Skip to Content
S A

Password Self Service & End User Logon Configuration – AC10

G’Day All,

Given the importance of Password Self Service and End User Logon, numerous posts out here in regards to its configuration and problems, coupled with my own interest in it; I began scouring through all the blogs related to these two topics and the result is as follows. I hope this will help you to some extent in understanding and configuring PSS and EUL.

As usual please free to correct me, if I made any mistakes or if you would like to add anything to this document.

 

Password Self Service

Password Self Service is a customizing activity, which enables an end user to reset their own passwords in the back end system. A user password is usually reset using TCode SU01. However considering this is restricted to end users and to help admins from being bogged down by constant password reset requests, a good alternative is to give the end user the option to reset their passwords themselves thereby freeing up the admins to do other tasks.

When an end user raises a request for a password reset, the application verifies the user based on the information they maintained for their password self-service settings or against the global PSS settings. Once the application verifies the user and the system, it resets the password and sends an e-mail to the user’s configured e-mail address. The password sent is a generic password, which the user needs to change upon their login.

* All end users need to have a valid email Id to receive reset password link

Password Self Service Configuration

Connector Settings

  • Maintain Connector Settings: For each applicable system tick the PSS System Box
    • SPRO -> IMG -> GRC -> AC -> Maintain Connector Settings

Maintain Connector Settings.png

  • Maintain Data Sources Configuration: Choose which system you check, for User Id to login
    • SPRO -> IMG -> GRC -> AC -> Maintain Data Sources Configuration
      • User Authentication Data Sources: Pick a System (ECC, LDAP, HR etc)
      • User Search Data Sources: Pick a System (ECC, LDAP, HR etc)
      • User Detail Data Sources: Pick a System (ECC, LDAP, HR etc)
      • End User Verification: Choose YES/NO for Password requirement on logon screen

Data Source Connector.png

EUV - No.png

  • Enabling End User Verification would require the end user to enter their password in order to login. However if a user needs to request a new password (obviously  they forgot the current one), it would be a catch 22 situation as pointed out by Colleen further down in the document (comments section).
  • Disabling End User Verification would rectify this problem however that would raise a security issue, where any user can login using someone else’s user id and access their home screen and raise requests etc. This isn’t a huge problem as the request would go to the email address registered against their user id but still can be frowned upon and should be discouraged.
  • A good compromise would be to Disable End User Verification and activate Challenger question (covered further down in the document). Even this has one potential downside to it, which is, if the end user hasn’t registered their answers against the questions then the previous scenario would come into play again!!
    • So any suggestions from the seasoned community members here, who had to deal with this issue would be very much appreciated!

* You can configure multiple data sources. Preference is set by giving a sequence number

Password Self Service Settings

  • Run transaction SPRO.
    • SPRO-> IMG -> Governance, Risk & Compliance -> Access Control -> User Provisioning -> Maintain Password Self Service
      • On the left panel, under Dialog Structure, click PSS Global Configuration Values folder
      • Click New Entries button.
      • Under the PSS Global Configuration Values, enter the following:
    • Authentication Source = Challenge Response
      • When you select this option, the administrator configures the security questions  and the users register their answers. A user who creates a request to reset their password must answer the questions as they have registered them. The application only resets the passwords if the user successfully answers all of the questions
    • PSS Disable Verification =
      • None: Select this option if you want to enable PSS verification.
      • Name Change Self Service: Select this option if you want to disable PSS verification in case the user only changes their name.
      • Password Self Service: Select this option if you want to disable PSS verification in case the user changes their password.
      • All: Select this option if you want to disable PSS verification in all situations. By choosing ‘ALL’, user would not need to register questions or receive a step in the password reset process to answer any questions.

PSS - None.png

PSS - Security Question.png

PSS - Success.png

    • To answer a question/be challenged.
      • Number of Questions = 2 (Minimum should be 1)
      • Number of Attempts  = 3 (For Example)
    • Click Save button.
    • On the left panel, click the Challenge Response Questions folder.
      • Click New Entries button.
      • In the Challenge Response Questions, enter a Question in the field provided.
      • Check the Active box.
      • Click Save.

* If you chose HR System as the authentication source, then maintain the PSS HR System settings.

End User Logon

An employee within an organization would require, to raise various types of requests like an Access Request for a new account/change an existing account etc or reset their own password etc on a regular basis. End User Logon, facilitates this by giving them access to their own ‘Home Screen’, where they can raise the relevant requests.

In this instance, the end user would need access to raise a request to reset their own password. In order to achieve that he/she would need authorization to be able to access it and following steps needs to taken to accomplish that.

End User Logon Configuration

User Maintenance

  • A shared User needs to  be created and the same user details should be maintained in Web Services (explained further in the document)
    • Create a Shared user in SU01
    • Should be of type ‘communication’ with the following two roles:
      • SAP_GRAC_ACCESS_REQUESTER
      • SAP_GRAC_END_USER
  • A WF-Batch user needs to be created as well. The email to the end user is sent from the email address configured against this user
    • Create WF-Batch user in SU01
    • Should be of type ‘System’
    • You can configure the email address as ‘donotreply@something.something’ so end users do not respond or email this address directly.

* Shared User: Has to exist in the GRC system

Activate End User Logon

  • Run Transaction SPRO
    • SPRO -> IMG -> GRC-> AC-> User Provisioning-> End User Login: ServiceName = GRAC_UIBB_END_USERLOGIN or enter tcode SICF
      • Under the Virtual Hosts/Services section, double-click GRAC_UIBB_END_USERLOGIN to open it in edit mode.
      • The Create/Change a Service screen appears.

EUL Settings.png

      • On the Logon Data tab, enter the shared user id, password (you created in SU01) and procedure (Standard) -> Save

EUL Logon Data.png

    • Repeat steps 1-3 for the following Web Services:
      1. GRAC_GAF_PWD_SELFSERVICE_EU
      2. GRAC_OIF_USER_REGISTER_EU
      3. GRAC_OIF_MY_PROFILE_EU
      4. GRAC_GAF_NAME_CHANGE_SERV_EU
      5. GRAC_POWL_REQUEST_STATUS_EU
      6. GRAC_GAF_ACCREQ_WITH_REQREF_EU
      7. GRAC_OIF_REQUEST_SUBMISSION_EU    
      8. GRAC_GAF_ACCREQ_WITH_TEMPL_EU    
      9. GRAC_GAF_ACCREQ_WITH_USEREF_EU
    • Right-click GRAC_UIBB_END_USERLOGIN, and then choose Test Service -> Logon Screen in web browser.

* Only the first 3 services might suffice if you are enabling just PSS however I’ve had some problems (covered in the ‘Errors’ section) and enabling all 10 seem to address those issues, so if you encounter any problems you might give this a go!!

EUL - Normal Mode.png

    • If you would like to disable certain objects you can do so by adding the following line to end of the web address in the URL window of the browser and press enter.

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/123

      • Following screen shows up. If you see ‘Adapt Configuration’ on the top, right hand corner; that means you are in config mode.

EUL - Config Mode.png

    • Enter your username and password, and log onto the system.
      • The End User Home screen appears.

EUH - NI.png

      • To make a link invisible, right-click the link and select Settings for Current Configuration.
      • Select Invisible, Save the entry, and then close the browser.
      • The link is no longer available for end users. This is applicable for all end users.

EUH - All Hidden.png

User Access

You got to give the end user the URL address, User ID and Password so they can use those credentials to login and raise a request. Once they login they can raise a request to reset their password. If request is successful then the system sends them an email with a temporary password, which they need to change upon their login. The password generated is a system generated one. The email received by the user looks something like this:

PSS - Email.png

  • You can customize the generic password sent by executing:
    • TCode: SM30
    • Table: PRGN_CUST – > Maintain -> New Entries -> Add the following Names and corresponding values you are after and Save.
      •     GEN_PSW_MAX_LENGTH
      •     GEN_PSW_MAX_LETTERS
      •     GEN_PSW_MAX_DIGITS
      •     GEN_PSW_MAX_SPECIALS
    • End result is as follows with the following customized values:
      •     GEN_PSW_MAX_LENGTH: 10
      •     GEN_PSW_MAX_LETTERS: 5
      •     GEN_PSW_MAX_DIGITS: 3
      •     GEN_PSW_MAX_SPECIALS: 2

PSS - NPSuccess.png

Errors

End User Logon Screen

Sometimes NWBC logon screen shows up as opposed to EU logon screen!

  • Maintain all 10 Web Services and ensure the Logon Data details(User ID, Password) are exactly the same in SICF!!

Re-login Screen

When user clicks on one of the services in the Home Screen, it asks for username and password again!

  • Again same solution as above!!

Systems not showing up

When the user clicks on the add button to add a system in PSS request, no systems are available!

  • This could be a problem with connectors not defined properly in Maintain Connector Settings or PSS isn’t enabled against that connector.
  • Try giving the Shared user ‘SAP ALL’ authorization. This seems to do the trick sometimes, however I am not sure if this is the right approach.

For best practices, pitfalls to avoid and things to consider while enabling PSS, please refer to the following document put together by Col and Ale. Thanks Guys!!

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

Regards,

Leo..

16 Comments
You must be Logged on to comment or reply to a post.
  • Hi Leo

    Good effort here to pull this together and I can see those new to GRC appreciating the piece. If you happened to have used SCN content then it would be nice for you to reference which posts you referred to  🙂


    Some improvement ideas:

    1. SICF listing – I would limit to the ones that apply to PSS. If PSS is in scope but Access Requests is not they do not need to activate them and may even remove them from display. Glad you provided recommendation on restricting the GUEST user access. I thought GUEST was a service account not communications?

    2. PRGN_CUST – I mentioned this table to you a while back, but in configuring this password entries you can control the length/format of the generated password (instead of getting a really long password)

    3. Reason System not show up

    Another reason for system not showing up – if they user does not have access to that system in the first place they will not see it. There is also a security authorization check but I assume the GUEST account has full access from the roles you mentioned.

    4. Data Sources for Authentication

    Watch out for the catch 22 – For example if ECC is your authentication source and also happens to be the account you need a password for. You need to know the password to authenticate to request a password –> you become stuck.

    5. End User Verification as YES or NO

    possible spell out the risk more on setting it to NO. Setting to NO overcomes the point I made about the catch 22 but then you need to manage risk or someone else masquerading as the user but using Challenge Response or trusting their email address is secured.

    6. Challenge Response Questions

    This goes hand in hand with the End User Verification. But also do you want users registering their own or system. How do you go about on-boarding registration of questions? What are the risks either way.

    Elaborating a bit more on the risks and options for configuring PSS will take this blog to the next level. But again, useful already a good checklist to work through.

    Regards

    Colleen

    • Hello Colleen,

      Thank you for the great feedback. As usual it is very much appreciated.

      I take everything you mentioned here on board and I understand where you coming from. My goal (as with all my documents) is to keep it simple and my target audience are first timers. Once they understand the basics they can go and do their own digging and experiment. I believe you learn better that way.

      My plan is to build in stages and reference the documents, so that way there is a natural progression. However input and feedback from people like yourself will help in that progression.

      it would be nice for you to reference which posts you referred to  🙂

      I usually do but in this instance there isn’t a document per se. However it was from questions raised and various answers from the community. A good amount is from your answers in the following blog. Thanks for that!!.

      GRC AC-Password self service

      PRGN_CUST – I mentioned this table to you a while back, but in configuring this password entries you can control the length/format of the generated password (instead of getting a really long password)


      Brilliant!! I was wondering how on earth can I achieve this. I’ll get straight on it.

      I’ve got a query if I may. Is giving the ‘SAP_ALL’ to the Shared user the right way to go? because if I don’t then the systems aren’t showing up!

      Also is there a way we can disable how often one can raise a PSS request in a day? Right now, it is only once a day.

      Regards,

      Leo..

      • Hey Leo

        SAP_ALL – do not assign this to any users. System users, like an end user, must only be given the permissions for the job they are meant to do. If you service user has SAP_ALL and password is known it is a massive risk.

        PRGN_CUST – look for the PASS_GEN* entries. I think there are 4-6 of them to control length, special character, number, letters, etc.

        Number of passwords – the one a day limit would be due to SAP user master password limit. GRC is leveraging the BAPIs for password reset (it’s why the password length is also control from PRGN_CUST). You cannot reset your own password more than one time a day. Multiple resets must be handled by the administrator.

        Regards

        Colleen

        • Thanks Colleen. I’ll have a crack at that table and also its good to know that there is no way around the once a day thing!

          I was aware that SAP_ALL should not be given to end user but I thought the shared user is of type ‘Communication’ (I read in one of the blogs here and it seems to be working) so it does not have login option (Or maybe I am getting confused with another user type). I wonder what authorization in SAP_ALL is enabling the systems to show up!!

          Regards,

          Leo..

      • Hello,

        Thanks for putting out the blog and explaning in details.

        I have one query on End User logon page.I made AD(LDAP) as data source for end user logon and it is working fine as expected. The issue is as per the policy when the user try to login into end user page using initial password set in AD it should ask for changing the password before getting into the the page.

        Is there any way we can activate the functionality?

        Thanks,

        Trinetra

  • Excellent guide Leo.

    Here is a suggestion if you want to avoid the end user verification and challenge question risk highlighted.This works if your organization uses SAP portal with LDAP authentication.

    We disabled both end user verification and challenge questions for PSS. We added the PSS link/Iview to the Portal and forced the users to first access our portal with AD ID and password before going to the PSS link. This has worked great for us.

    Thanks

    Anthony

    • Thanks for your positive feedback Anthony. Appreciate it. You are right! the portal scenario you mentioned is a good approach to overcome some, if not most of the problems addressed in this document. A mate of mine tried the same in his organization and apparently it works like a charm!!

      Regards,

      Leo..

    • Hi Anthony

      If someone knows the End User Login URL directly are they able to launch it outside of the portal and just enter their User Id to proceed?

      Regards

      Colleen

  • Hi Leo,

    Thanks for the document, it clears out lots of questions around PSS. Great work!!

    It helped me a lot to set up PSS for our client.

    I just want to add regarding the ‘Guest’ user or the shared user which we maintained at GRC side in our services (through SICF).

    – The Guest user has to be service type in SU01.

    – SAP_ALL to service user is strict No.

    – When we maintain it in services it has to be marked as Internet user.

    – This user will need RFC authorizations similar to the RFC users we use in our target ECC/BW etc systems, so we can utilize the same roles.

    – Add authorization to  GRAC_SYS auth object to Guest user to ensure the systems appear in the System list in last step of PSS.

    Hope these points will help.

    Thanks,

    Priyanka

  • Hi Leo

    Thank you very much for the efforts. I’m a little confused. After completing all the settings, I can login using that shared user (GUEST) and then raise a password reset request for my own ID (like ZTEST )?

    Appreciate if you can kindly answer my question.

  • Hello,

    This document is really great – I am working on implementing PSS and have run into an issue – I have created my shared user as a communication user – set up the SICF services, when trying to perform the test -> Right click GRAC_UIBB_END_USER_LOGIN I am promted to change the password – could anybody perhaps have an idea why and where I should look to correct this ?

    Thanks in advance,

    Kind Regards,

    Siobhan

  • Hello Leo,

    I am trying to configure PSS using HR as authentication source. While testing, I am seeing a vicious issue. While adding system for password reset, I see my ID as XYZCLNT100 and ABCCLNT100 but when I use a test ID, it only has one entry ABCCLNT100.

    MY test user is present in XYZCLNT100 thus ideally it should be visible. Connector config should be okay as I am able to reset myself in XYZCLNT100 and ABCCLNT100. I have tried with SAP_ALL option for test ID also. It does not seems to be an authorization issue. Would you know what else could be missing.

    BR,

    Anish

     

  • Hi

    Was wondering if someone can help me. I have played with this and evrythign is working

     

    WE have a set of users that has the company domain email address  and when they go into PSS  and reset the password the mail gets sent.. and then we have another set of users wit a different email address and when they go and reset they get all the SLG1 no mail comes thRU. but if we do anything else IN SELF SERVICE MENU ,we see the mail in sost and scot but just not for Password reset.

     

    Appreciate any help