on 2008 Aug 21 12:38 PM
Hi,
I'm using BAPI_USER_CHANGE for resetting a user's pass.
The problem with this function is that it sets an initial pass => in the next logon the user will be prompted to change it.
Is there a way to change this behavior?
If not, do I have any other BAPI alternative?
tx a lot,
s.
Hi S.,
>in the next logon the user will be prompted to change it.
This is intentional for security reasons.
Best Regards,
Matt
Hi dev,
I did not have time the other day to post a more thorough answer, so let me please explain what I mean.
I understand your requirements. We hear this request often, so let me state some of our (SAP's) thoughts on this matter.
- We know about the issue that BAPI_USER_CHANGE offers no official way to set a productive password.
- SAP does not want to build a simple remote callable set-productive-password function - it would not match our security rules
See Note 376856. However, with the increased adoption of Identity Management solutions, in many cases the controlling entity for identities transfers to the IDM system (be it SAP NW IDM, IBM TIM, SUN IDM, or other). It is quite a common requirement for customers to have a central "change password" workflow/web page on top of an IDM solution which allows the IDM solution to call multiple connectors to set the identical passwords in several systems. Naturally there are far-reaching security impacts that customers need to be aware of.
That being said, the "identity management" is the task of an IDM system - but not the "identity validation" (here: "password authentication"). The "controlling entity" is still the backend system (validating the password, implementing its own password security policy). So, please do not mix up "Identity Manager" with "Identity Provider" (like SAML defines this system entity's role). An Identity Provider (IdP) is the central place where credential validation takes place - making "synchronization" obsolete.
Unfortunately, many people believe that password authentication is the one and only way of user authentication. So, they conclude that "Single Sign-On" (logon only once and then be able to use many service providers in a system landscape) would impose the requirement for "password synchronization". SSO does not impose this requirement, though.
There could be alternatives to set a productive password:
0) Wait until SAP offers an official API for setting productive passwords.
SAP position:
- SAP strategic solution is to work with single sign-on instead of distributing passwords. This could change in the future, though.
A) Call BAPI_USER_CHANGE to set a new random initial password. Then call SUSR_USER_CHANGE_PASSWORD_RFC using this password to set the new productive password.
SAP position:
We do not recommend it because there are several drawbacks and limitations. Examples:
- The central server does not know about the local password policy. It might happen that the 2nd step fails but the 1st step has already "destroyed" the old password of the user.
- The new password is transported as a normal function parameter field. Therefore, you would see the value in a trace or a dump.
Best Regards,
Matt
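The two-step approach in alternative A, written out as an added example so the drawback Matt lists (step 2 can fail after step 1 has already replaced the old password) is visible in code. This is editor-added code, not SAP's and not from the original post. It assumes an RFC callable with the shape of pyrfc's `Connection.call(func_name, **params)`, the interface `BAPI_USER_CHANGE` with `PASSWORD`/`PASSWORDX` structures carrying a `BAPIPWD` field and a `RETURN` table of `BAPIRET2`, and `SUSR_USER_CHANGE_PASSWORD_RFC` with `BNAME`, `PASSWORD` and `NEW_PASSWORD` imports; check both signatures in SE37 on your release before relying on them. `FakeRfc`, its users and its length-only password policy are constructed stand-ins so the orchestration runs offline; in production you would pass a real `pyrfc.Connection(...).call` instead.

```python
"""Two-step 'productive password' reset over RFC, with the failure mode made explicit.

Editor-added example. Function and parameter names are assumptions to be verified
in SE37; FakeRfc and its policy are constructed test doubles, not an SAP system.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Same call shape as pyrfc.Connection.call(func_name, **params) -> dict of exports.
RfcCall = Callable[..., dict]


@dataclass
class ResetOutcome:
    user: str
    productive: bool                 # True only if step 2 succeeded
    initial_password: Optional[str]  # set when step 1 succeeded but step 2 did not
    messages: List[str] = field(default_factory=list)


def generate_initial_password(length: int = 16) -> str:
    """Random initial password for step 1. Assumption: the target system's own
    password rules accept this alphabet and length; BAPI_USER_CHANGE checks them."""
    alphabet = string.ascii_letters + string.digits + "!$%&/()=?+-_"
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd)):
            return pwd


def _bapi_errors(ret: List[dict]) -> List[str]:
    """Collect E/A rows of a BAPIRET2 table as readable strings."""
    return [f"{r['TYPE']} {r.get('ID', '')}{r.get('NUMBER', '')}: {r.get('MESSAGE', '')}"
            for r in ret if r.get("TYPE") in ("E", "A")]


def set_productive_password(call: RfcCall, user: str, new_password: str) -> ResetOutcome:
    initial = generate_initial_password()
    # Step 1: set an *initial* password. From here on the user's old password is gone,
    # and a dialog logon with `initial` will force a password change.
    # Both passwords travel as plain RFC parameters: never log `params`, and run this
    # only over an SNC-protected connection.
    r1 = call("BAPI_USER_CHANGE", USERNAME=user,
              PASSWORD={"BAPIPWD": initial}, PASSWORDX={"BAPIPWD": "X"})
    errs = _bapi_errors(r1.get("RETURN", []))
    if errs:
        return ResetOutcome(user, False, None, errs)  # old password still intact
    # Step 2: authenticate with the initial password and set the productive one.
    # The caller cannot evaluate the target's local policy up front, so this is the
    # call that may reject `new_password` after step 1 already took effect.
    try:
        call("SUSR_USER_CHANGE_PASSWORD_RFC",
             BNAME=user, PASSWORD=initial, NEW_PASSWORD=new_password)
    except Exception as exc:  # pyrfc raises ABAPApplicationError for FM exceptions
        # Return the initial password: it is now the only credential that works for
        # this user and must be handed over out of band, or the account is stranded.
        return ResetOutcome(user, False, initial, [f"step 2 failed: {exc}"])
    return ResetOutcome(user, True, None)


class FakeRfc:
    """Constructed stand-in for the target SAP system (not a real RFC server).
    Stores one password per user, tracks the initial/productive flag, and enforces
    a minimum length as a toy local password policy."""

    def __init__(self, users: Dict[str, str], min_length: int) -> None:
        self.users = dict(users)                       # user -> current password
        self.initial_flag = {u: False for u in users}  # True = must change at logon
        self.min_length = min_length

    def call(self, func_name: str, **params) -> dict:
        if func_name == "BAPI_USER_CHANGE":
            user = params["USERNAME"]
            if user not in self.users:
                return {"RETURN": [{"TYPE": "E", "ID": "01", "NUMBER": "124",
                                    "MESSAGE": f"User {user} does not exist"}]}
            if params.get("PASSWORDX", {}).get("BAPIPWD") == "X":
                self.users[user] = params["PASSWORD"]["BAPIPWD"]
                self.initial_flag[user] = True
            return {"RETURN": [{"TYPE": "S", "MESSAGE": "User changed"}]}
        if func_name == "SUSR_USER_CHANGE_PASSWORD_RFC":
            user = params["BNAME"]
            if self.users.get(user) != params["PASSWORD"]:
                raise RuntimeError("current password does not match")
            if len(params["NEW_PASSWORD"]) < self.min_length:
                raise RuntimeError("new password violates local policy (too short)")
            self.users[user] = params["NEW_PASSWORD"]
            self.initial_flag[user] = False
            return {}
        raise RuntimeError(f"unknown function {func_name}")
```

Run it against `FakeRfc(users={"SMITH": "OldPw123"}, min_length=10)`: a policy-compliant new password ends with `productive=True`, while a too-short one leaves SMITH with a random initial password and the must-change flag set, which is exactly the state the central server has to detect and report rather than treat as a plain failure.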