Important Security Parameters - Helpful for Basis!
PARAMETER | PARAMETER DESCRIPTION | SUGGESTION | SAP DEFAULT |
---|---|---|---|
Login/fails_to_session_end | Number of times a user can enter an incorrect password before the system terminates the logon attempt. Default is 3 | 3 | 3 |
Login/fails_to_user_lock | Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. | 5 | 6 |
Login/system_client | Specifies the default client. This client is automatically filled in on the system logon screen. Users can overwrite this. | As per team. | 001 |
Login/failed_user_auto_unlock | Enable automatic unlock of locked users at midnight. Default is 1 – allowed | 0 | 1 |
rdisp/max_alt_modes | You can use this parameter to restrict the maximum number of external sessions a user is allowed to open in one logon. | 3 | 6 |
Login/min_password_lng | Minimum length of a password. Default is 3. Any values from 2 – 8. SAP also provides a mechanism for additional customization of password restrictions. | 6 | 3 |
login/min_password_digits | Defines the minimum number of digits (0-9) in passwords | 1 | 0 |
login/min_password_letters | Defines the minimum number of letters (A-Z) in passwords | 1 | 0 |
login/min_password_specials | min. number of special characters in passwords | 1 | 0 |
Login/password_expiration_time | Number of days after which a password must be changed. When the expiration time is reached, the user is asked to enter a new password. Default is ‘0’ – no time limit. User will start getting a pop-up 5 days before the expiration date. | 60 | 0 |
Login/no_automatic_user_sap* | Disables special properties for user SAP* when this parameter is set to a value greater than zero. When the parameter is reset to 0, it would allow logins with SAP* using the default delivered password and unrestricted system access privileges. The default is 0 – permitted. | 1 | 0 |
Rdisp/gui_auto_logout | Specifies the number of seconds a user session can be idle before being automatically logged off by the system. Default is 0 | 1800 | 0 |
auth/no_check_in_some_cases | Used to enable SU24 to activate authorization checks for transactions and to work with the Profile Generator. Default is Y. | Y | Y |
auth/tcodes_not_checked | Checks on object S_TCODE. It disables Tcode checking for SU53 & SU56 analysis. In certain cases, this can be shut off, but it results in a big security risk for the system. Do not change unless absolutely necessary. | N | Empty string |
auth/authorization_trace | Enables easier diagnosis of security failures since it allows running of System Trace (transaction ST01). Caution: Setting this parameter greatly affects system performance! | N | N |
login/disable_multi_gui_login | Disable multiple sapgui logons (for same R/3 account). Default is ‘0’ – off. | 1 | 0 |
rsau/enable | Enables security audit logging. Default is ‘0’ → logging not enabled | 0 | 0 |
rsau/max_diskspace/local | Maximum file size of a security audit file allowed for each event. Default is 1,000,000 B. This parameter is relevant only if security audit logging is in use | 20M | 20M |
rsau/selection_slots | The parameter specifies the number of selection units that are set using Transaction SM19 and checked by the system during processing. Default is 2 – meaning two audit files can be open at any given point | 2 | 2 |
Auth/object_disabling_active | Authorization objects can be deactivated with the transaction AUTH_SWITCH_OBJECTS, if this parameter is set to “Y” or is not set. If it is set to “N”, it cannot be deactivated. Default is Y → can be deactivated. | N | Y |
snc/enable | If SNC (Secure network communications) is activated, then by default all incoming connections will only be accepted if they are secure. If this parameter is set to “1”, the work processes try to activate/initialize the SNC module (Secure Network Communications) when uploading. Default is ‘0’ → not activated | 0 | 0 |
auth/rfc_authority_check | Activating authorization check against authorization object S_RFC while executing RFC communication. Default is 1 → Authorization check active. | 1 | 1 |
auth/system_access_check_off | This parameter can be used to switch off the automatic authorization check for particular ABAP/4 language. This parameter is necessary to ensure downward compatibility of the R/3 kernel. Default is ‘0’ → check remains active. | 0 | 0 |

Regards,
Himanshu Sharma
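
Added example, not part of the original post and not SAP code: a Python check that reads a profile in `name = value` form and reports every parameter whose effective value is weaker than the SUGGESTION column above, falling back to the SAP DEFAULT column when the parameter is unset. The rule directions (`le`/`ge`/`eq`), the treatment of 0 as "limit switched off", and the sample profile are assumptions made for this example.

```python
import operator
# (parameter, rule, suggested value, SAP default) from the table above;
# "le": value <= suggestion, "ge": value >= suggestion, "eq": exact match.
BASELINE = [
    ("login/fails_to_user_lock", "le", 5, 6),
    ("login/failed_user_auto_unlock", "eq", 0, 1),
    ("login/min_password_lng", "ge", 6, 3),
    ("login/password_expiration_time", "le", 60, 0),
    ("login/no_automatic_user_sapstar", "eq", 1, 0),
    ("rdisp/gui_auto_logout", "le", 1800, 0),
]
OPS = {"le": operator.le, "ge": operator.ge, "eq": operator.eq}
# 0 switches these limits off, so it must never pass a "<=" rule.
ZERO_MEANS_OFF = {"login/password_expiration_time", "rdisp/gui_auto_logout"}

def parse_profile(text):
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # comment or not a 'name = value' line
        name, value = line.split("=", 1)
        # Lower-cased only to match the table, which capitalises some names.
        params[name.strip().lower()] = value.strip()
    return params

def audit(params):
    findings = []  # (parameter, effective value, suggestion, source)
    for name, rule, want, default in BASELINE:
        raw = params.get(name)
        source = "default" if raw is None else "profile"
        try:
            value = default if raw is None else int(raw)
        except ValueError:
            findings.append((name, raw, want, "unparsable"))
            continue
        if not OPS[rule](value, want) or (name in ZERO_MEANS_OFF and value == 0):
            findings.append((name, value, want, source))
    return findings

# Constructed sample profile, not taken from a real system.
SAMPLE_PROFILE = """\
login/min_password_lng = 8
Login/password_expiration_time = 90
rdisp/gui_auto_logout = 0
"""

if __name__ == "__main__":
    print(*audit(parse_profile(SAMPLE_PROFILE)), sep="\n")
```

A finding whose source is `default` means the parameter is not set in the profile at all and the system is running on the SAP default from the table.
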
Appreciate your compilation.
Good one!
-Akshay
Nice list, thanks.
Here are some others (few are duplicates, sorry)
Parameter | Role | Default value |
---|---|---|
login/disable_multi_gui_login | disable multiple sapgui logons (for same SAP account) | 0 |
login/multi_login_users | List of users that can have multiple logon (if login/disable_multi_gui_login is set) | |
login/disable_password_logon | Deactivate password-based logon | 0 |
login/password_logon_usergroup | Users of this group can still logon with passwords (if login/disable_password_logon is set) | |
login/failed_user_auto_unlock | Enable automatic unlock of locked user at midnight | 0 |
login/fails_to_session_end | Number of invalid login attempts until session end | 3 |
login/fails_to_user_lock | Number of invalid login attempts until user lock | 5 |
login/password_expiration_time | Dates until password must be changed | 0 |
login/password_history_size | Number of records to be stored in the password history | 5 |
login/password_change_waittime | Password change possible after # days (since last change) | 1 |
login/password_max_idle_initial | maximum #days a password (set by the admin) can be unused (idle) | 0 |
login/password_max_idle_productive | maximum #days a password (set by the user) can be unused (idle) | 0 |
login/min_password_diff | min. number of chars which differ between old and new password | 1 |
login/min_password_digits | min. number of digits in passwords | 0 |
login/min_password_letters | min. number of letters in passwords | 0 |
login/min_password_lng | Minimum Password Length | 6 |
login/min_password_lowercase | minimum number of lower-case characters in passwords | 0 |
login/min_password_specials | min. number of special characters in passwords | 0 |
login/min_password_uppercase | minimum number of upper-case characters in passwords | 0 |
login/password_charset | Define character set used for passwords (only if login/password_downwards_compatibility is set) | 1 |
login/password_downwards_compatibility | password downwards compatibility (8 / 40 characters, case-sensitivity) | 1 |
login/password_compliance_to_current_policy | Activate the check of password policy compliance at each login | 0 |
login/update_logon_timestamp | Update frequency / accuracy of logon timestamp (D day, h hour, m minute, s second) | m |
login/no_automatic_user_sapstar | If set to 1 disable the automatic (kernel) login for user SAP* | 1 |
login/password_change_for_SSO | Handling of password change enforcements in Single Sign-On situations | 1 |

Thanks Yves.
Your list will be very helpful.
Regards,
Himanshu
Hey,
Very useful info.. thanks a lot for sharing..
Regards,
Shyam Kumar
Thanks Himanshu & Yves,
Your post is very useful.
Regards,
Shravan
Thanks a lot Shyam and Shravan.
Regards,
Himanshu
Do you know you can get all this info and more directly from RZ11?
Yes Juan, as said by Himanshu, it would be handy in critical situations.
If correct procedures are in place, it should never get to a point where a security/login parameter is implemented with incorrect values in a production system effectively becoming a critical situation. That is why a standard landscape has three tiers.
Yes Juan, you are right. It is just the compilation which can be handy at critical times.
By the way, it's also possible to get a full parameter list from table TPFYPROPTY.
Report RSPARAM also gives the same.
Why would you want to have security logging disabled (rsau/enable)?
Also have SNC disabled?