Skip to Content

Profile parameter for passwords - conflicting documentations.


I've encountered an issue with profile parameter login/password_max_idle_productive

Integrated help in SU01 says:

You can use the profile parameter login/password_max_idle_productive to define the point as of which the validity of the productive password ends. The time is calculated from the date of the last password change plus the number of days specified in the profile parameter. Password-based logon is then not possible from this point.

This makes this parameter redundant (we have login/password_expiration_time ).

SAP Library says (see link below):

Specifies the maximum period for which a productive password (a password chosen by the user) remains valid if it is not used.

Which suggests that the time after which passwords are considered expired is calculated from last logon date plus whatever is the parameter value.

SU01 help specifies explicitly how this parameter works but it conflicts with a more ambiguous description found in the SAP Library. The observed system behavior on logon is in line with SU01 help, but report RSUSR200 does not list the user as having an expired productive password.

We're on ECC 6.0, release 701 with support package 3. I could not find any SAP notes relating to this issue.

Has anyone encountered this issue before or have I just run into an odd glitch?

[SAP Library|]

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Best Answer
    avatar image
    Former Member
    Oct 08, 2009 at 07:13 PM


    > This makes this parameter redundant (we have login/password_expiration_time ).


    Here your assumption is wrong.

    An expired password forces you to change the password.

    An idle password set by the user (i.e. productive status) is disabled, or the user is given an option if the authentication is single-sign-on. This can be configured.

    You can conclude from this that setting the expiration time to a value longer than the permitted idle time is illogical.

    What the idle time setting does automatically, is that which you have been doing manually in RSUSR200 - after the password has expired and the user is still not changing the password.

    As the system reacts differently to them, you can only have potentially conflicting settings.



    Edited by: Julius Bussche on Oct 8, 2009 9:27 PM

    Changed "shorter" to "longer". Important difference.

    Add comment
    10|10000 characters needed characters exceeded

    • No, that's not a requirement at all.

      The goal was to eliminate valid but idle users that we see as a potential security threat, regardless of their authorization level. This was a nice-to-have, as we manually block anyone who hasn't logged on for a prolonged time anyways.

      While the fact that we won't be able to achieve this is somewhat disappointing, I'm personally more concerned about the conflicting documentation. [SAP Lib|] and [SAPnote 862989|] appear to be in agreement on how this should work, albeit without telling us exactly how. Integrated help says something else altogether and the actual system behavior is in line with that.

      To reiterate, I'm no not so much worried about the actual functionality as I am about the conflicting documentation. If I can't trust what I RFTM, what can I, then? 😊

      Regardless, we have created an OSS message and I'm eagerly awaiting their response. I will probably follow-up here if there are any interesting developments.