SAP BASIS Security Parameters
An administrator can limit the number of incorrect login attempts: once the configured value is reached, the system can end the session or lock the user account. The parameters used to limit login attempts are of the following two types −
- Static − This parameter doesn’t apply immediately. The system needs a restart for it to take effect.
- Dynamic − This parameter can be applied directly and the system does not need to restart for this.
Follow these steps to set the value of parameters −
Step 1 − Use transaction code — RZ11.
Step 2 − Enter the parameter name and click on Display. To edit a parameter, click on Edit.
Step 3 − To set the number of failed attempts, enter the parameter name login/fails_to_session_end. You can enter any other parameter name in the same way.
Step 4 − To check the current policy, click on Display.
Important parameters to limit login attempts
- login/fails_to_session_end − This parameter defines the number of times that a user can enter an incorrect password before the system ends the logon attempt. The parameter should be set lower than the value of parameter.
- login/fails_to_user_lock − This parameter is used to define the number of times that a user can enter an incorrect password before the system locks the current user account. The default value is 12 and can be set to any value between 1 and 99 inclusive.
It is also possible to define a password policy for users in an SAP system in the following ways −
- A minimum password length has to be set for users.
- There needs to be an expiry policy for the passwords.
- Password complexity and other such aspects need to be considered too.
The following parameters are used to define system password policy −
This is used to define the minimum password length. The default value for this field is 3 characters and can be set to any value between 3 and 8.
This parameter is used to define the number of days after which a password expires. To allow users to keep their passwords without any expiry limit, set the value to 0.
Limit Users on Password Selection
You can also specify passwords that users are not allowed to choose. These passwords are maintained in table USR40, and transaction code SM30 is used for this purpose.
There are two wildcard characters −
- ? − stands for a single character.
- * − stands for a sequence of any combination of characters of any length.
If you enter 123* in table USR40, it means that any password that begins with the sequence “123” is prohibited.
If you enter *123*, it prohibits any password that contains the sequence “123”.
If you select AB?, passwords that begin with “AB” and an additional character will not be allowed. For example — “ABB”, “ABF”, etc.
Transaction Code — SM30
Select the table and click the Display button below. Enter the password string.
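The wildcard rules above can be checked offline before entries are maintained in USR40. The following Python sketch is an added example, not SAP code: the function names, the sample patterns list and the candidate passwords are constructed for illustration, and it assumes a pattern must match the whole password, that * may also match an empty sequence, and that comparison is case-sensitive.

```python
import re

# Constructed sample entries, taken from the wildcard examples in the text.
PATTERNS = ["123*", "*123*", "AB?"]


def usr40_to_regex(pattern: str) -> re.Pattern:
    """Translate a USR40-style pattern into a compiled regular expression.

    '?' matches exactly one character, '*' matches any sequence of
    characters; every other character is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            # Escape so that characters such as '.' or '+' stay literal.
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def blocked_by(password: str, patterns=PATTERNS) -> list:
    """Return the patterns that would prohibit this password."""
    return [p for p in patterns if usr40_to_regex(p).fullmatch(password)]


def audit(candidates, patterns=PATTERNS) -> dict:
    """Map each candidate password to the list of patterns that block it."""
    return {pw: blocked_by(pw, patterns) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidate passwords for the demonstration.
    for pw, hits in audit(["123456", "pass123word", "ABB", "ABCD"]).items():
        verdict = "prohibited by " + ", ".join(hits) if hits else "allowed"
        print(f"{pw!r}: {verdict}")
```

A candidate such as “ABCD” is not caught by AB? because ? stands for exactly one character; blocking longer strings that start with “AB” needs the entry AB*.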