Update of password for Lotus Notes' Interface

Soady, Phil phil.soady at sap.com
Thu Jul 3 08:27:38 EDT 2003


IDEA A) Why are the managers logging on to SAP directly?
Is it possible for your tool (.lsx) to connect directly and call
a BAPI to approve the invoice?
If so this user can be a background or service user.
Such users are exempt from the password change issue.
 
If not....
 
 
Solution B)
implement a true Single Sign On solution making direct logon to SAP unnecessary.
The way recommended by SAP. SAP uses this approach internally.
 
 
Solution C)
Change the security policy.
Why was it set to 30 days? Is 90 more appropriate?
Perhaps there was a reason it was set at 30.
(See SAP settings, login/password_expiration_time in RZ10)
 
Solution D)
Expose the entire security of the system by synchronising the
password, i.e. make a tool that has the power to call BAPI_USER_CHANGE
with a plain text password.
Be aware that anyone with a packet sniffer, or access to the user id that
is authorized to call BAPI_USER_CHANGE, or even the custom tool itself,
can change passwords at will. Therefore they can log on as anyone they like!
This approach is possible; it is NOT recommended by the SAP security group.
I actually built a tool to do this once.
Nearly got shot by our security group!
Solution C is only marginally better than D', which is to disable passwords.
If people don't like passwords, turn the feature off. Not really an option?
In other words, the business process/requirement to secure access to the system
is more important than the inconvenience of passwords.
 
 
IDEA E)
Point out to managers that don't like changing their password
that without SSO software, it is a necessary evil.
How much do they dislike changing their password?
How much pain does it cause? Put a $ figure on it.
Then price an SSO solution.
Use digital certificates and other things like
secure connections over the internet to help mount a business
case for SSO. Until then... c'est la vie?
 
 
 
 
 
 
Phil Soady
Senior Consultant
Business Technologies
SAP Australia
* : 0412 213 079
* : phil.soady at sap.com
 
 
 
 
 
-----Original Message-----
From: Christophe DArgembeau [mailto:christophe.dargembeau at dieteren.be]
Sent: Thursday, July 03, 2003 7:24 PM
To: SAP-WUG at MITVMA.MIT.EDU
Subject: Update of password for Lotus Notes' Interface
 
 
Hello,
 
I am implementing an invoice approval. We are on 4.6C and we use SAPForms to "upload" workitems into Lotus Notes. Each month, the SAP system asks users to change their password.
 
Is there a method or a tool to automatically change the password for the Lotus Notes interface? The managers are not used to computers and don't like to change their password in each application (SAP or not SAP).
 
Any help would be useful to me.
 
Thanks.
 
Kindest Regards,
 
Christophe d'Argembeau
Senior SAP Consultant
Computer Sciences Corporation
Belgium
 

