Updating SAP security policy to fix SAP & 3rd party Integration issue
One common business need is to integrate SAP applications with other applications (SAP and non-SAP applications). SAP applications integrates easily with other SAP applications without security issues. SAP applications integrates well with 3rd party applications as well but non-SAP applications may use different standards and policies, which can create integration issues. Lots of documentation available for 3rd party integrations, this blog focus on challenge faced if SAP system (S/4HANA) and 3rd party has different security policy related to password.
Challenge: SAP systems provides flexibility to have password policy of your choice, there is possibility to have minimum password length, number of letters, special characters etc. It always recommended to have strong password policy with combination of number, letters, special characters, upper case, lower case, and long password length etc.3rd party applications may not have such flexibilities and in some cases don’t have such strong password policies as well. For business need if you need to create RFC between SAP and 3rd party system with different password policy then 3rd system may not allow you to do that.
E.g. You want to create RFC between SAP S/4HANA with complex password policy and 3rd party system with weaker password policy(only numbers allowed in password) using SAP system user , 3rd party system may not let you use complex password with letters and special characters for RFC or for different password lengths can also create issue.
You have following options to handle this:
Option 1: Make stronger policy in 3rd party system and match to SAP system policy. This option seems good fit and It can work in some cases but not always because not all systems provide flexibility to update password policy.
Option 2: Update SAP profile parameters to make a weaker policy to match 3rd party system policy e.g. numeric only passwords. It does not make sense to change SAP profile parameters as it will impact all SAP users and will reduce security so it’s big no for this option.
Option 3: Most suitable option will be to not change any SAP profile parameter for Global password policy but adopt more tailored approach by creating one additional custom policy for required RFC or system users only.
This can achieve using transaction SECPOL. Following steps explains that how such tailored policy can be created and can be made applicable to certain users only.
- Go to transaction SECPOL and create new policy.
- Give name and short text for policy.
- Select the policy and go to Attributes.
- Select F4 to find available attributes and tailor the policy as per requirement.
- If you don’t maintain any attribute it will take default values for policy as shown below.
- Once attributes created, save the policy
- Next is to assign policy to user, go to transaction SU01 or SU10 for mass change and under Logon Data tab, in security policy field, enter policy name as save.
Policy will be immediately effective for the assigned user and you can test this by changing the password as per new policy.
Advantage of this tailored approach is this security policy overrides instance profile parameters and gives flexibility to certain users as it can be applicable to required users only so it will keep global password policy strong. It can be transported across landscape. It will be immediately effective and you need not to involve basis team for system restart.
Please feel free to provide your suggestions and comments.
Hello Uppdeep Singh Mann ,
thanks for your blogpost. I'm afraid your descriptions are not clear enough, at least for me. The Security Policy is applied to passwords maintained in the users' master data in SAP (stored in table USR02). It is not (!) applied for passwords maintained in the password field of a remote destination (stored in the SSFS).
Knowing this, your instructions are only applicable for interfaces where a third-party product initiates the connection to SAP, but not the other way around.
For connections from SAP to a third-party product, where the user and its credentials are maintained in the third-party product, no password policy is enforced at SAP-side. You can enter any kind of password in the remote destination.
Yes ,Its applicable where a third-party product initiates the connection not the other way around