Former Member

Regd Password Standards

Hi Experts,

In our project we have a requirement to set the initial password for a user as a productive password.

As is known, this is done by tinkering with the last logon time of the user using sy-uzeit.

This makes the user's password productive even though it shows as initial in SU01.

My question is: what security implications might we face if we leave the user in the above condition?

Do users with initial passwords in the system have anything to do with audit compliance?

Kindly elaborate!

Anticipating your reply at the earliest

Thanks in Advance

Regards

Anand Sekar


5 Answers

  • Dec 21, 2011 at 08:04 PM

    Hi

    Why do you want to do this? If you are able to achieve it (I do not know, never tried), presumably admins will know the password of every dialog user (since users would not be prompted to change their password as it is already productive), which would be a considerable risk to say the least.

    Best Regards

    Prashant

    Edited by: Prashant Tripathi on Dec 21, 2011 9:05 PM


  • Dec 21, 2011 at 10:26 PM

    Hi,

    First of all, the BAPI allows you to set a productive password (this feature is used by IdM, for example). So instead of fiddling with tables, I would suggest using the BAPI.

    What is the requirement for setting a productive password? It does not sound right if it will be performed by administrators.

    Cheers


  • Former Member
    Dec 22, 2011 at 06:56 AM

    You are updating the wrong field. The LTIME trick is not used anymore; rather, the STATUS of the password is respected.

    Anyway, what you are doing is a stupid workaround (sorry, but that is being honest). Mostly this is done when people attempt to synchronize passwords or they are sharing passwords and therefore do not want it to be changed.

    Based on your other posts, this process involves admin setting the password and status remotely via RFC and then sending it to the group of users? Is that correct?

    "something to do with Audit compliance"

    Yes... 😉

    Cheers,

    Julius


  • Former Member
    Dec 28, 2011 at 01:18 PM

    Hi All,

    Thanks for quick response.

    Sorry for not reciprocating it.

    The scenario that requires this functionality is that in the business we use admin accounts which have complete access.

    It remains a system user, and we convert it into a dialog user to meet any business requirement.

    This happens at a particular frequency. So while doing it I manually change the password and issue it to the user.

    Instead of doing it that way, I thought of doing it through a report. This is the reason behind my above post.

    Can anyone suggest which BAPI is used for setting a productive password?

    Regards

    Anand Sekar


    • Former Member

      If you are only giving the password to one person then what is the problem with it being initial?

      A system-type user is only SAPGui-incapable. All other clients are supported, so this will not prevent unauthorized logins.

      Sorry, but your solution has serious security errors in it!

      Regarding "report": give them the report to run which records that they gave more access for a period of time but remain logged on as themselves. That is the best design in my opinion.

      Cheers,

      Julius
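
    Editor's note: the replies above point at "the BAPI" for setting a productive password but the thread never names it. The following ABAP report is an added example, not code from any participant, and it assumes the function module is BAPI_USER_CHANGE with the PASSWORD/PASSWORDX parameters and a PRODUCTIVE_PWD flag of type BAPIFLAG (check the interface in SE37 on your release before relying on it); the report name, selection screen and messages are the editor's own. It shows both states side by side: with the checkbox blank the password stays initial and the user is forced to change it at first logon; with the checkbox set the password becomes productive, which is exactly the condition the other answers warn about, because the administrator who ran the report then knows a working credential for that account.

```abap
*&---------------------------------------------------------------------*
*& Report Z_SET_USER_PWD
*& Added example (not from this thread). Assumes BAPI_USER_CHANGE
*& exposes PASSWORD/PASSWORDX and a PRODUCTIVE_PWD flag (BAPIFLAG).
*& Report name and selection screen are assumptions of the editor.
*&---------------------------------------------------------------------*
REPORT z_set_user_pwd.

PARAMETERS: p_user TYPE xubname OBLIGATORY,
            p_pwd  TYPE bapipwd-bapipwd LOWER CASE,
            p_prod AS CHECKBOX.   " 'X' = productive, blank = initial

DATA: ls_password  TYPE bapipwd,
      ls_passwordx TYPE bapipwdx,
      lt_return    TYPE STANDARD TABLE OF bapiret2,
      ls_return    TYPE bapiret2,
      lv_failed    TYPE abap_bool.

" Fill the password structure and mark the field as "to be changed".
ls_password-bapipwd  = p_pwd.
ls_passwordx-bapipwd = abap_true.

" PRODUCTIVE_PWD blank: password is initial, user must change it at
" first logon. PRODUCTIVE_PWD = 'X': password is productive and no
" change is enforced, so the caller keeps a usable credential.
CALL FUNCTION 'BAPI_USER_CHANGE'
  EXPORTING
    username       = p_user
    password       = ls_password
    passwordx      = ls_passwordx
    productive_pwd = p_prod
  TABLES
    return         = lt_return.

" Never commit blindly: BAPI_USER_CHANGE reports policy violations
" (password rules, locked user, missing S_USER_* authorization)
" through RETURN rather than by raising an exception.
lv_failed = abap_false.
LOOP AT lt_return INTO ls_return.
  WRITE: / ls_return-type, ls_return-message.
  IF ls_return-type CA 'EAX'.
    lv_failed = abap_true.
  ENDIF.
ENDLOOP.

IF lv_failed = abap_true.
  CALL FUNCTION 'BAPI_TRANSACTION_ROLLBACK'.
  WRITE: / 'Password not changed for user', p_user.
ELSE.
  CALL FUNCTION 'BAPI_TRANSACTION_COMMIT'
    EXPORTING
      wait = abap_true.
  WRITE: / 'Password changed for user', p_user.
ENDIF.
```

    Two practical caveats: a password typed into a selection screen is echoed in clear and can end up saved in a report variant, so a real implementation would have the system generate it (or hand the whole task to an identity management tool, as the IdM remark above suggests); and every run of this report is a password reset by an administrator, so the change document for the user (SU01 change documents, SUIM) is what an auditor will ask for, whichever way the checkbox was set.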

  • Former Member
    Jan 06, 2012 at 04:00 PM

    This message was moderated.