Password Expiration

Former Member
0 Kudos

Hello forum members! I have a simple question regarding the expiration of passwords within SAP. We have two groups of SAP users: a) office user and b) factory user.

Office users will have to change their password after 90 days, BUT the factory users should not have this rule. They should keep their password. Is there a way of having 2 different rules within the system? What can we do?

10 REPLIES 10

Former Member
0 Kudos

Hi. One way exists, but I don't know how it is from the security side. In my case, if I want to never change the password, in SU01 --> open user --> logon data --> User type --> I specify "service".

I repeat, it is necessary to ask experts how it is from the privacy and security side. Regards.

Former Member
0 Kudos

Thanks for your quick reply. In this case I'm the security consultant myself. Let me explain more about this situation:

We have 18 computers inside the factory with 380 users working on them. At first we thought we could create logons for each of them, but then we realized that it would cost too much and there would be too much time needed to manage them all. That's why we chose group logons, 18 altogether. If we had to change passwords every 90 days we would have to make certain that 380 people can remember new passwords. The managing would be too much. We already had another security consultant in the house; he said the restrictions are tight enough to use groups and no password expiration.

So, the "service" user would be a solution, sounds promising. I will check this kind of user out, I never used this type. Thanks again!

0 Kudos

One thing to bear in mind: you could be in violation of your SAP contract when using this solution. So be sure to have this mentioned in your contract with SAP with regard to the license fees.

0 Kudos

I agree with Auke. In all of the contracts I have seen, this would be in violation of the licence terms (though they are all negotiable).

I do not agree with what your other security consultant has said from the info available.

How can they be 100% sure that there are appropriate controls in place to attribute every change of data to the person who changed it?

There is a potentially huge control weakness here (especially when working with stocks). What is your internal audit/controls team's advice in this area? I know for sure that your external auditors will not be happy with this.

0 Kudos

Hi Alex Ayers. And what about the user type "dialog" or "service" from the point of view of the license and security?

How does it influence this? With best regards.

0 Kudos

>

> Hi Alex Ayers. And what about the user type "dialog" or "service" from the point of view of the license and security?

> How does it influence this? With best regards.

Hi Sergo Beradze

As all licences are different it's hard to say, but if you have end users logging in with a service user, SAP will identify it in the licence process and charge you accordingly. Often service users are used in non-prod environments like training.

Service users are not subject to password changes or multi login restrictions and as a result can be abused more easily than dialog users.

Personally I would not give a service ID any more than display access in a production environment. Generally I would go further than that and not use it at all unless there was an absolute technical requirement.

There is a bit more info in SAP Help on the user types which you might find interesting.
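An added example (not part of the original thread and not an SAP tool): a Python audit over a constructed user export that flags the two risks raised in the reply above, service users logging on from several terminals and service users holding more than display access. The user type codes follow USR02 (A = dialog, S = service); the CSV columns, user names, terminal names and role names are assumptions.

```python
import csv
import io
from collections import defaultdict

# USR02-style user type codes: A = dialog, S = service.
DIALOG, SERVICE = "A", "S"

# Constructed sample data; column names and role names are assumptions.
USERS_CSV = """user,ustyp,roles
JSMITH,A,Z_MM_MAINTAIN
FACTORY01,S,Z_MM_DISPLAY
FACTORY02,S,Z_MM_DISPLAY;Z_MM_GOODS_MOVEMENT
TRAINING,S,Z_MM_DISPLAY
"""
LOGONS_CSV = """user,terminal,date
JSMITH,PC-OFFICE-07,2024-03-01
FACTORY01,PC-FAB-01,2024-03-01
FACTORY01,PC-FAB-02,2024-03-01
FACTORY02,PC-FAB-03,2024-03-01
"""
DISPLAY_ROLES = {"Z_MM_DISPLAY"}  # assumed set of display-only roles


def audit_service_users(users_csv, logons_csv, display_roles):
    """Return {user: [findings]} for service-type users only."""
    # Collect the distinct terminals each user logged on from, per day.
    terminals = defaultdict(set)
    for row in csv.DictReader(io.StringIO(logons_csv)):
        terminals[(row["user"], row["date"])].add(row["terminal"])

    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(users_csv)):
        if row["ustyp"] != SERVICE:
            continue  # only service users are exempt from password change and multi-logon limits
        user = row["user"]
        extra = sorted(set(filter(None, row["roles"].split(";"))) - display_roles)
        if extra:
            findings[user].append("non-display roles: " + ", ".join(extra))
        shared_days = sorted(d for (u, d), t in terminals.items()
                             if u == user and len(t) > 1)
        if shared_days:
            findings[user].append("logons from several terminals on: "
                                  + ", ".join(shared_days))
    return dict(findings)


if __name__ == "__main__":
    for user, items in audit_service_users(USERS_CSV, LOGONS_CSV, DISPLAY_ROLES).items():
        print(user, "->", "; ".join(items))
```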

0 Kudos

Thanks Alex.

Former Member
0 Kudos

Thanks for all your answers. What appeared to be a simple and quick solution now seems like something very odd with all the licensing and security issues. One thing is for sure: the CEO won't spend the money on 380 user licensing as the whole project went far beyond expectations. The service user can't be right after reading your answers.

What about user groups? If the system param would be disabled, can there be different password params within the user groups?

0 Kudos

Hi Peter,

There are a few options for this. Depending on what the warehouse users do, the licence costs can vary a whole lot. If it is only display access then you could negotiate a very basic licence type for this (plenty of places do that). Chances are you could save a significant amount of money in that way.

One option for the password params is to get the users to log onto a single server which has a different set of parameters in place. It is possible that it is overkill for this situation and there are the obvious drawbacks from a security perspective. If the users were to be display only then the associated risk would be lower than if they have maintenance access. The only way that user groups could work is if load balancing could use the user group to direct to a particular server. I'm no expert in that area so it may not be possible.

0 Kudos

Hi Peter,

One simple way to get rid of the license, compliance and security problems is to change your licensing model to an Enterprise License (I think that is what it is called).

You can negotiate a fixed rate for the software based on the value it brings as far as I am aware (CIOs often think in terms of % of sales!) and then go bananas creating users; one personal named ID for each of the natural human people to "own" and take responsibility for (including the personal password management and complying with sensible password security rules).

Cheers,

Julius