cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Password Expiration

Former Member

on ‎09-25-2009 7:48 AM

0 Kudos

Hi All,

I plan to implement password expiration feature of SAP. I am looking at having to expire my user's password every 3 months. I did by using rz10 transaction code and inserting the parameter login/password_expiration_time and setting its value to 90. However, I noticed that its been 5 months already and the password is still not expired. Im expecting that by the end of the third month, it will prompt me to change my password.

Have I missed something? By the way, I restarted the instance after I set the login/password_expiration_time parameter.

Can anybody help?

Thanks in advance

Jun

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

debasissahoo
Active Contributor
‎09-25-2009 8:53 AM
0 Kudos

Hi,

This parameter works with the Exception: Users of types SERVICE and SYSTEM.

Check if your user id is of type Service or not?

if its a dialog user, please mention your kernel version.

Regards,

Debasis.

Show replies
Show replies
Former Member
‎09-25-2009 11:09 AM
0 Kudos

HI.

Thanks for the reply. I have users of DIALOGUE and SERVICE types. Can I have it to work for the both type of users. My kernel version is 7.00.

Thanks in advance.

Jun

debasissahoo
Active Contributor
‎09-25-2009 12:27 PM
0 Kudos

No, by definition SERVICE users will not go though the normal password expiration check during login to system.

http://help.sap.com/saphelp_erp2004/helpdata/EN/52/67119e439b11d1896f0000e8322d00/content.htm

Thanks,

Debasis.

Former Member
‎09-25-2009 12:34 PM
0 Kudos

Hi,

Thanks for the feedback. In that case, then can we work on the DIALOGUE users? As said, my kernel release is 7.00.

Thanks

Jun

debasissahoo
Active Contributor
‎09-25-2009 12:52 PM
0 Kudos

Do you mean to say password policy is not working for Dialog users also? what kernel patch you are using.

Thanks,

Debasis.

anindya_bose
Active Contributor
‎09-25-2009 5:58 PM
0 Kudos

Do you have multiple instances? if Yes, is the value of login/password_expiration_time parameter set to 90 for all the instances?

You can change login/password_expiration_time parameter this dynamically from RZ11 also ( and check same on all servers) as this is a dynamic parameter.

Former Member
‎09-29-2009 2:02 AM
0 Kudos

Hi Debasis,

Yes, its also not working for DIALOGUE users. Im sorry but I dont know how to determine the kernel patch? What should I do to determine it?

Thanks

Former Member
‎09-29-2009 2:06 AM
0 Kudos

Hi,

Sorry but I dont understand what you mean by "How many instances do I have?" But here's my setup, I have DEV, QAS and PROD and all of them have their own separate servers. Do I need to set the password parameter settings to all of them?

Thanks in advance

sunny_pahuja2
Active Contributor
‎09-29-2009 6:56 AM
0 Kudos

Hi,

You can check kernel level in System --> Status.

Thanks

Sunny

Former Member
‎09-29-2009 7:48 AM
0 Kudos

Hi Sunny,

My kernel level is 700.

Thanks

Former Member
‎09-29-2009 9:47 AM
0 Kudos

Hi

Which profile did you use to set the login parameter?

The parameter login/password_expiration_time should be set in the

instance profile.

If it is set in the instance profile it should be active in all clients

in the instance.

anindya_bose
Active Contributor
‎09-29-2009 10:22 AM
0 Kudos

No, Multiple Instances means for the same system. like for QAS you can have 3 physical hosts.

Former Member
‎09-29-2009 10:42 AM
0 Kudos

Hi,

In my PRODUCTION instance, I have 2 physical servers. One is the application server and the other is the database server. The database server is also my Central Instance. Thus, I would say that I have multiple instance. I set the password parameter to the instance profiles of both my application and central instance but it seemed not working.

Thanks

JPReyes
Active Contributor
‎09-29-2009 11:05 AM
0 Kudos

If its not working is because you didn't set or activate the paremeters correctly.

Check that the parameter exist in both instance profiles, in the other hand if this apply to the whole environment you could add this to the default profile. You can check the current value of the paremeter via RZ11 to see if your changes to the value took place.

Regards

Juan

Former Member
‎10-05-2009 9:24 AM
0 Kudos

Hi Juan,

I checked theRZ11 and searched for the parameter PASSWORD_EXPIRATION_TIME and I cant find it. I went back to RZ10 and I can see 5 profiles. Please see below:

Profile Name Prof Type

DEFAULT Deafult Profile

E6P_D00_AMC-E6P-APPS Instance Profile

E6P_DVEBMGS02_AMC-E6P-DB Instance Profile

START_D00_AMC-E6P-APPS Start Profile

START_DVEBMGS02_AMC-E6P-DB Start Profile

I checked on the 2 instance profiles and I can see that the parameter login/password_expiration_time is present and has a value of 90.

Please help. Where did I go wrong?

Thanks

JPReyes
Active Contributor
‎10-05-2009 10:10 AM
0 Kudos 
I checked theRZ11 and searched for the parameter PASSWORD_EXPIRATION_TIME

You should be checking for login/password_expiration_time, if you just put PASSWORD_EXPIRATION_TIME certainly won't return anything.. alternatevely you can use * as a wild card like *password_expiration_time 

I checked on the 2 instance profiles and I can see that the parameter login/password_expiration_time is present and has a value of 90.

Did you restarted the system after the changes?... also you can do a profile Check in RZ10 to see if the syntax or the values of the parameters are properly set.

Regards

Juan

Former Member
‎10-05-2009 10:23 AM
0 Kudos

Hi,

Yes, I restarted the instance. Also, I noticed error in profile check but these errors may not have nothing to do with the password expiration. Please see actual errors below:

E:login/disable_multi_gui_login is not identified identically on all servers

E:login/disable_multi_gui_login (1) on server AMC-E6P-DB_E6P_02

E:login/disable_multi_gui_login (0) on server AMC-E6P-APPS_E6P_00

E:login/min_password_letters is not identified identically on all servers

E:login/min_password_letters (2) on server AMC-E6P-DB_E6P_02

E:login/min_password_letters (0) on server AMC-E6P-APPS_E6P_00

E:login/min_password_digits is not identified identically on all servers

E:login/min_password_digits (2) on server AMC-E6P-DB_E6P_02

E:login/min_password_digits (0) on server AMC-E6P-APPS_E6P_00

However, Ive been searching for those parameters above that has zero values but I cant find them.

JPReyes
Active Contributor
‎10-05-2009 10:37 AM
0 Kudos 
However, Ive been searching for those parameters above that has zero values but I cant find them.

You can't find them because 0 its the defualt value, so when the parameter is not set on the profile it takes that value.

You should consolidate the value to the same so they match...

Regards

Juan

Former Member
‎10-05-2009 10:58 AM
0 Kudos

Hi Juan,

Actually the reason why Im looking for those with zero values is to be able to delete them so that I will have a single value for each parameter. If its not possible, please advise how to consolidate.

Thanks

JPReyes
Active Contributor
‎10-05-2009 11:59 AM
0 Kudos

You can't delete a default value... if you want to keep the 2 on your environment then you either set the parameter in the instances where the value is 0 or remove the paremeter for the instance profile and add it to the default profile so it applies to the whole system

Regards

Juan

Former Member
‎10-06-2009 2:56 AM
0 Kudos

Hi Juan,

Thats what I've been trying to do but I can seem to do it right. Im looking for that parameter where the value is zero so that I can change it but I cant find it anywhere in all the profiles. Since I cant find it, I created a new parameter and set the value to 2 but when I saved it, its returning an error saying that I havent set it identically on all servers and its showing the same parameters with 2 different values (0 and 2).

Where do you think did I go wrong?

Thanks

Ask a Question