01-29-2010 2:13 PM
Hi,
We are planning an external-facing SAP e-recruitment site. Our security advisers have recommended that we enforce a minimum length for the SU01 login alias. I'm not sure it is possible using, for instance, SAP rz10 parameters. There are plenty for minimum password length, etc., which we have implemented, but nothing I can see for min alias length.
Any thoughts on this?
Thanks
Chris
01-29-2010 3:11 PM
You can just catch the length of the requested alias name in your web application already?
Anyway, the only thing I noticed is that during the existence check on the backend, the system generates an alias name if it is already in use, and this is "folded" into a 10 character name plus 2 additional sequential numbers (00 to 99) - so I would not make the minimum more than 12 on the front-end size.
12 is also the length of XUBNAME for the user switch to a "proper" named ID so you should ideally make 12 the maximum as well.
Cheers,
Julius
01-31-2010 10:37 PM
Hi,
Unfortunately, SAP doesn't provide any BADI to check user details during creation. SAP only checks if there is already a user with the same alias. So, as Julius mentioned, you need to force the minimal length in your web application.
Cheers
02-01-2010 9:33 AM
There were exits for SU01 and role assignment in PFCG (see SAP Note 367660, https://service.sap.com/sap/support/notes/367660, if you can access it) but they were (to be) replaced by BADIs (not sure of the details though). I have my doubts that those BADIs will touch the business logic of the user alias.
However I still find this approach strange, as the Internet User Concept is now obsolete (see SAP Note 1324366, https://service.sap.com/sap/support/notes/1324366) so will need to be migrated to SU01 users anyway...
Cheers,
Julius
02-04-2010 7:56 AM
Hi,
Many thanks for all your replies - I've passed this over to our developers, who will change the login screen to include a minimum alias length.
Chris