Updating SAP security policy to fix SAP & 3rd party Integration issue

One common business need is to integrate SAP applications with other applications (SAP and non-SAP applications). SAP applications integrates easily with other SAP applications without security issues. SAP applications integrates well with 3rd party applications as well but non-SAP applications may use different standards and policies, which can create integration issues. Lots of  documentation available for 3^rd party integrations, this blog focus on challenge faced if SAP system (S/4HANA) and 3^rd party has different security policy related to password.

Challenge: SAP systems provides flexibility to have password policy of your choice, there is possibility to have minimum password length, number of letters, special characters etc.  It always recommended to have strong password policy with combination of number, letters, special characters, upper case, lower case, and long password length etc.3^rd party applications may not have such flexibilities and in some cases don’t have such strong password policies as well. For business need if you need to create RFC between SAP and 3^rd party system with different password policy then 3^rd system may not allow you to do that.

E.g. You want to create RFC between SAP S/4HANA with complex password policy and 3^rd party system with weaker password policy(only numbers allowed in password) using SAP system user , 3^rd party system may not let you use complex password with letters and special characters for RFC or for different password lengths can also create issue.

You have following options to handle this:

Option 1: Make stronger policy in 3^rd party system and match to SAP system policy. This option seems good fit and It can work in some cases but not always because not all systems provide flexibility to update password policy.

Option 2: Update SAP profile parameters to make a weaker policy to match 3^rd party system policy e.g.   numeric only passwords. It does not make sense to change SAP profile parameters as it will impact all SAP users and will reduce security so it’s big no for this option.

Option 3: Most suitable option will be to not change any SAP profile parameter for Global password policy but adopt more tailored approach by creating one additional custom policy for required RFC or system users only.

This can achieve using transaction SECPOL. Following steps explains that how such tailored policy can be created and can be made applicable to certain users only.

1. Go to transaction SECPOL and create new policy.
2. Give name and short text for policy.
3. Select the policy and go to Attributes.
4. Select F4 to find available attributes and tailor the policy as per requirement.
5. If you don’t maintain any attribute it will take default values for policy as shown below.
6. Once attributes created, save the policy
7. Next is to assign policy to user, go to transaction SU01 or SU10 for mass change and under Logon Data tab, in security policy field, enter policy name as save.

Policy will be immediately effective for the assigned user and you can test this by changing the password as per new policy.

Advantage of this tailored approach is this security policy overrides instance profile parameters and gives flexibility to certain users as it can be applicable to required users only so it will keep global password policy strong. It can be transported across landscape. It will be immediately effective and you need not to involve basis team for system restart.

Please feel free to provide your suggestions and comments.