You can use SAP NW Identity Management to develop a central password self-service applications which can be used by all users to set their password in various backend systems. Well, I agree that implementing Single Sign-On is always better than dealing with numerous passwords, but if Single Sign-On is not possible for some reasons we can try to make the life easier to handle passwords.
Using a central application to provision passwords produce a very specific issue because backend systems always follow their own rules about validating passwords. The central application has to cover all rules which exist out there. This includes simple rules about the mimimum password length as well as rules about the mandatory usage of character classes and finally very specific rules of the backend.
In SAP NW Identity Management you can assign a regular expression (Regex) to validate the input for an attribute which is resented on the user interface of IdM. Julien Hartmann has written a nice blog "Extended use cases for input validations with SAP Identity Management" describing how to implement input validation in IdM. Let's have a closer look to this.
Let's start with a simple approach. This Regex ensures that the password at least contains one letter [a-zA-Z] and one digit [0-9]. No other characters are allowed:
([a-zA-Z]+[0-9]+[a-zA-Z0-9]*|[0-9]+[a-zA-Z]+[a-zA-Z0-9]*)
This is far from being sufficient to cover the ABAP password rules.
In the original blog you can find a more sophisticated example which shows the usage of look ahead conditions for the password attribute:
^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{4,8}$This way following rules are implemented:
- At least one digit: (?=.*\d)
- At least one lower case letter: (?=.*[a-z])
- At least one upper case letter: (?=.*[A-Z])
- Password length 4-8: .{4,8}
How to support all ABAP password rules
Using this method let's try to cover all ABAP password rules.
The first three characters cannot all be the same. This is a hard-coded rule which you cannot switch off in the ABAP system. You can verify that the first three characters are not identical by preceding the Regex with a look ahead condition:
(?!^(.)\1\1)
(?! ) indicates a negative look ahead condition which does not consumes the characters.
^ indicates the beginning of the string
(.) catches the first character (you can use other character classes as well, e.g. use \S instead of . to block white space)
\1 and \1 represent two repetitions of the first character
Using another look ahead you can check the length, e.g. for minimum 8 characters according to profile parameter login/min_password_lng = 8:
(?=.{8,})(?= ) describes a positive look ahead condition.
At least one upper case letter (if profile parameter login/min_password_uppercase = 1):
(?=.*[A-Z])
At least one lower case letter (if profile parameter login/min_password_lowercase = 1):
(?=.*[a-z])
I assume, that we can skip a condition for profile parameter login/min_password_letters .
At least one digit (if profile parameter login/min_password_digits = 1):
(?=.*[0-9])
or
(?=.*\d)
At least one special character if profile parameter login/min_password_specials = 1 (see also login/password_charset 😞
(?=.*[\Q!"@$%&/()=?'`*+~#-_.,;:{[]}\<>\E])Some special character needs to be escaped: ^ - [ ] \ / giving \^ \- \[ \] \\ \/ if you escape them individually. However, it's better to use a special feature of the Java Regex Engine which is used by IDM using the \Q ... \E syntax.
You may add more special characters like §|\^´°€
Limitation: Using this simple method you cannot check for more than one character of a specific character class. However, you easily can repeat the pattern, e.g. to request two characters of specific characters class.
(?=.*[A-Z].*[A-Z])
We do not need to validate that the password cannot be PASS or SAP* because the minimal password length prohibits these passwords anyway.
The first character may not be an exclamation point (!) or a question mark (?😞
(?!^[!?])
At the very end of the Regex you simply use all characters respective all non-whitespace characters:
.*
or
\S*
Result combining all rules listed above (you can replace 8 with another number describing the minimal length and you can reduce the list of allowed special characters):
(?!^(.)\1\1)(?!^[!?])(?=.{8,})(?=.*[A-Z])(?=.*[a-z])(?=.*[\Q!"@$%&/()=?'`*+~#-_.,;:{[]}\<>\E])\S*You may add a ^ at the beginning and a $ at the end to indicate the beginning and ending of the input string.
Test Regex online
You can find Regex tester applications online:
http://www.regexplanet.com/advanced/java/index.html
or (with slightly different options and calculation rules)
https://regex101.com
http://regexpal.com
To experiment with such Regex testers use some tiny modifications which separate the input into words using \b instead of starting at the very beginning using ^ to allow testing various samples simultaneously:
\b(?!\b(.)\1\1)(?!^[!?])(?=.{8,})(?=.*[A-Z])(?=.*[a-z])(?=.*[\Q!"@$%&/()=?'`*+~#-_.,;:{[]}\<>\E])\S*Use the modifier g to show all matches.
Sample input:
?Abc@A6789
AAA
Ab34567
AAAb5678
ABC45678
abc456789
aBc#56789
Abc@A6789
A?bc@A6789
AAA#a456789
Ab34567890
Ab22222222
Abc#A67899990
References:
