Christina Köhler

Identity and Access Management / User Authentication (Part 3.2)

Risk

Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.

Control Description

Access is authenticated through unique user IDs and passwords or other methods as a mechanism for validating that users are authorized to gain access to the system. Password parameters meet company and/or industry standards (e.g., password minimum length and complexity, expiration, account lockout).

Background

SAP uses the Identity Authentication Service (IAS) to ensure that a person requesting access to SAP S/4HANA is authenticated before being let in. IAS supports single sign-on as well as two-factor authentication.

A user that exists only in IAS but not in the productive system, or vice versa, is uncritical: such a user either cannot authenticate to SAP S/4HANA at all or has no user in SAP S/4HANA and therefore no possibility to operate in it. For the IT audit it is therefore necessary to collect the user populations of both systems and analyze them together to determine the set of relevant users.
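The reconciliation described above, as an added example that is not part of the original post and not an SAP tool: two constructed CSV exports (one from IAS, one from the S/4HANA Cloud tenant, with assumed column names that a real export will not share) are loaded, user IDs are normalised, and the population is split into users present in both systems, only in IAS, and only in S/4HANA.

```python
"""Reconcile the IAS user population with the S/4HANA Cloud user population.

Added audit helper, not code from the original post or from SAP. The two CSV
exports below are constructed sample data; their column names (loginName,
UserName, ...) are assumptions and must be adapted to the real exports.
"""
import csv
import io

# Constructed sample export from the Identity Authentication service (assumed columns).
IAS_EXPORT = """\
loginName,status
jdoe,active
asmith,active
bjones,inactive
"""

# Constructed sample export of business users from the S/4HANA Cloud tenant (assumed columns).
S4_EXPORT = """\
UserName,Locked
JDOE,No
asmith,No
cmiller,No
 dwhite ,Yes
"""


def load_population(csv_text, key_column):
    """Return {normalised user id -> export row} for one system.

    IDs are compared case-insensitively with surrounding whitespace removed,
    because the two systems do not necessarily store them identically
    (jdoe vs JDOE above would otherwise look like two different people).
    The full row is kept so the auditor can still filter on status or lock flags.
    """
    population = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[key_column].strip().lower()
        if key:
            population[key] = row
    return population


def reconcile(ias, s4):
    """Split the two populations into the three sets the audit needs.

    both:     can authenticate via IAS and has a user in S/4HANA -> in scope
    ias_only: identity exists, but no S/4HANA user -> cannot operate in S/4HANA
    s4_only:  S/4HANA user without an identity in IAS -> cannot authenticate via IAS
    """
    ias_keys, s4_keys = set(ias), set(s4)
    return {
        "both": sorted(ias_keys & s4_keys),
        "ias_only": sorted(ias_keys - s4_keys),
        "s4_only": sorted(s4_keys - ias_keys),
    }


def in_scope_population():
    """Run the reconciliation on the constructed sample exports."""
    ias = load_population(IAS_EXPORT, "loginName")
    s4 = load_population(S4_EXPORT, "UserName")
    return reconcile(ias, s4)


if __name__ == "__main__":
    for bucket, users in in_scope_population().items():
        print(f"{bucket:9s} ({len(users)}): {', '.join(users)}")
```

The "both" set is the relevant population for the remaining tests of this control; the two other sets are worth keeping as evidence that they were considered, since an S/4HANA user without an IAS identity can reappear in scope as soon as an identity is created for it.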

Password Parameters

Passwords are still paramount for accessing most IT systems. Password parameters are configured in the so-called administration console for Identity Authentication, which is connected to all SAP S/4HANA Cloud systems a customer has (e.g. the Q and the P system). In the administration console an administrator assigns a password policy to each system. The console offers two standard password policies, which cannot be changed, and additionally allows a custom password policy to be created and assigned to the systems.

Note: It is not possible to assign individual password policies to users.

SAP offers three different options of password policies:

  • Standard: (predefined) default setting that meets minimum strength requirements
  • Enterprise: (predefined) enhanced password management features stronger than standard
  • Custom: (configurable) strongest password management features
    • Note: Only possible if a custom password policy has been configured in the administration console for Identity Authentication.

The following table (flattened here to one entry per requirement, with the value for the Standard, Enterprise and Custom policy) illustrates the corresponding policy requirements. Where only one value is given, it applies to all three policies.

Content of password (Standard, Enterprise and Custom)

  • Minimum length of 8 characters
  • Maximum length of 255 characters
  • Characters from at least three of the following four groups:
    • Lower-case characters (a-z)
    • Upper-case characters (A-Z)
    • Base 10 digits (0-9)
    • Non-alphabetic characters (!@#$%…)

Session time limit

Indicates when the current session expires.

  • Standard, Enterprise, Custom: 12 hours

“Remember me” option

Indicates whether the browser can store a cookie with the credentials.

  • Standard, Enterprise, Custom: Yes

Forgot password deactivation period

Indicates the period during which users can initiate the number of forgot password e-mails specified by the forgot password counter.

  • Standard, Enterprise, Custom: 24 hours

Forgot password counter

Indicates how many times a user can initiate forgot password e-mails during the deactivation period. For example, a user can initiate up to 3 forgot password e-mails within 24 hours.

  • Standard, Enterprise, Custom: 3

Minimum password age

Shows the minimum lifetime of a password before it can be changed.

  • Standard: No
  • Enterprise: Yes, 24 hours
  • Custom: Yes, minimum 1 hour, maximum 48 hours

Maximum failed logon attempts

Indicates how many logon attempts are allowed before the user password is locked.

  • Standard: Yes, 5
  • Enterprise: Yes, 5
  • Custom: Yes, minimum 1, maximum 5

Password locked period

Indicates how long a password is locked for.

  • Standard: Yes, 1 hour
  • Enterprise: Yes, 1 hour
  • Custom: Yes, minimum 1 hour, maximum 24 hours

Maximum password age

Shows the maximum lifetime of a password before it has to be changed.

  • Standard: No
  • Enterprise: Yes, 6 months
  • Custom: Yes, minimum 1 month, maximum 6 months

Password history

Indicates whether a password history is retained, and how many passwords from the history are retained.

  • Standard: No
  • Enterprise: Yes, the last 5 passwords are retained
  • Custom: Yes, between the last 5 and the last 20 passwords are retained

Maximum unused period

Indicates how long the system retains unused passwords for.

  • Standard: No
  • Enterprise: Yes, 6 months
  • Custom: Yes, minimum 1 month, maximum 6 months

Password behavior

Indicates whether the user can be forced to reset or change the password if the applied password policy requires a stronger password than the current one.

  • Standard: No
  • Enterprise: No
  • Custom: Yes, the administrator can choose between “Reset password” and “Change password”

The password policy can be defined either in IAS, where it applies to all users, or as an individual password policy that only applies to a certain user group. The two options are not mutually exclusive, but it has to be considered that the individual password policy overrules the parameters defined in IAS.

Note 1: Passwords for communication users do not expire.

Note 2: Browser auto logout can be configured for the Fiori Launchpad but is inactive by default. Moreover, browser sessions per user are not limited.
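The values in the table above can be turned into a simple audit check. The following Python example is added here and is not code from the original post or from SAP: it encodes the Enterprise policy (the one the post identifies as in line with the SAP Security Baseline) as a baseline, checks a policy taken from a tenant against it and against the ranges a Custom policy allows, and implements the shared password content rule. The parameter names, the dict layout, the constructed Custom policy and the conversion of one month to 30 days are assumptions for illustration; the policy values themselves have to be read from the administration console and entered by hand.

```python
"""Check an IAS password policy against the Enterprise policy from the table.

Added example for this post, not code from the original article or from SAP.
Parameter names and the dict layout are assumptions; the values come from the
table above (lock and minimum-age periods in hours, ages in days with one month
taken as 30 days). None stands for "No", i.e. the control is switched off.
"""

# Enterprise policy, which the post identifies as in line with the SAP Security Baseline.
ENTERPRISE = {
    "min_password_age_hours": 24,
    "max_failed_logon_attempts": 5,
    "password_locked_period_hours": 1,
    "max_password_age_days": 180,
    "password_history": 5,
    "max_unused_period_days": 180,
}

# Standard policy from the table: the two lockout controls only, everything else "No".
STANDARD_POLICY = {
    "min_password_age_hours": None,
    "max_failed_logon_attempts": 5,
    "password_locked_period_hours": 1,
    "max_password_age_days": None,
    "password_history": None,
    "max_unused_period_days": None,
}

# Constructed Custom policy as an administrator might have configured it (assumption).
CUSTOM_POLICY = {
    "min_password_age_hours": 1,
    "max_failed_logon_attempts": 3,
    "password_locked_period_hours": 4,
    "max_password_age_days": 90,
    "password_history": 10,
    "max_unused_period_days": 90,
}

# Per parameter: (lowest, highest) value a Custom policy allows according to the
# table, and whether a larger value means a stronger setting.
RULES = {
    "min_password_age_hours": (1, 48, True),
    "max_failed_logon_attempts": (1, 5, False),
    "password_locked_period_hours": (1, 24, True),
    "max_password_age_days": (30, 180, False),
    "password_history": (5, 20, True),
    "max_unused_period_days": (30, 180, False),
}


def check_policy(policy):
    """Return a list of findings; an empty list means at least Enterprise strength."""
    findings = []
    for name, (lowest, highest, higher_is_stronger) in RULES.items():
        baseline = ENTERPRISE[name]
        value = policy.get(name)
        if value is None:
            findings.append(f"{name}: control disabled, Enterprise requires {baseline}")
            continue
        if not lowest <= value <= highest:
            # A value outside the range cannot be set in the console; the export is suspect.
            findings.append(f"{name}: {value} outside the Custom range {lowest}-{highest}")
            continue
        weaker = value < baseline if higher_is_stronger else value > baseline
        if weaker:
            findings.append(f"{name}: {value} is weaker than Enterprise ({baseline})")
    return findings


def meets_content_rule(password):
    """Content rule shared by all three policies: 8 to 255 characters drawn from
    at least three of the four groups lower case, upper case, digit, non-alphanumeric."""
    if not 8 <= len(password) <= 255:
        return False
    groups = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(groups) >= 3


if __name__ == "__main__":
    for label, policy in (("Standard", STANDARD_POLICY), ("Custom", CUSTOM_POLICY)):
        print(label, check_policy(policy) or "meets Enterprise strength")
```

Run against the Standard policy the check reports exactly the four controls the table marks as "No"; against the constructed Custom policy it reports only the minimum password age, which is the one parameter a Custom policy can legitimately set below the Enterprise value. Maximum failed logon attempts, maximum password age and maximum unused period cannot be made weaker than Enterprise in a Custom policy, since Enterprise already sits at the weak end of the allowed range.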

 

How to obtain the population for the IT audit 

(Please remember that the process might change with later releases)

  • In case IAS is used directly

a) To identify which password policy is applied to the system in scope, navigate to Administrator Console > Applications and Resources > Applications. Select the relevant system and navigate to ‘Authentication and Access’. Under the section ‘Policies’, navigate to ‘Password Policy’. If ‘Enterprise’ is set, the pre-defined SAP password policy is in place, which is in line with the SAP Security Baseline.

b) To identify the policy details per password policy, navigate to Administrator Console > Applications and Resources > Policies.

  • In case IAS is forwarding to an external Identity Provider (IdP)

If IAS forwards the authentication requests to an external IdP:

a) Navigate to Administrator Console > Identity Providers > Corporate Identity Providers to determine which identity provider is configured for the SAP system (e.g. Microsoft AD or SAP Single Sign-On).

b) In addition, navigate to Administrator Console > Applications and Resources > Applications. Select the relevant system, navigate to ‘Trust’ and select ‘Conditional Authentication’.

 

Engage with us

To read all upcoming posts in this series, please follow the S4HANACloud audit tag we’ve created for this purpose.

Or contact us on LinkedIn.

 

Your feedback

Feel free to share your feedback and thoughts in the comment section below.

 

A big thank you to my colleagues for their collaboration and support

Matthias Ems (SAP) – Business Information Security Officer SAP S/4HANA and Chief Security Product Owner S/4HANA

With more than 20 years of experience in SAP Security, Auditing and Compliance, Matthias leads a team of Security Experts, responsible for Cloud Operations Security, Secure Development, Data Protection & Privacy and Security Attestation & Certification.

Florian Eller (SAP) – Product Management SAP S/4HANA Security

Florian has more than 15 years of experience working at SAP. For the past 8 years, his focus has been on application security.

Björn Brencher (SAP) – Chief Product Security Architect SAP S/4HANA

Björn has been working in the field of SAP security for more than two decades, with additional experience in SAP implementation and IT auditing.

Patrick Boch (SAP) – Product Management SAP S/4HANA Security

Patrick has 20 years’ experience of working with SAP, with a focus on SAP security for over a decade.

Heiko Jacob (Deloitte) – Partner Risk Advisory (IT & Specialized Assurance)

Heiko Jacob has more than 20 years of experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

Christina Köhler (Deloitte) – Senior Manager Risk Advisory (IT & Specialized Assurance)

Christina Köhler has more than 5 years of professional experience in the field of IT auditing and IT consulting, both in industry and with financial service providers.

 
