User Authentication and Management

If an unauthorized user can access SAP system under a known authorized user and can make configuration changes and manipulate system configuration and key policies. If an authorized user has access to important data and information of a system, then that user can also access other critical information as well. This enhances the use of secure authentication to protect the Availability, Integrity and Privacy of a User System.

Authentication Mechanism in a SAP System

Authentication mechanism defines the way you access your SAP system. There are various authentication methods that are provided −

  • User Id’s and user management tools
  • Secure Network Communication
  • SAP Logon Tickets
  • X.509 Client Certificates

User ID’s and User Management Tools

Most common method of authentication in a SAP system is by using the username and password to login. The User ID’s to login are created by the SAP Administrator. To provide secure authentication mechanism via the username and password, there is a need to define password policies that doesn’t allow users to set easy predicted password.

SAP provides various default parameters that you should set to define password policies- password length, password complexity, default password change, etc

User Id

User Management Tools in a SAP System

SAP NetWeaver System provides various user management tools that can be used to effectively manage users in your environment. They provide very strong authentication method for both type of NetWeaver Application servers – Java and ABAP.

Some of the most common User Management Tools are −

User Management for ABAP Application Server (Transaction Code: SU01)

You can use user management Transaction-Code SU01 to maintain users in your ABAP based Application Servers.

User management Tool

SAP NetWeaver Identity Management

You can use SAP NetWeaver Identity Management for user management as well as for managing roles and role assignments in your SAP environment.

Display Identity

PFCG Roles

You can use profile generator PFCG to create roles and assign authorizations to users in ABAP based systems.

Transaction Code − PFCG

Show Documentation

Central User Administration

You can use CUA to maintain users for multiple ABAP-based systems. You can also sync it with your directory servers. Using this tool, you can manage all the user master record centrally from the client of the system.

Transaction Code − SCUA and create distribution model.

Central User Administration

User Management Engine UME

You can use UME roles to control the user authorization in the system. An administrator can use actions which represent the smallest entity of UME role that a user can use to build access rights.

You can open UME administration console using SAP NetWeaver Administrator option.

Password Policy

A password policy is defined as a set of instructions that a user must follow to improve system security by using strong passwords and by using them properly. In many organizations, password policy is shared as a part of security awareness training and it is mandatory for users to maintain the policy for security of critical systems and information in an organization.

Using password policy in a SAP system, an administrator can setup system users to deploy strong passwords that are not easy to break. This also helps to change the password at the regular time intervals for system security.

The following password policies are commonly used in a SAP System −

Default/Initial Password Change

This allows the users to change the initial password immediately when used for the first time.

Password Length

In a SAP system, the minimum length for passwords in SAP Systems is 3 by default. This value can be changed using profile parameter and maximum length that is allowed is 8.

Transaction Code − RZ11

Parameter Name − login/min_password_lng

Maintain Profile Parameters

You can click on documentation of the profile parameter for this policy and you can see the detailed documentation as from SAP as follows −

Performance Assistant

Parameter − login/min_password_lng

Short text − Minimum password length

Parameter Description − This parameter specifies the minimum length of the logon password. The password must have at least three characters. However, the administrator can specify a greater minimum length. This setting applies when new passwords are assigned and when existing passwords are changed or reset.

Application Area − Logon

Parameter Unit − Number of characters (alphanumeric)

Default Value − 6

Who is permitted to make changes? Customer

Operating System Restrictions − None

Database System Restrictions − None

Illegal Passwords

You cannot select the first character of any password as a question mark (?) or an exclamation mark (!). You can also add the other characters that you want to restrict in the illegal password table.

Transaction Code − SM30 Table Name: USR40.

Illegal Passwords

Once you enter the table − USR40 and click on Display at the top, it will show you the list of all the impermissible passwords.

Impermissible Passwords

Once you click on New Entries, you can enter the new values to this table and also select the case sensitive check box.

Case Sensitive Check Box

Password Pattern

You can also set that the first three characters of the password cannot appear in the same order as part of the user name. Different password patterns that can be restricted using password policy include −

  • The first three characters cannot all be the same.
  • The first three characters cannot include space characters.
  • The password cannot be PASS or SAP.

Password Change

In this policy, a user can be allowed to change his or her password almost once a day, but an administrator can reset a user’s password as often as necessary.

A user shouldn’t be allowed to reuse the last five passwords. However, an administrator can reset the password that is used by a user previously.

Profile Parameters

There are different profile parameters that you can define in a SAP system for user management and password policy.

In a SAP system, you can display the documentation for each profile parameter by going to Tools → CCMS → Configuration →Profile Maintenance(Transaction: RZ11). Enter the parameter name and click on Display.

Profile Parameters

In the next window that shows up, you must enter the parameter name, you can see 2 options −

Display − To display the value of parameters in SAP system.

Display Docu − To display SAP documentation for that parameter.

Display Document

When you click on the Display button, you will be moved to Maintain Profile Parameter screen. You can see the following details −

  • Name
  • Type
  • Selection Criteria
  • Parameter Group
  • Parameter Description and many more

At the bottom, you have current value of parameter login/min_password_lng

Current Value Of Parameter

When you click on Display Doc option, it will display SAP documentation for the parameter.

SAP documentation for the parameter

Parameter Description

This parameter specifies the minimum length of the logon password. The password must have at least three characters. However, the administrator can specify a greater minimum length. This setting applies when new passwords are assigned and when existing passwords are changed or reset.

Each parameter has a default value, permitted value as below −

Parameter Description

There are different password parameters in a SAP system. You can enter each parameter in the RZ11 transaction and can view the documentation.

  • login/min_password_diff
  • login/min_password_digits
  • login/min_password_letters
  • login/min_password_specials
  • login/min_password_lowercase
  • login/min_password_uppercase
  • login/disable_password_logon
  • login/password_charset
  • login/password_downwards_compatibility
  • login/password_compliance_to_current_policy

To change the Parameter value, run Transaction RZ10 and select the Profile as shown below −

  • Multiple application servers − Use DEFAULT profile.

  • Single Application servers − Use Instance Profile.

Select Extended Maintenance and click Display.

Edit Profiles

Select the parameter that you want to change and click on Parameter at the top.


When you click on the Parameter tab, you can change the value of parameter in new window. You can also create the new parameter by clicking on Create (F5).

You can also see the status of the parameter in this window. Type the parameter value and click on Copy.

Copy Button

You will be prompted to save when you exit the screen. Click on Yes to save the parameter value.

parameter value