Password Self Service & End User Logon Configuration – AC10

Connector Settings

• Maintain Connector Settings: For each applicable system tick the PSS System Box
  • SPRO -> IMG -> GRC -> AC -> Maintain Connector Settings

• Maintain Data Sources Configuration: Choose which system you check, for User Id to login
  • SPRO -> IMG -> GRC -> AC -> Maintain Data Sources Configuration
    • User Authentication Data Sources: Pick a System (ECC, LDAP, HR etc)
    • User Search Data Sources: Pick a System (ECC, LDAP, HR etc)
    • User Detail Data Sources: Pick a System (ECC, LDAP, HR etc)
    • End User Verification: Choose YES/NO for Password requirement on logon screen

• Enabling End User Verification would require the end user to enter their password in order to login. However if a user needs to request a new password (obviously  they forgot the current one), it would be a catch 22 situation as pointed out by Colleen further down in the document (comments section).
• Disabling End User Verification would rectify this problem however that would raise a security issue, where any user can login using someone else’s user id and access their home screen and raise requests etc. This isn’t a huge problem as the request would go to the email address registered against their user id but still can be frowned upon and should be discouraged.
• A good compromise would be to Disable End User Verification and activate Challenger question (covered further down in the document). Even this has one potential downside to it, which is, if the end user hasn’t registered their answers against the questions then the previous scenario would come into play again!!
  • So any suggestions from the seasoned community members here, who had to deal with this issue would be very much appreciated!

* You can configure multiple data sources. Preference is set by giving a sequence number

Password Self Service Settings

• Run transaction SPRO.
  • SPRO-> IMG -> Governance, Risk & Compliance -> Access Control -> User Provisioning -> Maintain Password Self Service
    • On the left panel, under Dialog Structure, click PSS Global Configuration Values folder
    • Click New Entries button.
    • Under the PSS Global Configuration Values, enter the following:
  • Authentication Source = Challenge Response
    • When you select this option, the administrator configures the security questions  and the users register their answers. A user who creates a request to reset their password must answer the questions as they have registered them. The application only resets the passwords if the user successfully answers all of the questions
  • PSS Disable Verification =
    • None: Select this option if you want to enable PSS verification.
    • Name Change Self Service: Select this option if you want to disable PSS verification in case the user only changes their name.
    • Password Self Service: Select this option if you want to disable PSS verification in case the user changes their password.
    • All: Select this option if you want to disable PSS verification in all situations. By choosing ‘ALL’, user would not need to register questions or receive a step in the password reset process to answer any questions.

• • To answer a question/be challenged.
    • Number of Questions = 2 (Minimum should be 1)
    • Number of Attempts  = 3 (For Example)
  • Click Save button.
  • On the left panel, click the Challenge Response Questions folder.
    • Click New Entries button.
    • In the Challenge Response Questions, enter a Question in the field provided.
    • Check the Active box.
    • Click Save.

* If you chose HR System as the authentication source, then maintain the PSS HR System settings.

User Maintenance

• A shared User needs to  be created and the same user details should be maintained in Web Services (explained further in the document)
  • Create a Shared user in SU01
  • Should be of type ‘communication’ with the following two roles:
    • SAP_GRAC_ACCESS_REQUESTER
    • SAP_GRAC_END_USER
• A WF-Batch user needs to be created as well. The email to the end user is sent from the email address configured against this user
  • Create WF-Batch user in SU01
  • Should be of type ‘System’
  • You can configure the email address as ‘donotreply@something.something’ so end users do not respond or email this address directly.

* Shared User: Has to exist in the GRC system

Activate End User Logon

• Run Transaction SPRO
  • SPRO -> IMG -> GRC-> AC-> User Provisioning-> End User Login: ServiceName = GRAC_UIBB_END_USERLOGIN or enter tcode SICF
    • Under the Virtual Hosts/Services section, double-click GRAC_UIBB_END_USERLOGIN to open it in edit mode.
    • The Create/Change a Service screen appears.

• • • On the Logon Data tab, enter the shared user id, password (you created in SU01) and procedure (Standard) -> Save

• • Repeat steps 1-3 for the following Web Services:
    1. GRAC_GAF_PWD_SELFSERVICE_EU
    2. GRAC_OIF_USER_REGISTER_EU
    3. GRAC_OIF_MY_PROFILE_EU
    4. GRAC_GAF_NAME_CHANGE_SERV_EU
    5. GRAC_POWL_REQUEST_STATUS_EU
    6. GRAC_GAF_ACCREQ_WITH_REQREF_EU
    7. GRAC_OIF_REQUEST_SUBMISSION_EU    
    8. GRAC_GAF_ACCREQ_WITH_TEMPL_EU    
    9. GRAC_GAF_ACCREQ_WITH_USEREF_EU
• • Right-click GRAC_UIBB_END_USERLOGIN, and then choose Test Service -> Logon Screen in web browser.

* Only the first 3 services might suffice if you are enabling just PSS however I’ve had some problems (covered in the ‘Errors’ section) and enabling all 10 seem to address those issues, so if you encounter any problems you might give this a go!!

• • If you would like to disable certain objects you can do so by adding the following line to end of the web address in the URL window of the browser and press enter.

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/123

• • • Following screen shows up. If you see ‘Adapt Configuration’ on the top, right hand corner; that means you are in config mode.

• • Enter your username and password, and log onto the system.
    • The End User Home screen appears.

• • • To make a link invisible, right-click the link and select Settings for Current Configuration.
    • Select Invisible, Save the entry, and then close the browser.
    • The link is no longer available for end users. This is applicable for all end users.

User Access

You got to give the end user the URL address, User ID and Password so they can use those credentials to login and raise a request. Once they login they can raise a request to reset their password. If request is successful then the system sends them an email with a temporary password, which they need to change upon their login. The password generated is a system generated one. The email received by the user looks something like this:

• You can customize the generic password sent by executing:
  • TCode: SM30
  • Table: PRGN_CUST – > Maintain -> New Entries -> Add the following Names and corresponding values you are after and Save.
    •     GEN_PSW_MAX_LENGTH
    •     GEN_PSW_MAX_LETTERS
    •     GEN_PSW_MAX_DIGITS
    •     GEN_PSW_MAX_SPECIALS
  • End result is as follows with the following customized values:
    •     GEN_PSW_MAX_LENGTH: 10
    •     GEN_PSW_MAX_LETTERS: 5
    •     GEN_PSW_MAX_DIGITS: 3
    •     GEN_PSW_MAX_SPECIALS: 2