
SAP Instance Profile Parameters, allowed values and meaning

Former Member
0 Kudos

Good Morning All,

Below is a list of the Instance Profile Parameters related to security and their associated definitions that I have been able to find.

Eventually I want to have a comprehensive listing which can be added to the community library as a word document.

Instance Parameters

For Passwords

Login/min_password_lng

This parameter defines the minimum password length. The default is three characters, but this value can be set from three to eight characters.

Login/min_password_digits

Controls the minimum number of digits in a password. Possible entries: 0-40

Login/min_password_letters

Controls the minimum number of letters in a password. Possible entries: 0-40

Login/min_password_specials

Controls the minimum number of special characters in a password, such as !"@ $%&/()=?'`*+~#-_.,;:{[]}<>│] and space.

Possible entries: 0-40

Login/min_password_lowercase

Controls the minimum number of lower-case letters in a password.

Possible entries: 0-40

Login/min_password_uppercase

Controls the minimum number of upper-case letters in a password.

Possible entries: 0-40

Login/min_password_diff

Controls the number of characters that have to be different from the previous password.

Possible entries: 1-40

Login/password_charset

0 – restrictive. Only letters, digits and the following special characters are allowed !"@ $%&/()=?'`*+~#-_.,;:{[]}<>│] and space in a password.

1 – downwards compatible.

The password may consist of various characters. All characters aside from the above listed will then be stored as one special character, and can therefore not be differentiated.

2 – not downwards compatible. The password may consist of any character and will be stored in UTF-8 format.

If the system does not support unicode, not every character can be entered during login.

This parameter should only be set to 2, if the system supports the code. [with rel. 6.4]

Login/password_expiration_time

This parameter defines the number of days after which a password must be changed. The parameter allows users to keep their passwords without time limit and leaves the value set to the default, 0.

Login/password_history_size

Controls the number of passwords that are stored as history and cannot be used.

Login/password_change_waittime

Controls the number of days a user has to wait to be allowed to change his password again.

Possible entries: 1-1000

Login/password_downwards_compatibility

Controls the downwards compatibility of password security.

0 – no downwards compatibility. The system generates only new hash values that cannot be interpreted by older kernel versions.

1 – The system internally generates downwards compatible hash values, but does not evaluate them upon logon. This setting is required in a CUA controlled landscape with systems that have older kernel releases.

2 – The system generates downwards compatible hash values and checks them (logged in system log) upon failed login attempts to detect compatibility issues. The login fails.

3 – as 2, but with successful login

4 – as 3, but without system log entry.

5 – Completely downwards compatible.

Login/password_compliance_to_current_policy

1 – The system checks during login if the password is compliant with the password security settings. If not, a password change will be enforced.

0 – no check

Users of type Service and System are generally excluded from password change requirements.

Login/password_change_for_SSO

If the user logs on with Single Sign-On, checks whether the user must change his or her password.

Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Login/password_login_usergroup

Controls the deactivation of password-based logon for user groups

Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Login/password_max_idle_productive

Controls the number of days that may pass from the last password change of a user to his next logon. After that period of time, the password is rejected.

0 – unlimited validity

1 – only valid for same day

>1 – number of days before rejection

Login/disable_password_logon

Controls the deactivation of password-based logon

Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

For Multiple Logon

Login/disable_multi_gui_login

Controls whether multiple logins are enabled or disabled.

0 = enable

1 = disable

Login/multi_login_users

Here a list can be deposited that would allow users a multiple login even though the multi login is generally disabled. The multiple login information is stored in the table URSR41_MLD.

For Incorrect Login

Login/fails_to_session_end

This parameter defines the number of times a user can enter an incorrect password before the system terminates the logon attempt. The default is three characters, but this value can be set to any number between 1–99.

Login/fails_to_user_lock

This parameter defines the number of times a user can enter an incorrect password before the system locks the user from making additional logon attempts. If the system locks, an entry is written to the system log, and the lock is released at midnight. The default is 12 times, but this value can be set to any value between 1–99.

Login/failed_user_auto_unlock

This parameter unlocks users who got locked out by logging on incorrectly. If the parameter is set to 1 (the default), due to a previous incorrect logon attempt, the system does not consider users locked. The locks remain if the parameter value is 0.

Initial Password: Limited Validity

Login/password_max_new_valid

Defines the validity period of passwords for newly created users.

Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Login/password_max_reset_valid

Defines the validity period of reset passwords.

Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

For SSO Logon Ticket

Login/accept_sso2_ticket

Allows or locks the logon using SSO ticket.

Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package

Login/create_sso2_ticket

Allows the creation of SSO tickets.

Available as of SAP Basis 4.6D

Login/ticket_expiration_time

Defines the validity period of an SSO ticket.

Available as of SAP Basis 4.6D

Login/ticket_only_by_https

The logon ticket is only transferred using HTTP(S).

Available as of SAP Basis 4.6D

Login/ticket_only_to_host

When logging on over HTTP(S), sends the ticket only to the server that created the ticket.

Available as of SAP Basis 4.6D

Other Login Parameters

Login/disable_cpic

Refuse incoming connections of type CPIC

Login/no_automatic_user_sap*

If the parameter is set to 1, then SAP* has no special default properties. Resetting the parameter to 0 allows logins with SAP*, password PASS, and unrestricted system access privileges. Even if you set the parameter, ensure that there is a user master record for SAP*. If a user master record for SAP* exists, it behaves like a normal user, is subject to authorization checks, and its password can be changed.

Login/system_client

This parameter specifies the default client. This client is automatically filled in on the system logon screen. Users can enter a different client.

Login/update_logon_timestamp

Specifies the exactness of the logon timestamp.

Available as of SAP Basis 4.6

Other User Parameters

Rdisp/gui_auto_logout

Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).

Default value: 0 (no restriction); permissible values: any numerical value

Login/ext_security

Since Release 3.0E, external security tools such as Kerberos or Secude have managed R/3 System access. If this parameter is set, an additional identification can be specified for each user (in user maintenance) where users log on to their security system. To activate, set the value to X.

Start_menu

This parameter specifies the default start menu for all users and can be overwritten with the user-specific start menu (transaction SU50). The default is S000, and this value can be set to any other area menu code.

Auth/authorization_trace

The combination of transaction and authorization object is written to table USOBX upon authorization check, if it does not exist. Setting this value affects system performance!

Auth/no_check_in_some_cases

By using transaction SU24, you can activate or deactivate authorization checks for transactions. This function is active only if you set the system profile parameter to Y. By default, the function is inactive, and the parameter value is N. To activate the parameter, set the value to Y. If you want to work with the PG, the parameter must be set.

Auth/rfc_authority_check

You can use this parameter to determine whether object S_RFC is checked during RFC calls.

• Value = 0, no check against S_RFC

• Value = 1, check active but no check for SRFC-FUGR

• Value = 2, check active and check against SRFC-FUGR

Auth/system_access_check_off

Use this parameter to turn off the automatic authorization check for particular ABAP language elements (file operations, CPIC calls, and calls to kernel functions). This parameter ensures the downward compatibility of the R/3 kernel. By default, the function is inactive (value = 0 and check remains active). To turn the check off, set the value to 1.

Auth/auth_number_in_userbuffer

To have a good performance in the system, the names of all the authorizations included in a user master for a user are buffered in a table. In the standard, this buffer can deal with up to 1,000 authorizations. If a user has more than 1,000 authorizations the value can be set to 2000. The default value is 800, but this default value can be set to between 1–2000. If for any reason you have to reset the user buffer, see Online Service System note 84209 and 75908 for detailed information.

Auth/no_check_on_tcode

From Release 3.0E, the system checks on object S_TCODE. In specific instances, you can turn this check off, but this step results in a big security risk for your system. By default, the function is inactive, and the parameter value is N. To switch the check off set the value to Y.

Auth/check_value_write_on

By entering transaction SU53 in the Command field, you can analyze an authorization denied error that has just occurred in your session. This function is active only if you have set the system profile parameter to a value greater than 0. By default, the function is inactive, and the parameter value is 0.

The following are parameters that I need to find the documentation on. If anyone can help that would be much appreciated!!

Login/isolate_rfc_system_calls

Auth/tcodes_not_checked

Auth/trfc_no_authority_check

Auth/object_disabling_active

Auth/shadow_upgrade

Auth/check/calltransaction

Auth/new_buffering

Login/certificate_request_ca_url

Login/certificate_request_subject

login/ticketcache_entries_max

login/ticketcache_off

Login/password_max_idle_initial
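
As an added example (not part of the original post and not SAP code): a small Python audit that parses profile text in `parameter = value` form and flags values that the list above describes as switching a check off, or that fall outside the ranges it states. The profile text is constructed, and lower-casing parameter names before comparison is an assumption.

```python
import re

# Values the list above describes as switching a check off (names lower-cased).
DISABLING = {
    "login/no_automatic_user_sap*": ("0", "SAP* can log on with password PASS"),
    "auth/no_check_on_tcode": ("Y", "S_TCODE check is off"),
    "auth/rfc_authority_check": ("0", "no S_RFC check on RFC calls"),
    "auth/system_access_check_off": ("1", "file/CPIC/kernel-call checks are off"),
}
# Permitted integer ranges as stated in the list above.
RANGES = {
    "login/min_password_lng": (3, 8),
    "login/min_password_diff": (1, 40),
    "login/fails_to_user_lock": (1, 99),
}
LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}; the last assignment wins, '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def audit(text):
    """Return sorted (parameter, finding) tuples for a profile's text."""
    findings = []
    for name, value in parse_profile(text).items():
        if name in DISABLING and value.upper() == DISABLING[name][0]:
            findings.append((name, DISABLING[name][1]))
        if name in RANGES:
            lo, hi = RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append((name, f"value {value!r} outside {lo}-{hi}"))
    return sorted(findings)

SAMPLE = """\
# constructed sample profile, not taken from a real system
login/min_password_lng = 8
login/fails_to_user_lock = 120
login/no_automatic_user_sap* = 0
auth/rfc_authority_check = 1
auth/no_check_on_tcode = y
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Parameters that are not set in the profile fall back to kernel defaults, which this check does not evaluate.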

1 ACCEPTED SOLUTION

morten_nielsen
Active Contributor
0 Kudos

Well, good morning David

If you want the documentation for the parameters, check transaction RZ11. You will find the standard SAP documentation there.

Regards

Morten Nielsen

6 REPLIES

0 Kudos

Hi Morten,

I got most of the original documentation in the post from RZ11; however, the other parameters do not have any help documentation in RZ11.

Hoping someone else would know what the values are for?

0 Kudos

Login/isolate_rfc_system_calls

SAP internal only and not developed yet. So the param is meaningless for now and can be ignored.

For many of the others you can do a search here and the service market place as well to find what you are looking for.

Cheers,

Julius

Former Member
0 Kudos

Hi David,

Auth/new_buffering - This has values 1 to 4; I have used 3 and 4 only. 4 causes authorization buffers to be refreshed dynamically. That means a user doesn't need to log out and log in when a new access is given to him. He needs to log out and log in when this is set to 3.

Auth/tcodes_not_checked - This is used to disable the logging of S_TCODE in SU53 and SU56. If enabled, this means that the authorization failures logged under this object won't be logged.

Auth/object_disabling_active - Deactivates the authorization objects

Login/password_max_idle_initial - This determines how long a password can remain initial, i.e. the one set by the system administrator.

Regards,

Chinmaya

Former Member
0 Kudos

Hi, you can find more information about some of these parameters here:

http://help.sap.com/saphelp_nwes72/helpdata/EN/4a/c3efb58c352470e10000000a42189c/frameset.htm

Enjoy!

martin_voros
Active Contributor
0 Kudos

Hi,

Wouldn't it be better to create a wiki page? More people could co-operate on this and it would be much easier to find it using search.

Cheers