Skip to Content
Author's profile photo Artem Ivashkin

GRC How-to. Password Self Service (non-HR)


Recently I
have decided to implement the Password Self-Service (PSS) in the GRC. This
feature provides users with a flexible mechanism to restore their passwords any
time they want, and for a Basis team it gives a possibility to save  time for more important business.

First of
all I would like to say about a  restriction we have which is common  for some companies – absence of an HR module.
Besides, you can find a lot of  information on the SDN about customization of
the HR-oriented GRC system, but not for  non-HR-oriented.

configuration can be performed in a CUP, part of the GRC. Connections to all necessary
 SAP systems should be customized
correctly. Well, let’s start.

Go to your

main GRC page: http://:500/webdynpro/dispatcher/

, then choose Compliant User Provisioning (pic.1)



Or go

directly to http://<server>:5<nn>00/AE/index.jsp

Go to a configuration
tab and click on the Self-Service (pic.2)


Authentication Source. Here we choose a Challenge Response

point which can be used for non-HR SAP systems.

*Select Service to Disable Verification. *At this point you can choose
“unnecessary” services. If you choose, for example, a “Password
Self Service” you won’t be prompted to answer a question. All you need in
this case is just logon to your “restore page” (see a link below). If
you choose a “Change Name Service” you will be prompted to fill a questionnaire.
But in both cases you will be authenticated by a login/ a password of the User Data
Source (pic.3). I prefer to keep active all services.



Of course,
the best way is using the LDAP (for example, MS AD). But due to some reasons I
chose my Central User System.

Number of Questions End User has to Register. Here you manage a number of

questions to be answered by a user at the first logon. Then answered questions

will be appeared in a questionnaire.

*Number of unsuccessful attempts after which User
is locked.* I think
this point need no comments J

Here is my


Then we
need to configure a recovery page.

I have decided
to place a recovery link on a support page. Go to the  Support and import your html-document which
contains the following link


(with tag target=”_blank in clause)

!|height=209|alt=|width=619|src=!pic.5 (Really sorry for design)

At the
first time when a user logs on a PSS page, he will be prompted to answer some personal



Then you
will get the next screen



By clicking
on the Add button or the Add All Systems you can choose a needed system(s).



!|height=86|alt=|width=550|src=! pic.10

You will
get message with the following content:

+Your password has been reset. Your ID is
#_!PWD_RESET_USER_ID#_! Your password is (Password/System):+

User ID: <myuser>

Password: >4$%Fm+

SAPSystem: <mysystem>


By clicking
on the Re-register button you can reset answers to your questions. If you want
to use only 1 question out of 3, you should fill only one answer field and
other leave blank.

Also bear
in mind the following restrictions:

1) Users
must exist in User Data Source to get access in PSS

2) Users
must have correct e-mails, otherwise they will not get reset passwords

3) Answers
must be in Latin. My Cyrillic symbols are not recognized by the system

Hope this
How-to doc will help you. Post your corrections, commentaries. If it is possible
I will post the HR-customizing later.

Best regards,
Artem Ivashkin

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Frank Koehntopp
      Frank Koehntopp
      Great blog, Artem! Very detailed and to the point.

      A few remarks:

      - You need to be careful chosing the questions for challenge/response. If there are any questions whose answers contain personal information you might be liable in terms of data protection laws. Try to find questions that do not contain sensitive data.

      - I have found that for most customers the challenge response mechanism creates more trouble than it's worth. People will forget the answers to the question, and it ends up just another place where a support person has to reset something.

      - Many of my customers support the approach that if you can log in to your Windows PC and thus are on the internal network, this should suffice as an authorization to reset your SAP password _with the same User ID_. As most customers current system is limited to calling a helpdesk who has no idea who you are, but will tell you a new initial password, this is definitely an improvement.

      - As a consequence of the last remark, these customers set the authentication source to ActiveDirectory (or UME linked to AD) which allows them to use password reset without the hassle/overhead of security questions.



      Author's profile photo Artem Ivashkin
      Artem Ivashkin
      Blog Post Author
      Thank you, Frank, for your comments, which are the great appendix to my 1st blog.

      Regarding your last point, please be noted that I keep in mind your advice with AD (topic "CUP. Requestor Last/First Name autofill"). I'll try once I have a little more free time 🙂

      Author's profile photo Former Member
      Former Member
      Great blog - a few more questions (from a non-techy) to get my head around the scope:

      1.     How do the users get to the GRC password reset tool, i.e. does that require the Enterprise Portal to be implemented?
      2.     What part of GRC needs to be enabled to get the Password Rest to work?
      3.     Do we need to ensure connectivity to all systems and/or does this work through CUA as a prerequisite?
      4.     Does it work for ABAP as well as java stack systems?

      Many thanks!

      Author's profile photo Artem Ivashkin
      Artem Ivashkin
      Blog Post Author
      1) User have to know password from user management system, in described case they should remember password from CUA system (in CUA client I have placed User Management Source). When user knows password he/she can reset password in other system by choosing "Request Access" on "Compliant User Provisioning" page.
      2) Connectors must work fine, communication user must have permissions to reset password. Of course, you must have VIRSA components (with RTA) on the back-end system.
      3) It depends on your CUA processes. If your systems managed by CUA, you hsve to connect GRC with CUA. In our case, we manage users by CUA, but their role we assign localy. To clarify this point, please look at note "Note 1099011 - Limitations of using CUA with GRC Access Control"
      4) Yes, it does. All has been described for ABAP system. But I don't know "Does it work for JAVA stack as well as ABAP?" 🙂

      Hope your questions have been answered.