12-10-2008 12:52 AM
Good Morning All,
Below is a list of the Instance Profile Parameters related to security and their associated definitions that I have been able to find.
Eventually I want to have a comprehensive listing which can be added to the community library as a word document.
This parameter defines the minimum password length. The default is three characters, but this value can be set from three to eight characters.
Controls the minimum number of digits in a password. Possible entries: 0-40
Controls the minimum number of letters in a password. Possible entries: 0-40
Controls the minimum number of special characters in a password, such as !"@ $%&/()=?'`*+~#-_.,;:{[]}<>│] and space.
Controls the minimum number of lower-case letters in a password.
Controls the minimum number of upper-case letters in a password.
Controls the number of characters that have to be different from the previous password.
0 – restrictive. Only letters, digits and the following special characters are allowed in a password: !"@ $%&/()=?'`*+~#-_.,;:{[]}<>│] and space.
1 – downwards compatible.
The password may consist of various characters. All characters aside from the above listed will then be stored as one special character, and can therefore not be differentiated.
2 – not downwards compatible. The password may consist of any character and will be stored in UTF-8 format.
If the system does not support Unicode, not every character can be entered during login.
This parameter should only be set to 2 if the system supports the code. [with rel. 6.4]
This parameter defines the number of days after which a password must be changed. The default, 0, allows users to keep their passwords without time limit.
Controls the number of passwords that are stored as history and cannot be used.
Controls the number of days a user has to wait to be allowed to change his password again.
Controls the downwards compatibility of password security.
0 – no downwards compatibility. The system only generates new hash values that cannot be interpreted by older kernel versions.
1 – The system internally generates downwards compatible hash values, but does not evaluate them upon logon. This setting is required in a CUA controlled landscape with systems that have older kernel releases.
2 – The system generates downwards compatible hash values and checks them (logged in the system log) upon failed login attempts to detect compatibility issues. The login fails.
3 – as 2, but with successful login.
4 – as 3, but without system log entry.
5 – Completely downwards compatible.
1 – The system checks during login whether the password is compliant with the password security settings. If not, a password change will be enforced.
0 – no check
Users of type Service and System are generally excluded from password change requirements.
If the user logs on with Single Sign-On, checks whether the user must change his or her password.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Controls the deactivation of password-based logon for user groups
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Controls the number of days that may pass from the last password change of a user to his next logon. After that period of time, the password is rejected.
0 – unlimited validity
1 – only valid for the same day
>1 – number of days before rejection
Controls the deactivation of password-based logon
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Controls whether multiple logins are enabled or disabled.
0 = enable
1 = disable
Here a list of users can be deposited who are allowed multiple logins even though multiple login is generally disabled. The multiple login information is stored in the table USR41_MLD.
This parameter defines the number of times a user can enter an incorrect password before the system terminates the logon attempt. The default is three characters, but this value can be set to any number between 1–99.
login/fails_to_user_lock
This parameter defines the number of times a user can enter an incorrect password before the system locks the user from making additional logon attempts. If the system locks, an entry is written to the system log, and the lock is released at midnight. The default is 12 times, but this value can be set to any value between 1–99.
This parameter unlocks users who got locked out by logging on incorrectly. If the parameter is set to 1 (the default), the system does not consider users locked due to a previous incorrect logon attempt. The locks remain if the parameter value is 0.
Defines the validity period of passwords for newly created users.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Login/password_max_reset_valid
Defines the validity period of reset passwords.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Allows or locks the logon using SSO ticket.
Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package
Allows the creation of SSO tickets.
Available as of SAP Basis 4.6D
Defines the validity period of an SSO ticket.
Available as of SAP Basis 4.6D
The logon ticket is only transferred using HTTP(S).
Available as of SAP Basis 4.6D
When logging on over HTTP(S), sends the ticket only to the server that created the ticket.
Available as of SAP Basis 4.6D
Refuse incoming connections of type CPIC
If the parameter is set to 1, then SAP* has no special default properties. Resetting the parameter to 0 allows logins with SAP*, password PASS, and unrestricted system access privileges. Even if you set the parameter, ensure that there is a user master record for SAP*. If a user master record for SAP* exists, it behaves like a normal user, is subject to authorization checks, and its password can be changed.
This parameter specifies the default client. This client is automatically filled in on the system logon screen. Users can enter a different client.
Specifies the exactness of the logon timestamp.
Available as of SAP Basis 4.6
Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
Default value: 0 (no restriction); permissible values: any numerical value
Since Release 3.0E, external security tools such as Kerberos or Secude have managed R/3 System access. If this parameter is set, an additional identification can be specified for each user (in user maintenance) where users log on to their security system. To activate, set the value to X.
This parameter specifies the default start menu for all users and can be overwritten with the user-specific start menu (transaction SU50). The default is S000, and this value can be set to any other area menu code.
The combination of transaction and authorization object is written to table USOBX upon authorization check, if it does not exist. Setting this value affects system performance!
By using transaction SU24, you can activate or deactivate authorization checks for transactions. This function is active only if you set the system profile parameter to Y. By default, the function is inactive, and the parameter value is N. To activate the parameter, set the value to Y. If you want to work with the PG, the parameter must be set.
You can use this parameter to determine whether object S_RFC is checked during RFC calls.
• Value = 0, no check against S_RFC
• Value = 1, check active but no check for SRFC-FUGR
• Value = 2, check active and check against SRFC-FUGR
Use this parameter to turn off the automatic authorization check for particular ABAP language elements (file operations, CPIC calls, and calls to kernel functions). This parameter ensures the downward compatibility of the R/3 kernel. By default, the function is inactive (value = 0 and check remains active). To turn the check off, set the value to 1.
To have good performance in the system, the names of all the authorizations included in a user master for a user are buffered in a table. In the standard, this buffer can deal with up to 1,000 authorizations. If a user has more than 1,000 authorizations the value can be set to 2000. The default value is 800, but this default value can be set to between 1–2000. If for any reason you have to reset the user buffer, see Online Service System notes 84209 and 75908 for detailed information.
From Release 3.0E, the system checks on object S_TCODE. In specific instances, you can turn this check off, but this step results in a big security risk for your system. By default, the function is inactive, and the parameter value is N. To switch the check off set the value to Y.
By entering transaction SU53 in the Command field, you can analyze an authorization denied error that has just occurred in your session. This function is active only if you have set the system profile parameter to a value greater than 0. By default, the function is inactive, and the parameter value is 0.
The following are parameters that I need to find the documentation on. If anyone can help that would be much appreciated!!
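As an added example (not part of the original post or of any SAP-delivered tool), the script below reads an instance profile in its plain "name = value" layout and compares the security-relevant parameters discussed above against a baseline. The parameter names are the standard SAP ones; the target values (for example eight-character minimum, at most five failed attempts before lock) are this example's own illustrative baseline, not an SAP recommendation, and both profiles in the block are constructed samples. A parameter that is absent from the profile is reported as a finding too, because the kernel default then applies and should be confirmed in RZ11 rather than assumed.

```python
"""Baseline check of security-relevant SAP instance profile parameters.

Added example, not from the original thread or from SAP. Parameter names are
the standard SAP names; target values are an illustrative baseline of this
example only. Profile text uses the plain 'name = value' layout with '#'
comment lines; both sample profiles below are constructed, not real systems.
"""
import re

# Constructed weak profile: every value here is one the thread warns about.
WEAK_PROFILE = """\
# DEV_DVEBMGS00_host (constructed sample instance profile)
SAPSYSTEMNAME = DEV
INSTANCE_NAME = DVEBMGS00
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
login/disable_multi_gui_login = 0
login/password_downwards_compatibility = 5
auth/rfc_authority_check = 1
auth/object_disabling_active = Y
"""

# Constructed hardened profile: the same parameters set to baseline values.
HARDENED_PROFILE = """\
login/min_password_lng = 10
login/password_expiration_time = 90
login/fails_to_user_lock = 5
login/no_automatic_user_sapstar = 1
login/disable_multi_gui_login = 1
login/password_downwards_compatibility = 0
auth/rfc_authority_check = 2
auth/object_disabling_active = N
login/password_max_idle_initial = 7
"""


def parse_profile(text):
    """Return {parameter: value} from profile text; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def _as_int(value):
    """Integer value of a parameter string, or None if it is not numeric."""
    return int(value) if re.fullmatch(r"-?\d+", value) else None


def _in_range(value, low, high):
    number = _as_int(value)
    return number is not None and low <= number <= high


# (parameter, predicate on the raw string value, expectation shown in findings)
BASELINE = [
    ("login/min_password_lng", lambda v: _in_range(v, 8, 40),
     ">= 8 characters"),
    ("login/password_expiration_time", lambda v: _in_range(v, 1, 365),
     "1..365 days (0 = passwords never expire)"),
    ("login/fails_to_user_lock", lambda v: _in_range(v, 1, 5),
     "1..5 failed attempts before the user is locked"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1",
     "1 (SAP* has no special default properties)"),
    ("login/disable_multi_gui_login", lambda v: v == "1",
     "1 (multiple logins disabled)"),
    ("login/password_downwards_compatibility", lambda v: v == "0",
     "0 (no downwards compatible password hashes)"),
    ("auth/rfc_authority_check", lambda v: v == "2",
     "2 (S_RFC checked, including SRFC-FUGR)"),
    ("auth/object_disabling_active", lambda v: v.upper() == "N",
     "N (authorization objects cannot be deactivated)"),
    ("login/password_max_idle_initial", lambda v: _in_range(v, 1, 14),
     "1..14 days before an unused initial password is rejected"),
]

NOT_SET = "<not set: kernel default applies, verify in RZ11>"


def check_profile(params):
    """Return findings as (parameter, actual value, expectation) tuples."""
    findings = []
    for name, ok, expectation in BASELINE:
        value = params.get(name)
        if value is None:
            findings.append((name, NOT_SET, expectation))
        elif not ok(value):
            findings.append((name, value, expectation))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"== {label} profile ==")
        for name, actual, expected in check_profile(parse_profile(text)):
            print(f"{name:42} actual={actual:<50} expected={expected}")
```

Running it prints nine findings for the weak profile (the eight weak values plus login/password_max_idle_initial, which is not set) and none for the hardened one. The baseline is kept as data so it can be adjusted to a landscape's own policy, for example keeping login/password_downwards_compatibility above 0 while older kernels still share users through CUA, as the thread notes.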
12-10-2008 7:48 AM
Well Goodmorning David
If you want the documentation for the parameters, check transaction RZ11, you will find the Standard SAP documentation there
Regards
Morten Nielsen
02-17-2009 6:57 AM
Hi Morten,
I got most of the original documentation in the post from RZ11 however the other parameters do not have any help documentation in RZ11.
Hoping someone else would know what the values are for?
02-17-2009 12:51 PM
Login/isolate_rfc_system_calls
SAP internal only and not developed yet. So the param is meaningless for now and can be ignored.
For many of the others you can do a search here and the service market place as well to find what you are looking for.
Cheers,
Julius
02-17-2009 8:20 AM
Hi David,
Auth/new_buffering - This has values 1 to 4. I have used 3 and 4 only. 4 causes authorization buffers to be refreshed dynamically. That means a user doesn't need to log out and log in when a new access is given to him. He needs to log out and log in when this is set to 3.
Auth/tcodes_not_checked - This is used to disable the logging of S_TCODE in SU53 and SU56. If enabled, this means that the authorization failures logged under this object won't be logged.
Auth/object_disabling_active - Deactivates the authorization objects.
Login/password_max_idle_initial - This determines how long a password can remain initial, i.e. the one set by the system administrator.
Regards,
Chinmaya
12-02-2010 11:14 PM
Hi, you can find more information about some of these parameters here:
http://help.sap.com/saphelp_nwes72/helpdata/EN/4a/c3efb58c352470e10000000a42189c/frameset.htm
Enjoy!
12-03-2010 12:53 AM
Hi,
wouldn't it be better to create a wiki page? More people could co-operate on this and it would be much easier to find using search.
Cheers