Himanshu sharma

Important Security Parameters - Helpful for Basis!

| Parameter | Parameter description | Suggestion | SAP default |
| --- | --- | --- | --- |
| login/fails_to_session_end | Number of times a user can enter an incorrect password before the system terminates the logon attempt. Default is 3 | 3 | 3 |
| login/fails_to_user_lock | Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. | 5 | 6 |
| login/system_client | Specifies the default client. This client is automatically filled in on the system logon screen. Users can overwrite this. | As per team. | 001 |
| login/failed_user_auto_unlock | Enable automatic unlock of locked users at midnight. Default is 1 – allowed | 0 | 1 |
| rdisp/max_alt_modes | You can use this parameter to restrict the maximum number of external sessions a user is allowed to open in one logon. | 3 | 6 |
| login/min_password_lng | Minimum length of a password. Default is 3. Any values from 2 – 8. SAP also provides a mechanism for additional customization of password restrictions. | 6 | 3 |
| login/min_password_digits | Defines the minimum number of digits (0-9) in passwords | 1 | 0 |
| login/min_password_letters | Defines the minimum number of letters (A-Z) in passwords | 1 | 0 |
| login/min_password_specials | Defines the minimum number of special characters in passwords | 1 | 0 |
| login/password_expiration_time | Number of days after which a password must be changed. When the expiration time is reached, the user is asked to enter a new password. Default is ‘0’ – no time limit. The user will start getting a pop-up 5 days before the expiration date. | 60 | 0 |
| login/no_automatic_user_sapstar | Disables special properties for user SAP* when this parameter is set to a value greater than zero. When the parameter is reset to 0, it would allow logins with SAP* using the default delivered password and unrestricted system access privileges. The default is 0 – permitted. | 1 | 0 |
| rdisp/gui_auto_logout | Specifies the number of seconds a user session can be idle before being automatically logged off by the system. Default is 0 | 1800 | 0 |
| auth/no_check_in_some_cases | Used to enable SU24 to activate authorization checks for transactions and to work with the Profile Generator. Default is Y. | Y | Y |
| auth/tcodes_not_checked | Checks on object S_TCODE. It disables Tcode checking for SU53 & SU56 analysis. In certain cases, this can be shut off, but it results in a big security risk for the system. Do not change unless absolutely necessary. | N | Empty string |
| auth/authorization_trace | Enables easier diagnosis of security failures, since it allows running the System Trace (transaction ST01). Caution: Setting this parameter greatly affects system performance! | N | N |
| login/disable_multi_gui_login | Disable multiple sapgui logons (for same R/3 account). Default is ‘0’ – off. | 1 | 0 |
| rsau/enable | Enables security audit logging. Default is ‘0’ → logging not enabled | 0 | 0 |
| rsau/max_diskspace/local | Maximum file size of a security audit file allowed for each event. Default is 1,000,000 B. This parameter is relevant only if security audit logging is in use. | 20M | 20M |
| rsau/selection_slots | The parameter specifies the number of selection units that are set using transaction SM19 and checked by the system during processing. Default is 2 – meaning two audit files can be open at any given point | 2 | 2 |
| auth/object_disabling_active | Authorization objects can be deactivated with the transaction AUTH_SWITCH_OBJECTS if this parameter is set to “Y” or is not set. If it is set to “N”, they cannot be deactivated. Default is Y → can be deactivated. | N | Y |
| snc/enable | If SNC (Secure Network Communications) is activated, then by default all incoming connections will only be accepted if they are secure. If this parameter is set to “1”, the work processes try to activate/initialize the SNC module when uploading. Default is ‘0’ → not activated | 0 | 0 |
| auth/rfc_authority_check | Activates the authorization check against authorization object S_RFC while executing RFC communication. Default is 1 → authorization check active. | 1 | 1 |
| auth/system_access_check_off | This parameter can be used to switch off the automatic authorization check for particular ABAP/4 language elements. This parameter is necessary to ensure downward compatibility of the R/3 kernel. Default is ‘0’ → check remains active. | 0 | 0 |

Regards,

Himanshu Sharma
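
As an added example (not part of the original post and not SAP tooling), the script below checks a profile against the Suggestion column of the table above for the logon, password and session parameters, falling back to the listed SAP default when a parameter is not set. It assumes profiles are plain `name = value` text with `#` comment lines; `BASELINE`, `RULES`, `parse_profile` and `audit` are names made up for this example, and the per-parameter rule for what counts as "at least as strict" is the example's own interpretation.

```python
# Added example. Suggestion / SAP-default values are copied from the table
# above; the rule per parameter is this example's own reading of "stricter".
BASELINE = {  # name: (suggestion, listed SAP default, rule)
    "login/fails_to_user_lock":        (5, 6, "max"),
    "login/failed_user_auto_unlock":   (0, 1, "eq"),
    "login/min_password_lng":          (6, 3, "min"),
    "login/min_password_digits":       (1, 0, "min"),
    "login/min_password_specials":     (1, 0, "min"),
    "login/password_expiration_time":  (60, 0, "max"),
    "login/no_automatic_user_sapstar": (1, 0, "eq"),
    "rdisp/gui_auto_logout":           (1800, 0, "max"),
}
# "max": 0 means "no limit / disabled", so it never satisfies a cap
RULES = {"eq": lambda v, s: v == s, "min": lambda v, s: v >= s,
         "max": lambda v, s: 0 < v <= s}

def parse_profile(text):
    """Parse 'name = value' lines (assumed format); last assignment wins."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def audit(profile_text):
    """Return (name, effective value, suggestion, source) per deviation."""
    profile, findings = parse_profile(profile_text), []
    for name, (suggestion, default, rule) in BASELINE.items():
        raw = profile.get(name)
        if raw is not None and not raw.isdigit():
            findings.append((name, raw, suggestion, "not a number"))
            continue
        value = default if raw is None else int(raw)
        if not RULES[rule](value, suggestion):
            source = "listed default" if raw is None else "profile"
            findings.append((name, value, suggestion, source))
    return findings

SAMPLE_PROFILE = """# constructed sample, not taken from a real system
login/min_password_lng = 8
login/password_expiration_time = 90
login/fails_to_user_lock = 3
login/no_automatic_user_sapstar = 1
rdisp/gui_auto_logout = 0
"""

for finding in audit(SAMPLE_PROFILE):
    print("%s: effective %s, suggested %s (%s)" % finding)
```

A parameter missing from the profile is evaluated at the default listed in the table, which is why the unset password-composition rules in the sample are reported even though no line in the profile mentions them.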

      13 Comments
      Akshay Gupta

      Appreciate your compilation.

      Good one!

       

      -Akshay

      Olivier BOULET

      Nice list, thanks.

      Here are some others (few are duplicates, sorry)

       

      | Parameter | Role | Default value |
      | --- | --- | --- |
      | login/disable_multi_gui_login | disable multiple sapgui logons (for same SAP account) | 0 |
      | login/multi_login_users | List of users that can have multiple logon (if login/disable_multi_gui_login is set) | |
      | login/disable_password_logon | Deactivate password-based logon | 0 |
      | login/password_logon_usergroup | Users of this group can still logon with passwords (if login/disable_password_logon is set) | |
      | login/failed_user_auto_unlock | Enable automatic unlock of locked user at midnight | 0 |
      | login/fails_to_session_end | Number of invalid login attempts until session end | 3 |
      | login/fails_to_user_lock | Number of invalid login attempts until user lock | 5 |
      | login/password_expiration_time | Dates until password must be changed | 0 |
      | login/password_history_size | Number of records to be stored in the password history | 5 |
      | login/password_change_waittime | Password change possible after # days (since last change) | 1 |
      | login/password_max_idle_initial | maximum #days a password (set by the admin) can be unused (idle) | 0 |
      | login/password_max_idle_productive | maximum #days a password (set by the user) can be unused (idle) | 0 |
      | login/min_password_diff | min. number of chars which differ between old and new password | 1 |
      | login/min_password_digits | min. number of digits in passwords | 0 |
      | login/min_password_letters | min. number of letters in passwords | 0 |
      | login/min_password_lng | Minimum Password Length | 6 |
      | login/min_password_lowercase | minimum number of lower-case characters in passwords | 0 |
      | login/min_password_specials | min. number of special characters in passwords | 0 |
      | login/min_password_uppercase | minimum number of upper-case characters in passwords | 0 |
      | login/password_charset | Define character set used for passwords (only if login/password_downwards_compatibility is set) | 1 |
      | login/password_downwards_compatibility | password downwards compatibility (8 / 40 characters, case-sensitivity) | 1 |
      | login/password_compliance_to_current_policy | Activate the check of password policy compliance at each login | 0 |
      | login/update_logon_timestamp | Update frequency / accuracy of logon timestamp (D day, h hour, m minute, s second) | m |
      | login/no_automatic_user_sapstar | If set to 1 disable the automatic (kernel) login for user SAP* | 1 |
      | login/password_change_for_SSO | Handling of password change enforcements in Single Sign-On situations | 1 |

      Himanshu sharma
      Blog Post Author

      Thanks Yves.

      Your list will be very helpful.

       

      Regards,

      Himanshu

      shyam kumar

      Hey,

       

      Very useful info.. thanks a lot for sharing..

       

      Regards,

      Shyam Kumar

      Former Member

      Thanks Himanshu & Yvesh,

       

      your post is very useful.

       

      Regards,

      Shravan

      Himanshu sharma
      Blog Post Author

      Thanks a lot Shyam and Shravan.

       

      Regards,

      Himanshu

      Juan Reyes

      Do you know you can get all this info and more directly from RZ11?

      Former Member

      Yes Juan, as said by Himanshu it would be handful in critical situations.

      Juan Reyes

      If correct procedures are in place, it should never get to a point where a security/login parameter is implemented with incorrect values in a production system effectively becoming a critical situation. That is why a standard landscape has three tiers.

      Himanshu sharma
      Blog Post Author

      Yes Juan, you are right. It is just the compilation which can be handy at critical times.

      Olivier BOULET

      By the way it's also possible to get a full parameter list from table TPFYPROPTY

      Former Member

      Report RSPARAM also gives the same.

      Former Member

      Why would you want to have security logging disabled (rsau/enable)?

       

       

      Also have SNC disabled?