Password Policy Configuration Options
The Password Policy and Blacklist page in the SAP HANA cockpit and the Security editor in the SAP HANA studio allow you to view the password policy and to change its default configuration.
The password policy is defined by parameters in the password policy section of the indexserver.ini configuration file. The following sections describe these parameters, which correspond to the configuration options available in the SAP HANA cockpit and the SAP HANA studio.
Note
The password policy parameters for the system database of a multiple-container system are maintained in the nameserver.ini file, not the indexserver.ini file.
- Minimum Password Length
- Lowercase Letter / Uppercase Letter / Numerical Digit / Special Character Required
- Password Change Required on First Logon
- Number of Last Used Passwords That Cannot Be Reused
- Number of Allowed Failed Logon Attempts
- User Lock Time
- Minimum Password Lifetime
- Maximum Password Lifetime
- Lifetime of Initial Password
- Maximum Duration of User Inactivity
- Notification of Password Expiration
- Exempt SYSTEM User from Locking
- Detailed Error Information on Failed Logon
Minimum Password Length
The minimum number of characters that the password must contain
Parameter: minimal_password_length
Default Value: 8 (characters)
Additional Information: You must enter a value between 6 and 64.
UI Label: Minimum Password Length
http://helplegacy.sap.com/saphelp_hanaplatform/helpdata/en/61/662e3032ad4f8dbdb5063a21a7d706/content.htm#id_w5w_jkl_45 1/7
17/3/2017 Password Policy Configuration Options - SAP HANA Security Guide - SAP Library
Lowercase Letter / Uppercase Letter / Numerical Digit / Special Character Required
The character types that the password must contain; at least one character of each selected character type is required
Parameter: password_layout
Default Value: Aa1
Additional Information: The following character types are possible:
- Lowercase letter (a-z)
- Uppercase letter (A-Z)
- Numerical digits (0-9)
- Special characters (underscore (_), hyphen (-), and so on)
Any character that is not an uppercase letter, a lowercase letter, or a numerical digit is considered a special character.
The default configuration requires passwords to contain at least one uppercase letter, at least one number, and at least one lowercase letter, with special characters being optional.
Note
Passwords containing special characters other than underscore must be enclosed in double quotes ("). The SAP HANA studio does this automatically. When a password is enclosed in double quotes ("), any Unicode characters may be used.
Caution
The use of passwords enclosed in double quotes (") may cause logon issues depending on the client used. The SAP HANA studio, for example, supports passwords enclosed in double quotes ("), while the SAP HANA HDBSQL command line tool does not.
Note
If configuring this option in the indexserver.ini file using the password_layout parameter, you can use any specific letters, numbers and special characters, and the characters can be in any order. For example, the default value could also be represented by a1A, hQ5, or 9fG. If you want to enforce the use of at least one of each character type including special characters, you specify A1a_ or 2Bg?.
UI Labels: Lowercase Letter / Uppercase Letter / Numerical Digit / Special Character Required
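The following Python snippet is an added example (not SAP code) that applies the password_layout and minimal_password_length rules exactly as described above: the layout string is reduced to the set of character classes it contains, so Aa1, a1A, hQ5 and 9fG all require the same three classes, and A1a_ or 2Bg? additionally require a special character. It also reports whether a password would need double-quoting because it contains special characters other than underscore. The function and class names (check_password, PolicyResult, required_classes) are assumptions of this example.

```python
"""Evaluate a candidate password against SAP HANA password_layout and
minimal_password_length settings, as documented in the security guide.
Added example, not SAP's own implementation."""
from __future__ import annotations

from dataclasses import dataclass, field


def char_class(ch: str) -> str:
    """Classify a character as the guide does: anything that is not an
    uppercase letter, lowercase letter or digit counts as 'special'."""
    if "a" <= ch <= "z":
        return "lowercase"
    if "A" <= ch <= "Z":
        return "uppercase"
    if "0" <= ch <= "9":
        return "digit"
    return "special"


def required_classes(password_layout: str) -> set[str]:
    """The specific letters and their order in password_layout do not matter,
    only which character classes appear in it."""
    return {char_class(ch) for ch in password_layout}


@dataclass
class PolicyResult:
    ok: bool
    missing_classes: list[str] = field(default_factory=list)
    too_short: bool = False
    needs_quoting: bool = False  # specials other than '_' require "..." in SQL


def check_password(password: str, password_layout: str = "Aa1",
                   minimal_password_length: int = 8) -> PolicyResult:
    """Check one password against the two layout-related policy parameters.
    Defaults are the documented ones (Aa1, 8 characters)."""
    if not 6 <= minimal_password_length <= 64:
        raise ValueError("minimal_password_length must be between 6 and 64")
    present = {char_class(ch) for ch in password}
    missing = sorted(required_classes(password_layout) - present)
    too_short = len(password) < minimal_password_length
    needs_quoting = any(char_class(ch) == "special" and ch != "_"
                        for ch in password)
    return PolicyResult(ok=not missing and not too_short,
                        missing_classes=missing,
                        too_short=too_short,
                        needs_quoting=needs_quoting)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw, layout in [("Secret123", "Aa1"), ("secret123", "Aa1"),
                       ("Secret123", "A1a_"), ("Secret-123", "2Bg?")]:
        print(pw, layout, check_password(pw, layout))
```

Note that the check only covers the character-class rules on this page; the blacklist and the other policy parameters are enforced server-side and are not modelled here.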
Password Change Required on First Logon
Defines whether users have to change their initial passwords immediately the first time they log on
Parameter: force_first_password_change
Default Value: True
Additional Information: If this parameter is set to true, users can still log on with the initial password but every action they try to perform will return the error message that they must change their password.
If this parameter is set to false, users are not forced to change their initial password immediately the first time they log on. However, if a user does not change the password before the number of days specified in the parameter maximum_unused_initial_password_lifetime, then the password still expires and must be reset by a user administrator.
A user administrator (that is, a user with the system privilege USER ADMIN) can force a user to change his or her password at any time with the following SQL statement: ALTER USER <user_name> FORCE PASSWORD CHANGE
A user administrator can override this password policy setting for individual users (for example, technical users) with the following SQL statements:
CREATE USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]
ALTER USER <user_name> PASSWORD <password> [NO FORCE_FIRST_PASSWORD_CHANGE]
UI Label: Password Change Required on First Logon
Number of Last Used Passwords That Cannot Be Reused
The number of last used passwords that the user is not allowed to reuse when changing his or her current password
Parameter: last_used_passwords
Default Value: 5 (previous passwords)
Additional Information: If you enter the value 0, the user can reuse his or her old password.
UI Label: Number of Last Used Passwords That Cannot Be Reused
Number of Allowed Failed Logon Attempts
The maximum number of failed logon attempts that are possible; the user is locked as soon as this number is reached
Parameter: maximum_invalid_connect_attempts
Default Value: 6 (failed logon attempts)
Additional Information: You must enter a value of at least 1.
A user administrator can reset the number of invalid logon attempts with the following SQL statement: ALTER USER <user_name> RESET CONNECT ATTEMPTS
The first time a user logs on successfully after an invalid logon attempt, an entry is made in the INVALID_CONNECT_ATTEMPTS system view containing the following information:
- The number of invalid logon attempts since the last successful logon
- The time of the last successful logon
A user administrator can delete information about invalid logon attempts with the following SQL statement: ALTER USER <user_name> DROP CONNECT ATTEMPTS
Recommendation
Create an audit policy to log activity in the INVALID_CONNECT_ATTEMPTS system view. For example, create an audit policy that logs data query and manipulation statements executed on this view.
Note
Although this parameter is not valid for the SYSTEM user, the SYSTEM user will still be locked if the parameter password_lock_for_system_user is set to true. If password_lock_for_system_user is set to false, the SYSTEM user will not be locked regardless of the number of failed logon attempts.
UI Label: Number of Allowed Failed Logon Attempts
User Lock Time
The number of minutes for which a user is locked after the maximum number of failed logon attempts
Parameter: password_lock_time
Default Value: 1440 (minutes)
Additional Information: If you enter the value 0, the user is unlocked immediately. This disables the functionality of parameter maximum_invalid_connect_attempts.
A user administrator can reset the number of invalid logon attempts and reactivate the user account with the following SQL statement: ALTER USER <user_name> RESET CONNECT ATTEMPTS. It is also possible to reactivate the user in the user editor of the SAP HANA studio.
To lock a user indefinitely, enter the value -1. On the Password Policy and Blacklist page of the SAP HANA cockpit or in the Security editor of the SAP HANA studio, this corresponds to selecting the Lock User Indefinitely checkbox. The user remains locked until reactivated by a user administrator as described above.
UI Label: User Lock Time
Minimum Password Lifetime
The minimum number of days that must elapse before a user can change his or her password
Parameter: minimum_password_lifetime
Default Value: 1 (day)
Additional Information: If you enter the value 0, the password has no minimum lifetime.
UI Label: Minimum Password Lifetime
Maximum Password Lifetime
The number of days after which a user's password expires
Parameter: maximum_password_lifetime
Default Value: 182 (days)
Additional Information: You must enter a value of at least 1.
A user administrator can exclude users from this password check with the following SQL statement: ALTER USER <user_name> DISABLE PASSWORD LIFETIME. However, this is recommended only for technical users, not database users that correspond to real people.
A user administrator can re-enable the password lifetime check for a user with the following SQL statement: ALTER USER <user_name> ENABLE PASSWORD LIFETIME.
UI Label: Maximum Password Lifetime
Lifetime of Initial Password
The number of days for which the initial password or any password set by a user administrator for a user is valid
Parameter: maximum_unused_initial_password_lifetime
Default Value: 7 (days)
Additional Information: You must enter a value of at least 1.
If a user has not logged on using the initial password within the given period of time, the user will be deactivated until their password is reset.
Note
In SAP HANA 1.0 SPS 12 and earlier, this parameter was misspelled as maximum_unused_inital_password_lifetime. If this parameter had a user-specified value before upgrade, this value will be set as the value of the parameter maximum_unused_initial_password_lifetime. The misspelled parameter is unset and disappears from the custom configuration file.
UI Label: Lifetime of Initial Password
Maximum Duration of User Inactivity
The number of days after which a password expires if the user has not logged on
Parameter: maximum_unused_productive_password_lifetime
Default Value: 365 (days)
Additional Information: You must enter a value of at least 1.
If a user has not logged on within the given period of time using any authentication method, the user will be deactivated until their password is reset.
UI Label: Maximum Duration of User Inactivity
Notification of Password Expiration
The number of days before a password is due to expire that the user receives notification
Parameter: password_expire_warning_time
Default Value: 14 (days)
Additional Information: Notification is transmitted via the database client (ODBC or JDBC) and it is up to the client application to provide this information to the user.
If you enter the value 0, the user does not receive notification that his or her password is due to expire.
The system also monitors when user passwords are due to expire and issues a medium priority alert (check 62). This may be useful for technical database users since password expiration results in the user being locked, which may affect application availability. It is recommended that you disable the password lifetime check of technical users so that their password never expires. For more information about how to disable this check, see SAP Note 1991615.
UI Label: Notification of Password Expiration
Exempt SYSTEM User from Locking
Indicates whether or not the user SYSTEM is locked for the specified lock time (password_lock_time) after the maximum number of failed logon attempts (maximum_invalid_connect_attempts)
Parameter: password_lock_for_system_user
Default Value: true
UI Label: Exempt SYSTEM User from Locking
Detailed Error Information on Failed Logon
Indicates the detail level of error information returned when a logon attempt fails
Parameter: detailed_error_on_connect
Default Value: false
Additional Information: If set to false, only the information "authentication failed" is returned.
If set to true, the specific reason for the failed logon is returned:
- Invalid user or password
- User is locked
- Connect try is outside validity period
- User is deactivated
UI Label: Detailed Error Information on Failed Logon
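As an added example (not SAP tooling), the following Python script reads the [password_policy] section of an indexserver.ini, overlays it on the defaults documented in the sections above, checks the stated value constraints, and flags settings that weaken the controls this guide describes (password_lock_time=0 disabling the lock, last_used_passwords=0, SYSTEM exempt from locking, detailed logon errors, and so on). The ini text is constructed for the example, and the function and constant names (load_policy, audit_policy, DEFAULTS, RANGES) are assumptions of this example rather than anything SAP ships.

```python
"""Audit the [password_policy] section of an SAP HANA indexserver.ini
against the defaults and constraints stated in the security guide.
Added example, not SAP's own tooling."""
from __future__ import annotations

import configparser

# Documented default values for each parameter described in the guide.
DEFAULTS = {
    "minimal_password_length": "8",
    "password_layout": "Aa1",
    "force_first_password_change": "true",
    "last_used_passwords": "5",
    "maximum_invalid_connect_attempts": "6",
    "password_lock_time": "1440",
    "minimum_password_lifetime": "1",
    "maximum_password_lifetime": "182",
    "maximum_unused_initial_password_lifetime": "7",
    "maximum_unused_productive_password_lifetime": "365",
    "password_expire_warning_time": "14",
    "password_lock_for_system_user": "true",
    "detailed_error_on_connect": "false",
}

# Documented value constraints: (minimum, maximum or None for unbounded).
RANGES = {
    "minimal_password_length": (6, 64),
    "maximum_invalid_connect_attempts": (1, None),
    "maximum_password_lifetime": (1, None),
    "maximum_unused_initial_password_lifetime": (1, None),
    "maximum_unused_productive_password_lifetime": (1, None),
}


def load_policy(ini_text: str) -> dict[str, str]:
    """Effective policy: documented defaults overlaid with whatever the
    [password_policy] section sets (no section means all defaults)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    policy = dict(DEFAULTS)
    if cp.has_section("password_policy"):
        policy.update({k.lower(): v.strip()
                       for k, v in cp.items("password_policy")})
    return policy


def audit_policy(policy: dict[str, str]) -> list[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings: list[str] = []
    # Values the guide says are not permitted.
    for key, (lo, hi) in RANGES.items():
        val = int(policy[key])
        if val < lo or (hi is not None and val > hi):
            findings.append(f"{key}={val} is outside the allowed range")
    # Settings that switch off or weaken a documented control.
    if int(policy["password_lock_time"]) == 0:
        findings.append("password_lock_time=0 disables the lock after "
                        "maximum_invalid_connect_attempts is reached")
    if int(policy["last_used_passwords"]) == 0:
        findings.append("last_used_passwords=0 allows immediate password reuse")
    if policy["password_lock_for_system_user"].lower() == "false":
        findings.append("SYSTEM user is never locked on failed logon attempts")
    if policy["detailed_error_on_connect"].lower() == "true":
        findings.append("failed logons return the specific failure reason")
    if policy["force_first_password_change"].lower() == "false":
        findings.append("initial passwords need not be changed on first logon")
    if policy["password_expire_warning_time"] == "0":
        findings.append("users receive no warning before password expiry")
    if "maximum_unused_inital_password_lifetime" in policy:
        findings.append("pre-SPS 12 misspelled parameter is still present; "
                        "it is migrated and removed on upgrade")
    return findings


# Constructed sample of a customer ini with several weakened settings.
SAMPLE_INI = """\
[password_policy]
minimal_password_length = 5
password_lock_time = 0
password_lock_for_system_user = false
detailed_error_on_connect = true
"""

if __name__ == "__main__":
    for finding in audit_policy(load_policy(SAMPLE_INI)):
        print("FINDING:", finding)
```

For a multiple-container system, run the same audit over nameserver.ini for the system database, since that is where its password policy parameters live.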
Related Information
- Execute SQL Statements in SAP HANA Studio
- Create an Audit Policy
- SAP Note 1991615
COPYRIGHT BY SAP SE OR AN SAP AFFILIATE COMPANY. ALL RIGHTS RESERVED. PRINTED FROM SAP HELP PORTAL.