Just recently I got this request from a customer: when using the NetWeaver Developer Studio (NWDS) with NetWeaver Development Infrastructure (NWDI), the Studio effectively is using a server and therefore must log in to it. This results in a small login window that appears. To make this easier the password may be stored for further use.
The request was that in case the password is forced to change by the server, it should be possible to do this without logging into the server via a web interface but also from the NWDS. The current situation is that this change request is not handled by the studio and after several tries (as users are not aware that a change is needed) results in a lock of the user. As this seems to make a lot of sense, I talked to development.
After a short discussion I found myself sent to the next department. As this is not what I would call a good start Idecided to first really understand the problem before running around with other peoples knowledge…
What they had told me was that the Studio does not get any more specific information than an “unauthorized” answer from the server once the password timed out. Unfortuantely it is a security standard to not give more information on login requests for agood reason. In addition, the client does not have any information about when an attempt for a new password will be.
All together this means that to make this requirement happen we would need to either change a security standard or implement a specific login that would keep track on the time left for updating passwords. This seamed pretty much effort to me for such few functionality. I started to think about alternatives.
The actual problem is that the login mechanism doesn’t warn the developer and such functions more like a trap that results in a user lock. After this she finds herself searching for an admin to get unlocked. Wouldn’t it be enough to just give a hint when the window asks you for an unexpected login?
The final decision hit me yesterday: i was looking into the server to get a better overview on htis problem searching for the admin options for user management. Threre is no such option to renew passwords after x days. As you might know the User Management Engine (UME) allows to connect to an internal user system, an LDAP one, or an ABAP server. And I know very well that ABAP servers do have that functionality. In other words, the implementation would have to take care about password changes throöugh another server.
This assured me that I’m on the right track with “second best” .
And if you ever come back to me for more, then please let me know why the heck you need renewing passwords on a development system 😉