Is it possible to define different password rules for different categories of users? Where and how are passwords managed in SAP?
How can these aspects be checked during an audit?
In SAP, user passwords reside in table USR02. They are stored in the fields BCODE, PASSCODE and PWDSALTEDHASH as hashes, not as reversibly encrypted values. Over the various SAP releases the password hashing algorithm has been updated several times.
In older releases the password hash is saved in the BCODE and PASSCODE fields; in the most recent releases it is saved in the PWDSALTEDHASH field.
The CODVN field records the version of the hashing algorithm used for that user record. The field may contain the following values:
In the SAP instance profile (viewable with report RSPFPAR, or parameter by parameter with transaction RZ11) the parameter login/password_hash_algorithm shows which hashing algorithm is used for newly set passwords. A related check is login/password_downwards_compatibility: if it is not 0, the system keeps the weaker BCODE/PASSCODE hashes alongside the salted hash, so an attacker with read access to USR02 can still attack the old formats.
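An auditor will usually get an export of USR02 (for example from SE16) rather than the running system. The following is an added example written for this article, not SAP code: it walks such an export and flags records that still carry a legacy hash, an unexpected algorithm tag or a low iteration count in PWDSALTEDHASH. The CODVN meanings it relies on are SAP's documented code versions (B/D/E hash into BCODE, F into PASSCODE, G into PASSCODE and BCODE, H into PWDSALTEDHASH only, I into all three for downward compatibility); the sample rows and the hash bytes are constructed.

```python
"""Audit of password hash storage in an export of SAP table USR02.

Added example for this article (not SAP code). Input rows are dicts with
the USR02 column names. The sample rows below are constructed and the
hash bytes are placeholders, not real hashes.
"""
import base64
import binascii
import re

LEGACY_ONLY = {"A", "B", "D", "E", "F", "G"}   # no salted hash stored at all
SALTED_PLUS_LEGACY = {"I"}                      # salted hash plus weak legacy hashes
SALTED_ONLY = {"H"}

# Layout of PWDSALTEDHASH, e.g. "{x-issha, 1024}<base64 of digest||salt>"
SALTED_RE = re.compile(r"^\{(?P<alg>[^,}]+),\s*(?P<iter>\d+)\}(?P<b64>[A-Za-z0-9+/=]+)$")


def check_user(row, expected_alg="x-issha", min_iterations=1024):
    """Return a list of finding strings for one USR02 row."""
    findings = []
    codvn = row.get("CODVN", "").strip()

    # 1. Code version: anything but H leaves an unsalted legacy hash around.
    if codvn in LEGACY_ONLY:
        findings.append(f"CODVN {codvn}: password stored only as unsalted legacy hash")
    elif codvn in SALTED_PLUS_LEGACY:
        findings.append(f"CODVN {codvn}: legacy hashes kept next to the salted one "
                        "(login/password_downwards_compatibility is not 0)")
    elif codvn not in SALTED_ONLY:
        findings.append(f"CODVN {codvn!r}: unknown code version, review manually")

    # 2. A populated legacy field is a finding regardless of CODVN.
    for field in ("BCODE", "PASSCODE"):
        if row.get(field, "").strip():
            findings.append(f"{field} populated: legacy hash available to anyone with table access")

    # 3. Salted hash present: verify algorithm tag, iteration count and that salt bytes follow the digest.
    salted = row.get("PWDSALTEDHASH", "").strip()
    if salted:
        m = SALTED_RE.match(salted)
        if not m:
            findings.append("PWDSALTEDHASH has unexpected layout")
        else:
            if m["alg"] != expected_alg:
                findings.append(f"PWDSALTEDHASH algorithm {m['alg']} differs from expected {expected_alg}")
            if int(m["iter"]) < min_iterations:
                findings.append(f"PWDSALTEDHASH iterations {m['iter']} below {min_iterations}")
            try:
                # SHA-1 digest is 20 bytes; anything beyond that is the salt.
                if len(base64.b64decode(m["b64"])) <= 20:
                    findings.append("PWDSALTEDHASH carries no salt bytes")
            except binascii.Error:
                findings.append("PWDSALTEDHASH base64 part does not decode")
    elif codvn in SALTED_ONLY | SALTED_PLUS_LEGACY:
        findings.append(f"CODVN {codvn} but PWDSALTEDHASH is empty: inconsistent record")
    return findings


def audit_usr02(rows, **kwargs):
    """Map user name -> findings for every row that has at least one."""
    result = {}
    for row in rows:
        f = check_user(row, **kwargs)
        if f:
            result[row["BNAME"]] = f
    return result


# Constructed sample rows: 20 placeholder digest bytes followed by 12 placeholder salt bytes.
_FAKE_B64 = base64.b64encode(b"\x11" * 20 + b"\x22" * 12).decode()
SAMPLE_ROWS = [
    {"BNAME": "ADMIN01", "CODVN": "H", "BCODE": "", "PASSCODE": "",
     "PWDSALTEDHASH": "{x-issha, 1024}" + _FAKE_B64},
    {"BNAME": "LEGACY01", "CODVN": "B", "BCODE": "0123456789ABCDEF", "PASSCODE": "",
     "PWDSALTEDHASH": ""},
    {"BNAME": "COMPAT01", "CODVN": "I", "BCODE": "0123456789ABCDEF",
     "PASSCODE": "0" * 40, "PWDSALTEDHASH": "{x-issha, 1024}" + _FAKE_B64},
    {"BNAME": "WEAK01", "CODVN": "H", "BCODE": "", "PASSCODE": "",
     "PWDSALTEDHASH": "{x-issha, 512}" + _FAKE_B64},
]

if __name__ == "__main__":
    for user, findings in audit_usr02(SAMPLE_ROWS).items():
        for f in findings:
            print(f"{user}: {f}")
```

The expected algorithm tag and minimum iteration count are parameters so the same check can be run against whatever login/password_hash_algorithm the system documents as its standard; users with no findings are simply absent from the result.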
Have you read the NIST publication SP 800-63B? NIST (National Institute of Standards and Technology) is an agency of the United States government that publishes, among other things, standards and guidelines on information technology.
Under those guidelines the obligation to change passwords periodically is no longer considered necessary; a change should instead be forced when there is evidence that the password has been compromised.
See also these tips: The Definitive Guide to Passwords in Your Organization
The Security Policy concept was introduced by SAP in SAP NetWeaver 7.0 Enhancement Package 3 (SAP_BASIS 7.03).
This function can be used for:
Security policies are defined through transaction SECPOL (Maintain Security Policies).
A security policy is a kind of "classification" of users: it allows exceptions to the global, system-wide password rules for the users assigned to it.
Using the instance profile parameters starting with login/ (listed with report RSPFPAR) you define how the system behaves when a password is created or changed by an administrator or a user. These are the global rules and apply to every user without a security policy.
In some cases, however, different rules are needed depending on the user. For example, for system administrators the password must be at least 15 characters, while for end users 10 characters are enough.
Once the classification (the policy) has been created, in its "Attributes" section you define the password complexity criteria that apply to that security policy. Any attribute not maintained in the policy falls back to the value of the corresponding login/ profile parameter, so a policy only needs to list the exceptions.
It has been given also the possibility of:
Once security policies are defined, they must be assigned to users. This is done directly in transaction SU01 (Logon Data tab, field Security Policy) or with mass-maintenance transactions such as SU10.
Through transaction S_YI3_39000082, also reachable from SUIM -> Where-Used List -> Security Policies -> Users, you can list the users with and without an assigned security policy.
SAP Note 2318872 (SU01 field Security Policy is not available in field mapping) describes how to make this field manageable in GRC Access Control Access Request Management as well.
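To make the precedence concrete, here is an added example written for this article, not SAP code: the global login/* parameters are the baseline, a security policy overrides only the attributes it maintains, and a candidate password is checked against the rules that result for a given user. The parameter and attribute names are the real SAP ones; the merge logic, the sample values and the user-to-policy assignments are constructed for the illustration (SAP performs these checks internally when a password is set).

```python
"""Effective password rules: global login/* parameters overridden by a security policy.

Added example for this article (not SAP code). Parameter and attribute names
are SAP's; the values, policies and assignments below are constructed.
"""

# Security-policy attribute -> the global profile parameter it overrides.
ATTRIBUTE_TO_PARAMETER = {
    "MIN_PASSWORD_LENGTH": "login/min_password_lng",
    "MIN_PASSWORD_DIGITS": "login/min_password_digits",
    "MIN_PASSWORD_LETTERS": "login/min_password_letters",
    "MIN_PASSWORD_UPPERCASE": "login/min_password_uppercase",
    "MIN_PASSWORD_LOWERCASE": "login/min_password_lowercase",
    "MIN_PASSWORD_SPECIALS": "login/min_password_specials",
    "PASSWORD_CHANGE_INTERVAL": "login/password_expiration_time",
    "MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": "login/fails_to_user_lock",
}


def effective_rules(profile, policies, user_policy):
    """Start from the global login/* values; each attribute maintained in the policy overrides its parameter."""
    rules = {attr: profile[param] for attr, param in ATTRIBUTE_TO_PARAMETER.items()}
    if user_policy is not None:
        rules.update(policies[user_policy])
    return rules


def check_password(password, rules):
    """Return the complexity attributes the candidate password violates, in attribute order."""
    counts = {
        "MIN_PASSWORD_LENGTH": len(password),
        "MIN_PASSWORD_DIGITS": sum(c.isdigit() for c in password),
        "MIN_PASSWORD_LETTERS": sum(c.isalpha() for c in password),
        "MIN_PASSWORD_UPPERCASE": sum(c.isupper() for c in password),
        "MIN_PASSWORD_LOWERCASE": sum(c.islower() for c in password),
        "MIN_PASSWORD_SPECIALS": sum(not c.isalnum() for c in password),
    }
    return [attr for attr, n in counts.items() if n < rules[attr]]


# Constructed global parameters (as RSPFPAR would list them) and two SECPOL policies.
PROFILE = {
    "login/min_password_lng": 10,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_uppercase": 0,
    "login/min_password_lowercase": 0,
    "login/min_password_specials": 0,
    "login/password_expiration_time": 0,
    "login/fails_to_user_lock": 5,
}
POLICIES = {
    # Administrators: longer password, mixed case and at least one special character.
    "ADMIN": {"MIN_PASSWORD_LENGTH": 15, "MIN_PASSWORD_UPPERCASE": 1,
              "MIN_PASSWORD_LOWERCASE": 1, "MIN_PASSWORD_SPECIALS": 1},
    # Technical users: stricter lockout, everything else inherited from the profile.
    "TECHNICAL": {"MAX_FAILED_PASSWORD_LOGON_ATTEMPTS": 3},
}
# Constructed SU01 assignments; None means no policy, so only the global parameters apply.
USER_POLICY = {"ADMIN01": "ADMIN", "RFC_GRC": "TECHNICAL", "ENDUSER01": None}


def violations_for(user, password):
    """Resolve the user's effective rules and check the candidate password against them."""
    return check_password(password, effective_rules(PROFILE, POLICIES, USER_POLICY[user]))


if __name__ == "__main__":
    for user, pw in [("ENDUSER01", "Winter2024"), ("ADMIN01", "Winter2024"),
                     ("ADMIN01", "Winter2024!Secure")]:
        print(user, pw, violations_for(user, pw) or "OK")
```

The same ten-character password is accepted for the end user and rejected for the administrator on two counts, which is exactly the behaviour the 15-versus-10 example above describes; the TECHNICAL policy shows that a policy can override a single attribute and inherit the rest.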
Security policies can also be used for operational system-management purposes, that is, to keep groups of users out of the system during maintenance windows or special periods, for example during upgrades or the accounting period-end closing.
A security policy contains an attribute called SERVER_LOGON_PRIVILEGE which allows logon to be restricted to certain users only. The attribute can have the following values:
External logons are, for example, RFC destinations. The corresponding instance profile parameter is login/server_logon_restriction; see also SAP Note 1891583 (Restricting logon to the application server).
SAP uses special utility users for some purposes, and these come with publicly known default passwords. Here they are:
Blog post originally translated from: https://www.aglea.com/blog/sap-password-policy