Hi Team,
Is there any way to find on which date the password was expired.
the parameter login/password_expiration_time value is showing as 0. But one RFC user password was expired in status which caused issues. So we are investigating in the way the, on which date the password was expired.
or
Is there any default period of expiration even though the parameter value is 0.
Thanks,
Sankar.
Hi Sankar
Did the RFC user got locked ?? or the password expired.
I was just wondering If value is 0, password should not expire..
If your RFC is communication type , it will have the same password policy as that of a dialog user,
login/password_expiration_time value.
Its not a gud practice to set the value to 0 for login/password_expiration_time value.
make the RFC user system. so that password never expires.
Cheers
Pavan M
Hello Sankar,
You can use transactio SUIM -> Change Documents to check the related user. It will show there when the user has its password expired.
Maybe the same information can be seen in table USR02 for BNAME = <user>.
I hope this helps.
Best Regards,
Guilherme de Oliveira
Thanks a lot.
Yes my user is Communicaiton user.
But my query is, is htere any way to find whne the user was expired / when the RFC is failed because of the password expiry.
Thanks,
Sankar.
Hi Laura,
You are welcome 
, have you tried automatic SU10 with SAPGUI scripting or SECATT ? I am familiar with your scenarios
Thanks and Regards,
Syam
Hi Sankar,
I had this issue in my new APO system, I think it is product error . But there is way for us to mitigate it as I have already mentioned earlier. If you find its not product error, but something configuration - do let me know.
Thanks and Regards,
Syam
To display the documentation for one of the parameters, choose Tools→CCMS→Configuration→Profile Maintenance (transaction RZ10),
Click Default in the profile . and click on Extended maintenance.
here you will see all the parameters and the values and u can specify the parameter name, and choose Display.On the following screen, choose the Documentation pushbutton.
Yes, there is some black magic in the statement itself.
You could call RFC_PING (physical connection test in SRFC) before you call RFCPING (application authentication test in SYST), but you don't have to. The CALL FUNCTION func DESTINATION statement has built in exceptions which it throws back to the calling program that either the server could not be reached or it was reached but failed to respond. You can catch those exceptions in addition to any exporting parameters from the FM itself. See transaction ABAPDOCU for the DESTINATION statement.
Cheers,
Julius
Pavan is on the right track with the user type, but has been brought off-track by the profile parameter which would appear to most likely be the cause.
Instead of login/password_expiration_time, check your login/password_downwards_compatibility. I bet my hat on it that this is now set to value 1, but at the time of creating the user and setting its password, this parameter did not exist or was set to 5.
What this means for the user is that it has a usr02-bcode value (old hash) but not a corresponding usr02-passcode value (new hash). The difference is that (contrary to what the documentation in Rz11 implies) for users of type SYSTEM and SERVICE, there is a passive tolerance for compatibility built into the login program.
-> the hashing and comparing of the PASSCODE value fails, and then for SYSTEM type users it also hashes and compares to BCODE and if they match then the login is successful. This passive tolerance is however not done for DIALOG and COMMUNICATION type users.
So.. to prevent you from being forced to reset the password (which might be in several connection data...), you can simply change the user type to SYSTEM.
Cheers,
Julius
Hi Carlina
it is not on follow-up action of an activity. I want to disable the CRM Sales Order (all assignment blocks in the Transaction overview page in CRM UI) based on status value selected in status field using CRM security objects.
Thanks
Chand
Hi Javier,
I'm not sure for how many users (why not all?) you need to set this up, but you can use wildcards (*) in the user name fields (see below).
Also, by default I think there are just 2 slots available for creating filters. You can use more if you adjust the rsau/selection_slots parameter.
Also, the rsau/user_selection parameter seems to be of advantage for you:
Defines the user selection method used inside kernel functions. Set this parameter to enable the use of ABAP patterns asterisk (*) for any character string, plus sign
for any single character, and number sign (#) to escape wildcards, spaces at the ends of strings, and such. Otherwise only asterisk (*) is a wildcard.
Note
To create an audit log for the user SAP*, you must enable generic user selection and escape the asterisk. Enter SAP#*.
see here for more info
Hi All,
We have a situation that a person could do all the changes needed for another person from portal but the same is not getting reflected in Back end R3 system. For example X is the manager of Y, in this case X could change Y's mail id, exit date, etc., from Portal without any issue but it is not getting reflected in the back end R3 system. The changed data is not being saved in back end. Can any one help me with this on what needs to be done. Thanks in advance !
Hi Arunkumar
if you can login in the backend with manager user details, try to repeat the activity and see if it works (if it doesn't, just run SU53 after the changes), otherwise trace with st01 (authorization flag only) the linked manager backend user and check the return codes
Let me know if you need further details
cheers
a
Hi,
it is possible with guiXT.
use google: Autologon SAP and there are tutorials how to do it.
it takes 5 minute.
Boris
Hi,
I've seen recently customers to implement CUA for same reasons as you stated. I just checked and the latest version supports relatively new attribute "Security Policy". I think it was introduced after stating CUA is in maintenance mode only. So it looks like there are still small changes.
Cheers
Hello Simon,
If you are talking about web access to the system then this scenario can be implemented when SAML 2.0 is used. For a web application which provides sensitive data you can either force re-authentication with a password or require specific SAML 2.0 authentication context means authentication method, e.g. PIN. In this case even the user is authenticated with the ABAP system when he navigates to such application he will be redirected to the SAML 2.0 identity provider (IDP) to re-authenticate, either with a password or with a PIN. If you are interested in further details let me know.
Regards,
Dimitar
P.S. SAP provides SAML 2.0 compliant IDP which can easily be extended to support any authentication method using JAAS login modules: http://scn.sap.com/community/netweaver-sso/blog/2013/02/28/competitive-advantages-of-sap-identity-provider. With the next SP of NW SSO we plan to support by default also authentication with time-based one-time passwords (TOTP) - http://tools.ietf.org/html/rfc4226.
Hi Hima
Why dont you guys use Su01d tcode for display
cheers
Thanks
Pavan M
Hi Pavan,
Thank you. But here the issue we have is with SU3 where some users need to change their own data and some users should not change their own data.So we need to restrict for some users only for display with tcode SU3 and it is not egtting restricted with display.
Hi Hima
Which own information or data does user's need to change ?? and why ?
If its for Time Zone, Decimal Notation, Parameters addition
It will be done security team right ??
For changing parameters , Su2 can be used.
Do you have the specific list of users , who should have access to Su3 ?? and who should not ?
Cheers
Pavan M
Hi Javier
How many IT users are there.
In general you can use wildcards * value in users for all users.
Set parameter rsau/selection_slots value to 10 ..
10 is maximum filters you can set
if you have IT guys less than 9 or 9, you can meet the requirement by selecting 10 filters. and you can use 1 slot for all the users (*)
Cheers
for any single character, and number sign (#) to escape wildcards, spaces at the ends of strings, and such. Otherwise only asterisk (*) is a wildcard.