SU01 Alias minimum length

chrisb1 · ‎01-29-2010

Hi,

We are planning an external facing SAP e-recruitment site. Our security advisers have recommended that we enforce a minimum length for the SU01 login alias. I'm not sure it is possible using, for instance, SAP rz10 parameters. There's plenty for minimum password length, etc which we have implemented but nothing I can see for min alias length.

Any thoughts on this?

Thanks

Chris

Former Member · ‎01-29-2010

You can just catch the length of the requested alias name in your web application already?

Anyway, the only thing I noticed is that during the existance check on the backend, the system generates an alias name if it is already in use, and this is "folded" into a 10 character name plus 2 additional sequential numbers (00 to 99) - so I would not make the minimum more than 12 on the front-end size.

12 is also the length of XUBNAME for the user switch to a "proper" named ID so you should ideally make 12 the maximum as well.

Cheers,

Julius

mvoros · ‎01-31-2010

Hi,

unfortunately, SAP don't provide any BADI to check user details during creation. SAP only check if there is already a user with same alias. So as Julius mentioned you need to force the minimal length in your web application.

Cheers

Former Member · ‎02-01-2010

There were exits for SU01 and role assignment in PFCG (see [SAP Note 367660|https://service.sap.com/sap/support/notes/367660] if you can access it) but they were (to be) replaced by BADI's (not sure of the details though). I have my doubts that those BADI's will touch the business logic of the user alias.

However I still find this approach strange, as the Internet User Concept is now obsolete (see [SAP Note 1324366|https://service.sap.com/sap/support/notes/1324366] ) so will need to be migrated to SU01 users anyway...

Cheers,

Julius

chrisb1 · ‎02-04-2010

HI,

Many Thanks for all your replies - I've passed this over to our developers who will change the login screen to include a minimum alias length

Chris