Identity and Access Management / User Authentication (Part 3.1)
Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that user are authorized to gain access to the system. Password parameters meet company and/or industry standards (e.g., password minimum length and complexity, expiration, account lockout).
SAP uses the Identity Authentication Service (IAS) to ensure that the person requesting access to SAP S/4HANA is authenticated to do so. IAS supports single sign-on as well as two factor authentication.
A user that is only created in the IAS but not in the productive system and vice versa is uncritical as he or she can either not access SAP S/4HANA or has no possibility to operate in SAP S/4HANA. Therefore, within the IT audit, it is necessary to collect and analyze populations of both systems to determine the set of relevant users.
Passwords are still paramount for accessing most IT systems. Password parameters are configured in the so-called administrator console, which is connected to all the different SAP S/4 HANA cloud systems a customer has (e.g. the Q and the P system). In the administrator console, one of the administrators can assign a password policy to each system. Furthermore, this administrator console shows two standard password policies which cannot be changed, but also offers the ability to create a custom password policy which can be assigned to the systems.
Note: It is not possible to assign individual password policies to users.
SAP offers three different options of password policies:
- Standard: (predefined) default setting that meets minimum strength requirements
- Enterprise: (predefined) enhanced password management features stronger than standard
- Custom: (configurable) strongest password management features
- Note: Only possible if a custom password policy has been configured in the administration console for Identity Authentication.
The following table illustrates the corresponding policy requirements:
|Content of password||
· Minimum length of 8 characters;
· Maximum length of 255 characters;
· Characters from at least three of the following groups:
o Lower-case characters (a-z);
o Upper-case characters (A-Z);
o Base 10 digits (0-9);
o Non-alphabetic characters (!@#$%…);
Session time limit
Indicates when the current session expires.
“Remember me” option
Indicates whether the browser can store a cookie with the credentials.
Forgot password deactivation period
Indicates the period during which users can initiate the number of forgot password e-mails specified by the forgot password counter.
Forgot password counter
Indicates how many times a user can initiate forgot password e-mails during the deactivation period. For example, a user can initiate up to 3 forgot password e-mails within 24 hours.
Minimum password age
Shows the minimum lifetime of a password before it can be changed.
|No||Yes, 24 hours||Yes, minimum 1 hour, maximum 48 hours|
Maximum failed logon attempts
Indicates how many logon attempts are allowed before the user password is locked.
|Yes, 5||Yes, 5||Yes, minimum 1, maximum 5|
Password locked period
Indicates how long a password is locked for.
|Yes, 1 hour||Yes, 1 hour||Yes, minimum 1 hour, maximum 24 hours|
Maximum password age
Shows the maximum lifetime of a password before it has to be changed.
|No||Yes, 6 months||Yes, minimum 1 month, maximum 6 months|
Indicates whether a password history is retained, and how many passwords from the history are retained.
|No||Yes, the last 5 passwords are retained.||Yes, minimum the last 5 passwords, and maximum the last 20 passwords are retained.|
Maximum unused period
Indicates how long the system retains unused passwords for.
|No||Yes, 6 months||Yes, minimum 1 month, maximum 6 months|
Indicates possibility to force the user to reset or change password if the applied password policy requires stronger password than the current one.
|No||No||Yes, administrator can choose from:
The security policy can be defined either via IAS, which is a setting that applies to all users, or via an individual password policy only applying to a certain user group. The two options are non-exclusive but it has to be considered that the individual password policy overrules the defined parameters in IAS.
Note 1: Passwords for communication users do not expire.
Note 2: Browser auto logout can be configured for Fiori Launchpad but is set to inactive per default. Moreover, there is no limit to a browser session per user.
How to obtain the population for the IT audit
(Please remember that the process might change with later releases)
- In Case IAS is used directly
a) To identify which password policy is applied to the system in scope, navigate to Administrator Console> Applications and Resources > Applications. Select the relevant system and navigate to ‘Authentication and Access’. Under the section ‘Policies’, navigate to ‘Password Policy’. In case ‘Enterprise’ is defined, the pre-defined SAP password policy is in place which is in line with the SAP Security Baseline.
b) To identify the policy details per password policy navigate to Administrator Console> Applications and Resources > Policies.
- In case IAS is forwarding to external Identity Provider (IdP)
If the IAS is forwarding the authentication requests to an external IdP:
a) Navigate to Administrator Console> Identity Providers> Corporate Identity Providers, to determine which identity provider is configured in the SAP system (e.g. Microsoft AD or SAP Single Sign-On).
b) In addition navigate to Administrator Console> Applications and Resources > Applications. Select the relevant system and navigate to ‘Trust’ & select ‘Conditional Authentication’.
Engage with us
To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.”
Or contact us on LinkedIn.
Feel free to share your feedback and thoughts in the comment section below.
A big thank you to my colleagues for their collaboration and support
Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA
With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.
Florian Eller (SAP) – Product Management SAP S/4HANA Security
Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.
Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA
Bjoern is working in the field of SAP security for more than 2 decades with additional experience in SAP implementation and IT auditing.
Patrick Boch (SAP) – Product Management SAP S/4HANA Security
Patrick has 20 years experience of working with SAP, with a focus on SAP security for over a decade.
Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)
Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.
Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)
Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.