topic Re: Password never expires - for selective ECC users in Application Development and Automation Discussions

Password never expires - for selective ECC users

Former Member — Thu, 14 Apr 2011 06:24:01 GMT

Dear Sir/Madam,

We have ECC integrated with EP, and users through EP server access cProjects applications of ECC server. EP users are integrated with our company Active Directory and hence have Windows password. Since the user accesses cProjects too in ECC, the same user id is created in ECC with a different SAP password.

Now, security policies are implemented in ECC server with the maximum password age as 2 months. Hence the Portal user has to change his ECC password every 2 months. Portal Users now have to change and remember 2 passwords viz. one the AD and second the SAP password.

Is there any mechanism by which the ECC password can be u2018NEVER EXPIRESu2019 for selective Portal users, so that they seamlessly enter cProjects without bothering to change it every 2 months? Balance ECC users should have the 2 months limit set.

Pl. respond at the earliest, how we can set this up?

Thanks in advance

Re: Password never expires - for selective ECC users

mvoros — Thu, 14 Apr 2011 06:42:44 GMT

Hi,

I assume that you have SSO between portal and ECC. You can use paramter login/password_change_for_SSO to stop showing dialog box for password change if user is authenticated via non password method. In this case it should be SSO ticket from portal. If your portal users don't need to log on to ECC directly then you can disable password for them. Check paramters login/password_logon_usergroup and login/disable_password_logon.

Cheers

Re: Password never expires - for selective ECC users

tim_alsop — Thu, 14 Apr 2011 06:51:17 GMT

You can also setup SNC authentication using Kerberos library on your ECC system, so that SAP passwords are not used anymore. Instead, Active Directory authentication can be used. Then, SAP passwords will be deactivated as they are not used anymore.

Re: Password never expires - for selective ECC users

Former Member — Thu, 14 Apr 2011 07:37:05 GMT


> Is there any mechanism by which the ECC password can be u2018NEVER EXPIRESu2019 for selective Portal users,  so that they seamlessly enter cProjects without bothering to change it every 2 months? Balance ECC users should have the 2 months limit set.> 
> M

Considering that you need to stop password expiry only for selective users in ECC, I dont think login/password_change_for_sso will work- this paramter will affect all users on the system.

Solution could be for you to 'de-activate' password for the selected portal users in ECC. Do this only if you are sure those portal users will not need to login through GUI OR they have SSO enabled for any GUI login they need.

An important consideration here is whether your users generally use SSO to login to ECC(GUI)? If so, why do you need the password expiry at all? The paramter setting like Martin suggests could work easily, if you are using SSO that is.

Soumya

Re: Password never expires - for selective ECC users

Former Member — Fri, 15 Apr 2011 08:59:00 GMT

Hi,

To test the portal user access for Cprojects,and test the password requirement by portal, we created a user in ECC and portal without giving any password (i.e we deactivated the password of the user in ECC) and tried to access with portal but we were not able to see the Cprojects as it required ECC logon details (i.e password of the ECC) which we deactivated. Kindly suggest a solution for this.

Thanks and Regards.

Basistechie.

Re: Password never expires - for selective ECC users

Former Member — Fri, 15 Apr 2011 10:13:27 GMT

Hi, I dont think that currently its feasible (by standard settings) to keep the password of only some dialog users from expiring....if user credentials are getting checked while connecting to ECC then it means SAP expects those users to have passwords maintained....

I have seen a system where we had a custom code which works like this though... they classified all their 'special dialog users' into one user group ... wrote a report which will prompt all dialog users to change password every 45/90 days (as u like it).. in this report users belonging to your special user group was exempted...So that way system will never bother them....Also in such scenario I think the system parameters for password change were not put into use.

Soumya

Re: Password never expires - for selective ECC users

Former Member — Fri, 15 Apr 2011 11:06:54 GMT

Thanks, Martin.

Your suggestions proved to be valuable. Since our portal users did not have aneed to log on to ECC directly hence we deactivated their ECC password.

Since the SSO between EP and ECC is present, now when the EP user logs in with his Windows password, then on clicking cProjects option, the system directly takes him to cProjects screen. It is working fine.

Also some users wanted to access SAPGUI directly. We had a role which had a iView showing the R/3 screens. On giving this role access in EP to user, he was also able to login to R/3 though his R/3 password was deactivated.

Thanks once again. You made my day.

I have asked users to do thorough testing.

Regards