Good Morning All,
Below is a list of the Instance Profile Parameters related to security and their associated definitions that I have been able to find.
Eventually I want to have a comprehensive listing which can be added to the community library as a word document.
Instance Parameters
For Passwords
Login/min_password_lng
This parameter defines the minimum password length. The default is three characters, but this value can be set from three to eight characters.
Login/min_password_digits
Controls the minimum number of digits in a password. Possible entries: 0-40
Login/min_password_letters
Controls the minimum number of letters in a password. Possible entries: 0-40
Login/min_password_specials
Controls the minimum number of special characters in a password, such as !"@ $%&/()=?'`*+~#-_.,;:{[]}<>| and space.
Possible entries: 0-40
Login/min_password_lowercase
Controls the minimum number of lower-case letters in a password.
Possible entries: 0-40
Login/min_password_uppercase
Controls the minimum number of upper-case letters in a password.
Possible entries: 0-40
Login/min_password_diff
Controls the number of characters that have to be different from the previous password.
Possible entries: 1-40
Login/password_charset
0 – restrictive. Only letters, digits and the following special characters are allowed in a password: !"@ $%&/()=?'`*+~#-_.,;:{[]}<>| and space.
1 – downwards compatible. The password may consist of various characters. All characters apart from those listed above are stored as one special character and therefore cannot be differentiated.
2 – not downwards compatible. The password may consist of any character and is stored in UTF-8 format. If the system does not support Unicode, not every character can be entered during login. This parameter should only be set to 2 if the system supports Unicode (with Release 6.4).
Login/password_expiration_time
This parameter defines the number of days after which a password must be changed. The default value, 0, allows users to keep their passwords without any time limit.
Login/password_history_size
Controls the number of passwords that are stored as history and cannot be used.
Login/password_change_waittime
Controls the number of days a user has to wait to be allowed to change his password again.
Possible entries: 1-1000
Login/password_downwards_compatibility
Controls the downwards compatibility of password security.
0 – no downwards compatibility. The system generates only new hash values that cannot be interpreted by older kernel versions.
1 – The system internally generates downwards compatible hash values but does not evaluate them upon logon. This setting is required in a CUA-controlled landscape with systems that have older kernel releases.
2 – The system generates downwards compatible hash values and checks them upon failed login attempts to detect compatibility issues (logged in the system log). The login fails.
3 – as 2, but the login succeeds.
4 – as 3, but without a system log entry.
5 – completely downwards compatible.
Login/password_compliance_to_current_policy
1 – The system checks during login whether the password complies with the current password security settings. If not, a password change is enforced.
0 – no check
Users of type Service and System are generally excluded from password change requirements.
Login/password_change_for_SSO
If the user logs on with Single Sign-On, checks whether the user must change his or her password.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Login/password_login_usergroup
Controls the deactivation of password-based logon for user groups
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Login/password_max_idle_productive
Controls the number of days that may pass from the last password change of a user to his next logon. After that period of time, the password is rejected.
0 – unlimited validity
1 – only valid for the same day
>1 – number of days before rejection
Login/disable_password_logon
Controls the deactivation of password-based logon
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
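As an added example (not code from the original post or from SAP), the login/min_password_* rules above can be modelled as a check of a candidate password against a constructed policy. The special-character set is the one listed for login/password_charset = 0, and the positional difference count used for login/min_password_diff is an assumed simplification of SAP's own comparison.

```python
# Constructed policy values for the login/min_password_* parameters
# (chosen for this example, not SAP defaults).
POLICY = {
    "login/min_password_lng": 8,
    "login/min_password_digits": 1,
    "login/min_password_letters": 1,
    "login/min_password_specials": 1,
    "login/min_password_lowercase": 1,
    "login/min_password_uppercase": 1,
    "login/min_password_diff": 3,
}

# Special characters allowed for login/password_charset = 0 (space included).
SPECIALS = set("!\"@ $%&/()=?'`*+~#-_.,;:{[]}<>|")


def differing_chars(new, old):
    """Assumed simplification of min_password_diff: characters that differ
    position by position, plus any difference in length."""
    shared = min(len(new), len(old))
    changed = sum(a != b for a, b in zip(new[:shared], old[:shared]))
    return changed + abs(len(new) - len(old))


def check_password(new, old, policy=POLICY):
    """Return the policy parameters the candidate password violates."""
    counts = {
        "login/min_password_lng": len(new),
        "login/min_password_digits": sum(c.isdigit() for c in new),
        "login/min_password_letters": sum(c.isalpha() for c in new),
        "login/min_password_specials": sum(c in SPECIALS for c in new),
        "login/min_password_lowercase": sum(c.islower() for c in new),
        "login/min_password_uppercase": sum(c.isupper() for c in new),
        "login/min_password_diff": differing_chars(new, old),
    }
    return [name for name, minimum in policy.items() if counts[name] < minimum]


if __name__ == "__main__":
    # A new password that differs from the old one in only one character
    # fails login/min_password_diff although it satisfies every other rule.
    print(check_password("Winter2024!", "Winter2023!"))
```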
For Multiple Logon
Login/disable_multi_gui_login
Controls whether multiple logins are enabled or disabled.
0 = enable
1 = disable
Login/multi_login_users
Here a list of users can be deposited that are allowed multiple logins even though multiple login is generally disabled. The multiple login information is stored in the table USR41_MLD.
For Incorrect Login
Login/fails_to_session_end
This parameter defines the number of times a user can enter an incorrect password before the system terminates the logon attempt. The default is three, but this value can be set to any number from 1 to 99.
Login/fails_to_user_lock
This parameter defines the number of times a user can enter an incorrect password before the system locks the user from making additional logon attempts. If the system locks the user, an entry is written to the system log, and the lock is released at midnight. The default is 12 times, but this value can be set to any value from 1 to 99.
Login/failed_user_auto_unlock
This parameter unlocks users who were locked out by logging on incorrectly. If the parameter is set to 1 (the default), the system does not consider users locked because of a previous incorrect logon attempt. If the parameter value is 0, the locks remain.
Initial Password: Limited Validity
Login/password_max_new_valid
Defines the validity period of passwords for newly created users.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
Login/password_max_reset_valid
Defines the validity period of reset passwords.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
For SSO Logon Ticket
Login/accept_sso2_ticket
Allows or locks the logon using SSO ticket.
Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package
Login/create_sso2_ticket
Allows the creation of SSO tickets.
Available as of SAP Basis 4.6D
Login/ticket_expiration_time
Defines the validity period of an SSO ticket.
Available as of SAP Basis 4.6D
Login/ticket_only_by_https
The logon ticket is only transferred using HTTP(S).
Available as of SAP Basis 4.6D
Login/ticket_only_to_host
When logging on over HTTP(S), sends the ticket only to the server that created the ticket.
Available as of SAP Basis 4.6D
Other Login Parameters
Login/disable_cpic
Refuse incoming connections of type CPIC
Login/no_automatic_user_sap*
If the parameter is set to 1, then SAP* has no special default properties. Resetting the parameter to 0 allows logins with user SAP*, password PASS, and unrestricted system access privileges. Even if you set the parameter, ensure that there is a user master record for SAP*. If a user master record for SAP* exists, it behaves like a normal user, is subject to authorization checks, and its password can be changed.
Login/system_client
This parameter specifies the default client. This client is automatically filled in on the system logon screen. Users can enter a different client.
Login/update_logon_timestamp
Specifies the exactness of the logon timestamp.
Available as of SAP Basis 4.6
Other User Parameters
Rdisp/gui_auto_logout
Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
Default value: 0 (no restriction); permissible values: any numerical value
Login/ext_security
Since Release 3.0E, external security tools such as Kerberos or Secude have managed R/3 System access. If this parameter is set, an additional identification can be specified for each user (in user maintenance) where users log on to their security system. To activate, set the value to X.
Start_menu
This parameter specifies the default start menu for all users and can be overwritten with the user-specific start menu (transaction SU50). The default is S000, and this value can be set to any other area menu code.
Auth/authorization_trace
The combination of transaction and authorization object is written to table USOBX upon authorization check, if it does not exist there yet. Setting this value affects system performance!
Auth/no_check_in_some_cases
By using transaction SU24, you can activate or deactivate authorization checks for transactions. This function is active only if you set the system profile parameter to Y. By default, the function is inactive, and the parameter value is N. To activate the parameter, set the value to Y. If you want to work with the Profile Generator (PG), the parameter must be set.
Auth/rfc_authority_check
You can use this parameter to determine whether object S_RFC is checked during RFC calls.
• Value = 0, no check against S_RFC
• Value = 1, check active but no check for SRFC-FUGR
• Value = 2, check active and check against SRFC-FUGR
Auth/system_access_check_off
Use this parameter to turn off the automatic authorization check for particular ABAP language elements (file operations, CPIC calls, and calls to kernel functions). This parameter ensures the downward compatibility of the R/3 kernel. By default, the function is inactive (value = 0 and check remains active). To turn the check off, set the value to 1.
Auth/auth_number_in_userbuffer
For good system performance, the names of all the authorizations included in the user master of a user are buffered in a table. In the standard, this buffer can hold up to 1,000 authorizations. If a user has more than 1,000 authorizations, the value can be set to 2000. The default value is 800, but it can be set to between 1–2000. If for any reason you have to reset the user buffer, see Online Service System notes 84209 and 75908 for detailed information.
Auth/no_check_on_tcode
From Release 3.0E, the system checks on object S_TCODE. In specific instances, you can turn this check off, but this step results in a big security risk for your system. By default, the function is inactive, and the parameter value is N. To switch the check off, set the value to Y.
Auth/check_value_write_on
By entering transaction SU53 in the Command field, you can analyze an authorization denied error that has just occurred in your session. This function is active only if you have set the system profile parameter to a value greater than 0. By default, the function is inactive, and the parameter value is 0.
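As an added example (not code from the original post or from SAP), the following reads the "parameter = value" lines of an instance profile and flags settings that fall short of a hardening baseline built from the parameters listed above. The thresholds are this example's assumptions, the sample profile is constructed, parameter names are written in the lower-case form used in profile files, and login/no_automatic_user_sapstar is the profile-file spelling of the Login/no_automatic_user_sap* parameter described above.

```python
# Constructed sample instance profile (not from a real system). Profile files
# use "parameter = value" lines; "#" starts a comment.
SAMPLE_PROFILE = """\
# constructed sample
login/min_password_lng = 6
login/password_expiration_time = 0
login/fails_to_user_lock = 12
login/no_automatic_user_sapstar = 0
login/disable_multi_gui_login = 0
auth/no_check_on_tcode = N
auth/rfc_authority_check = 1
rdisp/gui_auto_logout = 1800
"""

def parse_profile(text):
    """Return {parameter (lower-cased): value} from profile text."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params

# (parameter, acceptable-value predicate, value assumed when unset, finding).
# Thresholds are this example's hardening assumptions, not SAP requirements;
# the assumed-unset values follow the defaults the post states where it states one.
BASELINE = [
    ("login/min_password_lng", lambda v: int(v) >= 8, "3", "minimum length below 8"),
    ("login/password_expiration_time", lambda v: int(v) > 0, "0", "passwords never expire"),
    ("login/fails_to_user_lock", lambda v: int(v) <= 5, "12", "more than 5 attempts before lock"),
    ("login/no_automatic_user_sapstar", lambda v: v == "1", "0", "SAP*/PASS fallback logon possible"),
    ("login/disable_multi_gui_login", lambda v: v == "1", "0", "multiple GUI logons allowed"),
    ("auth/no_check_on_tcode", lambda v: v.upper() == "N", "N", "S_TCODE check switched off"),
    ("auth/rfc_authority_check", lambda v: v in ("1", "2"), "1", "S_RFC check switched off"),
    ("rdisp/gui_auto_logout", lambda v: int(v) > 0, "0", "no idle logout for SAP GUI"),
]

def check_profile(text):
    """Return (parameter, effective value, finding) for each failed check."""
    params = parse_profile(text)
    findings = []
    for name, ok, unset_value, finding in BASELINE:
        value = params.get(name, unset_value)  # an unset parameter keeps its default
        try:
            if not ok(value):
                findings.append((name, value, finding))
        except ValueError:  # a numeric parameter with a non-numeric value
            findings.append((name, value, "value is not numeric"))
    return findings
```

Running `check_profile(SAMPLE_PROFILE)` reports the five weak settings in the sample; an empty profile reports six, because the unset defaults themselves fail the baseline.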
The following are parameters that I need to find the documentation on. If anyone can help that would be much appreciated!!
Login/isolate_rfc_system_calls
Auth/tcodes_not_checked
Auth/trfc_no_authority_check
Auth/object_disabling_active
Auth/shadow_upgrade
Auth/check/calltransaction
Auth/new_buffering
Login/certificate_request_ca_url
Login/certificate_request_subject
login/ticketcache_entries_max
login/ticketcache_off
Login/password_max_idle_initial