Use of security policies in user maintenance

This blog will explain the use of security policies in user maintenance.

Questions that will be answered are:

  • Why to use security policies?
  • How to setup security policies?
  • How to assign a security policy to a user?

Why to use security policies?

Security policies can be used to set more strict password rules on critical user ID’s like the system administrators, user administrators and background users. This is one of the measures to avoid password attacks as explained in the password hash hacking blogs.

How to setup security policies?

Security policies can be setup in customizing under the following node (or by using transaction SECPOL):

SPRO entry for security policies

On the next screen create the needed security polices as definition (identifier and description):

Create security policy

Select one of the policies, to set the detailed attributes per policy:

ADMIN security policy attributes

In this example the policy for ADMIN is set more strict than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.

Assign security policy to user

In SU01 on the tab Logon Data you can now assigned the appropriate Security Policy for the user:

Security policy assignment in user data

Unfortunately the Security Policy cannot be made a mandatory field. See OSS note 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification.

Different use case for security policies

There is a second use case for security policies: in the new netweaver releases you can set parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information read this blog.

Background OSS notes

Relevant OSS notes: