How do I disallow user from changing passwords through su01?
Requirement: Authorization needs to be given to end-user to lock a particular user only. This has been done through pfcg and works perfectly for all the su01 options. User is not allowed to create/copy/delete users. He is able to lock and unlock too.
But the only thing is he is able to change the password too. How do I stop this? Is there any authorization?
Restrict Activity 05 in S_USER_GRP object to disallow password reset. Please note this will also impact lock and unlock functions.
How to set the SAP user password as unchangeable for all?
You can get rid of the "new password" button that is visible in transaction SU01.
Call transaction SE41
Under tab Subobjects
Field Status --> fill in 0020
Go into change mode and remove the button from the application toolbar.
This change should be done in development and then transported into your landscape.
Points for pondering:
A password is a private secret - supposed to be known only by the user him-/herself. For exactly that reason the system prompts the user to change the password if the password was set by an administrator (who then also knows the password) or when the password was generated (since then the password was not chosen by the user, as well).
That kind of password change (performed by the user) requires that the user is able to present a valid current password ("old password"). Only if the "old password" was validated successfully (s)he can set a "new password". No special authorization is required for that action.
That's different from the operation an user administrator performs (using SU01): the admin sets a new password - without being forced to know the current password. But that action requires user administration authorizations.
---
First of all, only security responsible persons should be able to change other user's passwords, not basis administrators. There should be a clear segregation between these two duties/teams. As a consequence, no basis admins should have access to SU01.
Secondly, as already pointed out, users should themselves be able to change their own passwords. If this is not desirable, for instance regarding specific training accounts where passwords should remain whatever is defined by the training responsible person), you can set the user type to S (Service). This will disable the request for the user to change his/her password upon first login after a password reset.
Of course, such accounts should be kept locked between training sessions and have new passwords attributed every time they're activated. Also, such accounts should be in segregated systems without any rfc-connectibility to other SAP environments (but this is another topic altogether).
To sum up:
- Password resets/master changes are handled by Security team.
- No SU01 for Basis admins (possibly except to handle RFC/system users in dev/sbx systems, but even this is disputable).
- Users can change their own passwords, but not those of anybody else.
0 Comments