SAP Security Concepts
Starting reports
In the SAP system, passwords are locked when the maximum number of allowed password login errors is reached. This counter is reset with a password each time you successfully log in. In addition, an initial password can be locked when its validity has expired. Both the validity of the initial password and the maximum value for password login errors are set using profile parameters. For details, see Tip 4, "Set password parameters and valid passwords characters". A password lock only prevents a user from logging in via his password, because the number of errors is only evaluated if the login is done by password. If a login is now made via other authentication methods (such as SSO), these are not affected by the password lock. This also applies to internal expiration procedures (such as background jobs) because you do not need to register a password. This prevents, for example, denial-of-service attacks, which first cause a password to be locked in order to block internal processes. Eine Ausnahme von dieser Regel gibt es allerdings: Auch wenn andere Authentifizierungsverfahren genutzt werden, prüft das System, ob der Benutzer dazu in der Lage ist, sich mit einem Passwort anzumelden. Wenn dies der Fall ist und das Passwort gerade geändert werden muss, wird diese Änderung vom Benutzer abgefragt. Diese Abfrage können Sie aber auch mithilfe des Profilparameters login/password_change_for_SSO ausschalten.
Access to this data is critical, since the hash values can possibly be decrypted using tools, thus enabling unauthorized logon to the SAP system. Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems. The current or former hash values of the passwords are stored in the tables USR02, USH02, USRPWDHISTORY, USH02_ARC_TMP, VUSER001 and VUSR02_PWD. These tables can be accessed either via classic table access transactions such as SE16 or via database administration transactions such as DBACOCKPIT. The authorizations required for table access via database tools depend on the respective system configuration and should be verified via an authorization trace (transaction STAUTHTRACE), if necessary.
What are the advantages of SAP authorizations?
If you use configuration validation, we still recommend that you use the AGS Security Services, such as the EarlyWatch Alerts and SAP Security Optimisation Services, which we describe in Tip 93, "AGS Security Services." SAP keeps the specifications and recommendations in the AGS Security Services up to date and adapts them to new attack methods and security specifications. If you have identified new security issues within a security service, you can set your target systems accordingly and monitor these aspects in the future.
Increasingly, it is possible to make use of automation in the security environment. Although these are not yet used by many companies, they are the next step in digital transformation. By using automation intelligently, companies can free up resources for the innovation topics that really matter. In the future, we can expect both the number and power of automation tools to increase. It is therefore only a matter of time before SAP itself also delivers optimized support in the form of tools as standard.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
The permissions on database objects show you the details of the user's permissions to access the object.
Add or change the permissions, the Maintenance Status changes to either Care or Changed.