Utilizing SAP Security Policies

This past week, I had a request from a client to change the password and login rules for a limited group of dialog users. Our client wanted the users to be set up with password rules that would allow for a four-digit number as the password and that would not expire after 90 days. SAP has recently introduced some new functionality through Identity Management, which makes this task not only possible, but relatively easy.

In order to create a security policy in SAP that can be assigned to a specific group of users, you must follow these steps (with pictures!):

1. Start the transaction for security policies (SECPOL)

2. In change mode, choose New Entries.

2-19-2014 2-36-34 PM

3. Enter a name in the Security Policy field and a description in the Short Text field.

2-19-2014 2-39-28 PM

4. Double-click the Attributes node.
5. Select the security policy, and double-click the Attributes node one more time. You can now assign attributes to the security policy.

2-19-2014 2-41-46 PM
6. Choose New Entries.
7. In the field Policy Attribute Name, enter, for example using the input help. a security policy attribute and, in the Attribute Value field, a value

.2-19-2014 2-46-34 PM


Possible value attributes include:

PASSWORD_LOCK_EXPIRATION: Automatic Expiration of Password Lock
PASSWORD_HISTORY_SIZE: Size of the Password History
PASSWORD_COMPLIANCE_TO_CURRENT_POLICY: Password Change After Rule Tightening
PASSWORD_CHANGE_INTERVAL: Interval for Regular Password Changes
PASSWORD_CHANGE_FOR_SSO: Password Change Req. for SSO Logons
MIN_PASSWORD_UPPERCASE: Minimum Number of Uppercase Letters
MIN_PASSWORD_SPECIALS: Minimum Number of Special Characters
MIN_PASSWORD_LOWERCASE: Minimum Number of Lowercase Letters
MIN_PASSWORD_LETTERS: Minimum Number of Letters
MIN_PASSWORD_LENGTH: Minimum Password Length
MIN_PASSWORD_DIGITS: Minimum Number of Digits
MIN_PASSWORD_DIFFERENCE: No. of Different Chars When Changing
MIN_PASSWORD_CHANGE_WAITTIME: Minimum Wait Time for Password Change
MAX_PASSWORD_IDLE_PRODUCTIVE: Validity of Unused Productive Passwords
MAX_PASSWORD_IDLE_INITIAL: Validity of Unused Initial Passwords
MAX_FAILED_PASSWORD_LOGON_ATTEMPTS: Maximum Number of Failed Attempts
DISABLE_TICKET_LOGON: Disable Ticket Logon
DISABLE_PASSWORD_LOGON: Disable Password Logon
CHECK_PASSWORD_BLACKLIST: Check the Password Blacklist

8. Save your entry. SAP will perform a consistency check to make sure there are no existing issues prior to saving. Any issues must be fixed before continuing.

9.Assign the users to the security policy via transactions SU01 or SU10.

2-19-2014 2-51-50 PM

Note: Security policies should be created in a development environment and transported through to production. Furthermore, each policy attribute has a range of possible values. For example, the maximum allowance for MIN_PASSWORD_CHANGE_WAITTIME is 1000 (days).

If you have yet to register for my SAP Career Advancement Webinar this Friday at 1pm EST, you could still register here.

Happy Hump Day!



P.S. I will be out of commission beginning in 2 weeks and through most the month of March. I’m spending two weeks in Europe (Barcelona, Prague and Paris) and the following week I’ll be traveling to Orlando for GRC 2014! If you forgive me for being MIA, I promise to come back with lots of fun tidbits for you to mull over.


4 thoughts on “Utilizing SAP Security Policies

    • Hi Peter!

      Thanks for the question. It is possible to see all the users designated for a particular security policy via transaction SUIM.
      Users > By Complex Selection Criteria > Additional Selection Criteria (near the bottom of the screen) > Security Policy

      I assume that the information can also be queried in table USR02. The field name is SECURITY_POLICY


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s