SAP Security policies / Group policies
With the increased importance of information security and the demand for securing systems, SAP has introduced a new feature called security policies, which are similar to Group Policies in Active Directory.
The basic use of these policies is to control a set of users with the required options. Until now, all security-related parameters in SAP were common to all users. With the introduction of security policies, we can now apply different restrictions to different users. For example, users in a factory need more flexibility because their accounts need to be highly available.
Companies can now plan or segregate users based on need. The main advantage is that companies can enforce strict rules at the global level (for all users) and create flexible security policies for a set of users for the required parameters, such as automatically unlocking accounts.
Definitions from SAP
A security policy is a collection of security policy attributes and their values. This procedure replaces the definition of behavior with profile parameters: once a security policy is assigned to a user master record, this determines the desired behavior; profile parameters are only relevant for those user master records for which no security policy has been assigned.
Security Policy Attributes (Definition)
A security policy attribute is always an element of a security policy. You can use security policy attributes to define behavior with regard to:
- Password Rules
- Password Changes
- Logon Restrictions
In the application for maintaining security policies (transaction SECPOL), you can display the documentation for an attribute by calling the input help (F4) for the relevant attribute value.
How to create / access security policies:
Use transaction code SECPOL, switch to change mode, and click “New entries” to create a new security policy.
Once you have created the security policy, select the policy and double-click “Attributes”.
The screen below will be displayed. Here you need to select the required attributes under “Policy attribute Name”.
Below are the available attributes for security policies.
The “Effective” button shows the result of the policy in the security policy screen, as shown below.
“Superfluous” shows whether there are any unnecessary entries (for example, where the global value and the security policy value are the same). In the screen below, the system shows “CHECK_PASSWORD_BLACKLIST” as an unnecessary item because its value is the same as the system parameter value.
How to add this security policy to a user:
Edit the required user in transaction SU01 and enter the required security policy in the Logon data tab, as shown below.
Note: My ECC system’s version is EHP6 FOR SAP ERP 6.0.
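The following Python example is added here and is not from the original article or from SAP. It compares each policy's explicitly set attributes with the global values, marks entries equal to the global value as superfluous in the sense described above, and lists the users whose assigned policy relaxes a global setting. Assumptions: all policy names, user names and values are constructed, and the attribute names other than CHECK_PASSWORD_BLACKLIST and the meaning of their values are assumed for illustration.

```python
# Added example with constructed data; not an export from a real system.
# Direction of strictness per attribute: +1 higher is stricter, -1 lower is stricter.
STRICTER = {
    "MIN_PASSWORD_LENGTH": +1,
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": -1,
    "PASSWORD_LOCK_EXPIRATION": -1,  # assumed: 1 = lock is lifted automatically
    "CHECK_PASSWORD_BLACKLIST": +1,  # assumed: 1 = check enabled
}
# Global values that apply to users without a security policy (constructed).
GLOBAL = {
    "MIN_PASSWORD_LENGTH": 10,
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 5,
    "PASSWORD_LOCK_EXPIRATION": 0,
    "CHECK_PASSWORD_BLACKLIST": 1,
}
# Attributes set explicitly in each policy (constructed policy names and values).
POLICIES = {
    "FACTORY": {"PASSWORD_LOCK_EXPIRATION": 1, "MIN_PASSWORD_LENGTH": 8,
                "CHECK_PASSWORD_BLACKLIST": 1},
    "ADMIN": {"MIN_PASSWORD_LENGTH": 14, "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 3},
}
# User -> policy from the Logon data tab; "" means no policy assigned (constructed).
USERS = {"OPERATOR1": "FACTORY", "BASIS1": "ADMIN", "CLERK1": ""}

def classify(policy):
    """Sort a policy's explicit attributes into relaxed / stricter / superfluous."""
    result = {"relaxed": [], "stricter": [], "superfluous": []}
    for attr, value in sorted(POLICIES[policy].items()):
        delta = (value - GLOBAL[attr]) * STRICTER[attr]
        if delta == 0:
            result["superfluous"].append(attr)  # same as the global value
        else:
            result["stricter" if delta > 0 else "relaxed"].append(attr)
    return result

def relaxed_users():
    """Return {user: [attributes]} for users whose policy relaxes a global value."""
    findings = {}
    for user, policy in USERS.items():
        if not policy:
            continue  # no policy assigned: the global values apply unchanged
        relaxed = classify(policy)["relaxed"]
        if relaxed:
            findings[user] = relaxed
    return findings

if __name__ == "__main__":
    for user, attrs in relaxed_users().items():
        print(f"{user} ({USERS[user]}): relaxed {', '.join(attrs)}")
```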