cancel
Showing results for 
Search instead for 
Did you mean: 

Automatically rotate passwords on service accounts

patrick_samame
Explorer
845

Hello

We have a requirement to automatically rotate passwords on service accounts every x number of days, for ABAP and possibly HANA db.

This includes service/system accounts used in RFCs (SM59).

This means the password manager would have to simultaneously update passwords in (at least):

- SM59 connections

- SU01 user master

- Connecting systems

Is it possible to use a PAM (Privileged Access Management) solution such as Thycotic for this requirement?

Is there a tool available to perform this function?

Starting with, but not limited to, S/4HANA 2020 FPS02.

Thanks

Patrick

View Entire Topic
Ulrich_Schmidt
Product and Topic Expert
Product and Topic Expert
0 Kudos

This looks like a complicated requirement... But I think, the SAP Business Connector would already have a number of tools that could be used for this.

On the SAP BC, you could create a custom script (Flow, Java, C) which does the following:

  1. Call BAPI_USER_CHANGE in the central system to change the password (SAP BC has the tools for calling RFCs with a few mouse-clicks)
  2. Loop over the list of connecting systems and in each system call RFC_MODIFY_R3_DESTINATION to update new password in SM59 destination
  3. I assume, changing the password in a database can be done via an SQL statement? In that case add a JDBC driver to your package and change PWD via SQL statement. (SAP BC has some tools to execute an SQL statement with a few mouse-clicks.)
  4. If the password needs to be updated in systems that allow pwd-updates via HTTP request, you can also add such an HTTP request to that script with a few mouse-clicks.

This script would then be added to the SAP BC job scheduler to execute every x days.

For more information on the SAP BC, see https://support.sap.com/sbc-download (Download) and https://support.sap.com/en/product/connectors/bc/details.html (Documentation).

patrick_samame
Explorer
0 Kudos

Thanks Ulrich.

We will review...

Wullum
Newcomer
0 Kudos
We have the same requirement to automatically rotate passwords on service accounts periodically, for ABAP and JAVA systems, and Oracle and HANA databases This also includes service/system accounts used in RFCs (SM59). This means the password manager would have to simultaneously update passwords in (at least): - SM59 connections - SU01 user master - Connecting systems (both internal systems and externally at partner firms) - we're talking about tens of thousands of service users in 500+ systems where each connection in each system uses it's own dedicated user, making it almost physically impossible to perform this manually. Is it possible to use a PAM (Privileged Access Management) solution or 3rd party tool for this requirement? Is there a SAP tool available to perform this function? SAP Business connector is mentioned, is any documentation concerning this topic available apart from https://support.sap.com/content/dam/support/en_us/library/ssp/products/connectors/bc/SBC_SecurityBes...?