GRC How-to. Password Self Service (non-HR)
Recently I decided to implement Password Self-Service (PSS) in GRC. This feature gives users a flexible way to reset their passwords whenever they need to, and it frees the Basis team's time for more important work.
First of all, I should mention a restriction we have which is common to some companies: the absence of an HR module. There is a lot of information on the SDN about customizing an HR-oriented GRC system, but not for a non-HR-oriented one.
PSS configuration is performed in CUP (Compliant User Provisioning), a component of GRC. Connections to all necessary SAP systems must be customized correctly beforehand. Well, let's start.
Go to your main GRC page: http://<server>:5<nn>00/webdynpro/dispatcher/sap.com/grc~acappcomp/AC, then choose Compliant User Provisioning (pic.1)
pic.1
Or go directly to http://<server>:5<nn>00/AE/index.jsp
Go to the Configuration tab and click Self-Service (pic.2).
*Authentication Source.* Here we choose Challenge Response, which can be used for non-HR SAP systems.
*Select Service to Disable Verification.* At this point you can choose the "unnecessary" services. If you choose, for example, "Password Self Service", the user won't be prompted to answer a question; all that is needed in this case is to log on to the "restore page" (see the link below). If you choose "Change Name Service", the user will be prompted to fill in the questionnaire. In both cases the user is authenticated by the login/password of the User Data Source (pic.3). I prefer to keep all services active.
pic.3
Of course, the best option is to use LDAP (for example, MS AD). But for a number of reasons I chose my Central User System.
*Number of Questions End User has to Register.* Here you set the number of questions a user has to answer at first logon. The answered questions will then appear in the questionnaire.
*Number of unsuccessful attempts after which User is locked.* I think this point needs no comment 🙂
Here is my customizing:
Then we need to configure a recovery page.
I decided to place the recovery link on the support page. Go to Support and import an HTML document which contains the following link:
http://<server>:5<nn>00/AE/index_pss.jsp
(with target="_blank" in the anchor tag)
pic.5 (image: http://xmages.net/storage/10/1/0/9/e/upload/99de38b3.jpg) (Really sorry for the design)
The first time a user logs on to the PSS page, he will be prompted to answer some personal questions.
Then you will get the next screen:
pic.8
By clicking the Add button or Add All Systems you can choose the needed system(s).
pic.9
You will get a message with the following content:
+Your password has been reset. Your ID is #_!PWD_RESET_USER_ID#_! Your password is (Password/System):+
User ID: <myuser>
Password: >4$%Fm+
SAPSystem: <mysystem>
By clicking the Re-register button you can reset the answers to your questions. If you want to use only 1 question out of 3, fill in only one answer field and leave the others blank.
Also bear in mind the following restrictions:
1) Users must exist in the User Data Source to get access to PSS
2) Users must have correct e-mail addresses, otherwise they will not receive the reset passwords
3) Answers must be in Latin characters. My Cyrillic characters are not recognized by the system
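To make the challenge-response flow configured above concrete (registered questions, answer verification, lockout after the configured number of failed attempts, the "1 question out of 3" case, and restrictions 1 and 3), here is an added Python model. It is an illustration written for this How-to, not GRC's own code: the class and method names, the salted PBKDF2 hashing of answers, the case-insensitive comparison and the sample questions are all assumptions about how such a store could be built, not a description of how CUP stores its data.

```python
import hashlib
import hmac
import os
import unicodedata


class ChallengeResponseStore:
    """Toy model of challenge-response password self-service (assumed design,
    not GRC's implementation).

    - questions_required mirrors "Number of Questions End User has to Register":
      the registration form presents exactly that many questions.
    - max_failed_attempts mirrors "Number of unsuccessful attempts after which
      User is locked".
    - Answers are stored as salted PBKDF2 hashes, since they are secrets.
    """

    def __init__(self, questions_required=3, max_failed_attempts=3):
        self.questions_required = questions_required
        self.max_failed_attempts = max_failed_attempts
        # user_id -> {"answers": {question: (salt, digest)}, "failed": int, "locked": bool}
        self._users = {}

    @staticmethod
    def _normalize(answer):
        # Tolerate case and spacing differences so users are not locked out by trivia.
        answer = unicodedata.normalize("NFKC", answer).strip().casefold()
        return " ".join(answer.split())

    @staticmethod
    def _digest(answer, salt):
        return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, 100_000)

    def register(self, user_id, answers):
        """Register answers from the first-logon form.

        answers: dict question -> answer for every presented question.
        Blank answers are skipped, so filling only one of three fields works.
        Non-Latin answers are rejected up front (restriction 3 above).
        """
        if len(answers) != self.questions_required:
            raise ValueError(f"form presents {self.questions_required} questions")
        filled = {q: a for q, a in answers.items() if a and a.strip()}
        if not filled:
            raise ValueError("at least one question must be answered")
        for q, a in filled.items():
            if not a.isascii():
                raise ValueError(f"answer to {q!r} must use Latin characters")
        stored = {}
        for q, a in filled.items():
            salt = os.urandom(16)
            stored[q] = (salt, self._digest(self._normalize(a), salt))
        self._users[user_id] = {"answers": stored, "failed": 0, "locked": False}
        return sorted(stored)

    def registered_questions(self, user_id):
        """Questions shown in the questionnaire (only the ones actually answered)."""
        return sorted(self._users[user_id]["answers"])

    def verify(self, user_id, answers):
        """Check a questionnaire submission.

        Returns "ok", "wrong", "locked" or "unknown user" (restriction 1:
        users absent from the User Data Source cannot use PSS).
        """
        rec = self._users.get(user_id)
        if rec is None:
            return "unknown user"
        if rec["locked"]:
            return "locked"
        all_match = True
        for q, (salt, digest) in rec["answers"].items():
            candidate = self._digest(self._normalize(answers.get(q, "")), salt)
            # Compare every answer in constant time and keep going, so that
            # response time does not reveal which answer was wrong.
            if not hmac.compare_digest(candidate, digest):
                all_match = False
        if all_match:
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= self.max_failed_attempts:
            rec["locked"] = True  # the lock would be cleared by an administrator
            return "locked"
        return "wrong"

    def is_locked(self, user_id):
        return self._users[user_id]["locked"]


if __name__ == "__main__":
    # Constructed sample data, not real users.
    store = ChallengeResponseStore(questions_required=3, max_failed_attempts=3)
    form = {"First pet?": "Rex", "Birth city?": "", "Favourite dish?": ""}
    print(store.register("demo.user", form))            # ['First pet?']
    print(store.verify("demo.user", {"First pet?": " rex "}))  # ok
    for _ in range(3):
        print(store.verify("demo.user", {"First pet?": "guess"}))  # wrong, wrong, locked
```

The model deliberately treats blank registration fields as "not registered" rather than as an empty secret, which is the behaviour the Re-register remark above relies on; a store that kept the blank field as an answer would let the questionnaire be passed by leaving it blank.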
I hope this How-to will help you. Post your corrections and comments. If possible, I will post the HR customizing later.
Best regards,
Artem Ivashkin
A few remarks:
- You need to be careful choosing the questions for challenge/response. If there are any questions whose answers contain personal information you might be liable in terms of data protection laws. Try to find questions that do not contain sensitive data.
- I have found that for most customers the challenge response mechanism creates more trouble than it's worth. People will forget the answers to the question, and it ends up just another place where a support person has to reset something.
- Many of my customers support the approach that if you can log in to your Windows PC and thus are on the internal network, this should suffice as an authorization to reset your SAP password _with the same User ID_. As most customers' current system is limited to calling a helpdesk who has no idea who you are, but will tell you a new initial password, this is definitely an improvement.
- As a consequence of the last remark, these customers set the authentication source to ActiveDirectory (or UME linked to AD) which allows them to use password reset without the hassle/overhead of security questions.
Opinions?
Frank.
Regarding your last point, please note that I keep in mind your advice about AD (topic "CUP. Requestor Last/First Name autofill"). I'll try it once I have a little more free time 🙂
1. How do the users get to the GRC password reset tool, i.e. does that require the Enterprise Portal to be implemented?
2. What part of GRC needs to be enabled to get the Password Reset to work?
3. Do we need to ensure connectivity to all systems and/or does this work through CUA as a prerequisite?
4. Does it work for ABAP as well as java stack systems?
Many thanks!
2) Connectors must work fine, communication user must have permissions to reset password. Of course, you must have VIRSA components (with RTA) on the back-end system.
3) It depends on your CUA processes. If your systems are managed by CUA, you have to connect GRC with CUA. In our case, we manage users by CUA, but we assign their roles locally. To clarify this point, please look at note "Note 1099011 - Limitations of using CUA with GRC Access Control"
4) Yes, it does. All has been described for ABAP system. But I don't know "Does it work for JAVA stack as well as ABAP?" 🙂
Hope your questions have been answered.
Regards,
Artem