This blog will explain the use of security policies in user maintenance.
Questions that will be answered are:
- Why use security policies?
- How to set up security policies?
- How to assign a security policy to a user?
Why use security policies?
Security policies can be used to set stricter password rules on critical user IDs such as system administrators, user administrators and background users. This is one of the measures to counter password attacks, as explained in the password hash hacking blogs.
How to set up security policies?
Security policies can be set up in customizing under the following node (or by using transaction SECPOL):
On the next screen, create the needed security policies as definitions (identifier and description):
Select one of the policies to set its detailed attributes:
In this example the policy for ADMIN is set stricter than the system settings. Setting it less strict than the password rules set in the system profile is not allowed.
Assign security policy to user
In SU01, on the Logon Data tab, you can now assign the appropriate security policy to the user:
Unfortunately the Security Policy cannot be made a mandatory field. See OSS note 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification.
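Two checks a practitioner would want to script after reading the sections above: whether a policy is weaker than the profile baseline on any attribute (the rule SECPOL enforces), and which critical users still have no policy assigned. This is an added example, not code from the original blog; the attribute names follow SECPOL naming and the comments give the login/* profile parameter each one corresponds to, while the baseline values, policies and user rows are constructed sample data (user type B as system/background user and an ADMIN flag are assumptions of the sample).

```python
# Added example (not from the original blog): audit a SECPOL-style policy against the
# system profile baseline and report critical users that carry no policy.
# All numbers and users below are constructed sample data.

INF = float("inf")

# True: a higher value is stricter (minimum lengths/counts, history size).
# False: a lower value is stricter (intervals, allowed failures); 0 means "no limit".
HIGHER_IS_STRICTER = {
    "MIN_PASSWORD_LENGTH": True,                  # login/min_password_lng
    "MIN_PASSWORD_DIGITS": True,                  # login/min_password_digits
    "MIN_PASSWORD_SPECIALS": True,                # login/min_password_specials
    "PASSWORD_HISTORY_SIZE": True,                # login/password_history_size
    "PASSWORD_CHANGE_INTERVAL": False,            # login/password_expiration_time
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": False,  # login/fails_to_user_lock
}

SYSTEM_BASELINE = {  # constructed profile values
    "MIN_PASSWORD_LENGTH": 8, "MIN_PASSWORD_DIGITS": 1, "MIN_PASSWORD_SPECIALS": 0,
    "PASSWORD_HISTORY_SIZE": 5, "PASSWORD_CHANGE_INTERVAL": 90,
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 5,
}

def _norm(attr, value):
    """Treat 0 as 'no limit' for lower-is-stricter attributes so it compares as weakest."""
    return INF if (not HIGHER_IS_STRICTER[attr] and value == 0) else value

def weaker_attributes(policy, baseline=SYSTEM_BASELINE):
    """Attributes where the policy is less strict than the baseline (what SECPOL rejects)."""
    weaker = []
    for attr, higher_is_stricter in HIGHER_IS_STRICTER.items():
        if attr not in policy:
            continue  # attribute not set in the policy: nothing to compare
        p, b = _norm(attr, policy[attr]), _norm(attr, baseline[attr])
        if (p < b) if higher_is_stricter else (p > b):
            weaker.append(attr)
    return weaker

def critical_users_without_policy(users, critical_types=("B",)):
    """users: rows like a user-list export (BNAME, USTYP, SECURITY_POLICY, ADMIN flag).
    Critical = system/background user (assumed USTYP 'B') or flagged as administrator."""
    return sorted(u["BNAME"] for u in users
                  if (u["USTYP"] in critical_types or u.get("ADMIN"))
                  and not u.get("SECURITY_POLICY"))

# Constructed sample: ADMIN policy tightened as in the blog; BROKEN_POLICY relaxes two attributes.
ADMIN_POLICY = {"MIN_PASSWORD_LENGTH": 14, "MIN_PASSWORD_SPECIALS": 1,
                "PASSWORD_CHANGE_INTERVAL": 60, "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 3}
BROKEN_POLICY = {"MIN_PASSWORD_LENGTH": 6, "PASSWORD_CHANGE_INTERVAL": 0}
SAMPLE_USERS = [
    {"BNAME": "ADMIN01", "USTYP": "A", "ADMIN": True, "SECURITY_POLICY": "ADMIN"},
    {"BNAME": "ADMIN02", "USTYP": "A", "ADMIN": True, "SECURITY_POLICY": ""},
    {"BNAME": "BATCH_RFC", "USTYP": "B", "SECURITY_POLICY": ""},
    {"BNAME": "JSMITH", "USTYP": "A", "SECURITY_POLICY": ""},
]

if __name__ == "__main__":
    print("weaker than profile:", weaker_attributes(BROKEN_POLICY))
    print("critical users without policy:", critical_users_without_policy(SAMPLE_USERS))
```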
Different use case for security policies
There is a second use case for security policies: in newer NetWeaver releases you can set a parameter to lock out users for maintenance rather than locking them in SU01 or SU10. For more information, read this blog.
Background OSS notes
Relevant OSS notes:
- 2018918 – User-specific settings for password rules, password changes, and logon restrictions
- 2890297 – Assigning SECPOL policies as a mandatory field for user creation/modification –> the note says it cannot be done, but it can be achieved by building a transaction variant: see blog
- 3075533 – Login parameters (login/*) not effective with Security Policies