SAP - Password Self Service
Standard Operating Procedure (SOP): Password Self Service
Configuration and End User Logon
1. Introduction
Password Self Service (PSS) is a customizable feature that
allows end users to reset their own passwords in an SAP system, thus reducing
the administrative burden on IT teams. Normally, a password reset is carried
out by administrators using transaction code SU01. However, by enabling PSS,
end users can reset their passwords themselves, freeing up administrators for
other critical tasks. This SOP outlines the configuration steps for setting up
Password Self Service (PSS) and End User Logon functionality.
2. Password Self Service Overview
Password Self Service allows an end user to reset their own
password through the system. Once a user requests a password reset, the
application validates their identity through pre-configured data sources and
authentication methods, resets the password, and sends a generic password to
the user's registered email address. The user must then change this password
upon their next login.
Pre-requisite:
- All end users must have a valid email ID to receive the reset password link.
3. Password Self Service Configuration
3.1. Connector Settings
The first step in configuring Password Self Service is to
define the connector settings for the applicable systems.
- Navigate to SPRO:
  - SPRO → IMG → GRC → AC → Maintain Connector Settings.
- Configure the PSS System:
  - For each system that will support password self-service, check the PSS System box.
- Save the configuration.
3.2. Maintain Data Sources Configuration
Data sources define where the system will search for user
login credentials.
- Navigate to SPRO:
  - SPRO → IMG → GRC → AC → Maintain Data Sources Configuration.
- Configure Data Sources:
  - User Authentication Data Sources: Select a system (e.g., ECC, LDAP, HR).
  - User Search Data Sources: Select a system for user search.
  - User Detail Data Sources: Select a system for user details.
  - End User Verification: Choose YES/NO based on whether the user must enter their password to log in.
3.3. End User Verification
- Enabled: Requires the user to enter their password during login.
- Disabled: Removes this requirement but can introduce a security risk, as any user could access the system using another user's ID. To mitigate this, consider using Challenge Response questions.
Suggested Configuration:
- Disable End User Verification and activate Challenge Response questions if additional security is required.
3.4. Challenge Response Configuration
If Challenge Response is selected, configure the questions
and answers that the user must answer to reset their password.
- Navigate to SPRO:
  - SPRO → IMG → Governance, Risk & Compliance → Access Control → User Provisioning → Maintain Password Self Service.
- Configure Global Settings:
  - Set Authentication Source to Challenge Response.
  - Define the number of questions (minimum 1) and the number of attempts (e.g., 3).
- Enter Challenge Questions:
  - Click New Entries in the Challenge Response Questions section.
  - Add questions and ensure the Active checkbox is selected.
- Save your entries.
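The verification logic implied by the global settings above (a required number of questions, a limited number of attempts), shown as an added Python example that is not part of this SOP and not SAP GRC's own implementation. Answers are stored only as salted PBKDF2 hashes, every submitted answer is checked before a result is returned, and the user is locked out of self-service after the configured number of failures, at which point an administrator reset (SU01) is needed. The ChallengeResponseStore class, the answer normalization rule and the constants REQUIRED_QUESTIONS and MAX_ATTEMPTS are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional, Tuple

# Policy values that mirror the SOP's "number of questions" and "number of
# attempts" settings. Constructed example values, not SAP defaults.
REQUIRED_QUESTIONS = 2
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000


def normalize(answer: str) -> str:
    """Fold case and collapse whitespace so 'Fluffy ' and 'fluffy' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 of the normalized answer; the plaintext is never kept."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class ChallengeResponseStore:
    """Hypothetical store: enrolls hashed answers and enforces the attempt limit."""

    def __init__(self) -> None:
        self._answers: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}
        self._failures: Dict[str, int] = {}
        self._locked: set = set()

    def enroll(self, user_id: str, answers: Dict[str, str]) -> None:
        if len(answers) < REQUIRED_QUESTIONS:
            raise ValueError(f"at least {REQUIRED_QUESTIONS} questions are required")
        self._answers[user_id] = {q: hash_answer(a) for q, a in answers.items()}
        self._failures[user_id] = 0

    def is_locked(self, user_id: str) -> bool:
        return user_id in self._locked

    def verify(self, user_id: str, responses: Dict[str, str]) -> bool:
        """True only when enough answers match and none is wrong; counts failures."""
        if user_id in self._locked or user_id not in self._answers:
            return False
        stored = self._answers[user_id]
        matched = wrong = 0
        # Check every supplied answer without early exit, so response time does
        # not reveal which question was answered incorrectly.
        for question, given in responses.items():
            if question not in stored:
                wrong += 1
                continue
            salt, expected = stored[question]
            _, actual = hash_answer(given, salt)
            if hmac.compare_digest(expected, actual):
                matched += 1
            else:
                wrong += 1
        if wrong == 0 and matched >= REQUIRED_QUESTIONS:
            self._failures[user_id] = 0
            return True
        self._failures[user_id] += 1
        if self._failures[user_id] >= MAX_ATTEMPTS:
            # Further resets for this user now need an administrator (SU01).
            self._locked.add(user_id)
        return False
```

The lockout counter resets only on a successful verification, so three consecutive wrong attempts lock the user regardless of how the attempts are spread over time; a production implementation would also log each failure for monitoring.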
3.5. PSS Global Configuration Values
Configure global PSS settings to control verification
requirements:
- Navigate to SPRO:
  - SPRO → IMG → Governance, Risk & Compliance → Access Control → User Provisioning → Maintain Password Self Service.
- Configure PSS Settings:
  - Set PSS Global Configuration Values such as:
    - PSS Disable Verification: Choose None for standard PSS verification, or other options based on requirements (e.g., Password Self Service or Name Change Self Service).
- Save Configuration.
4. End User Logon Configuration
4.1. User Maintenance for End User Logon
To enable end users to reset their passwords, configure a shared user and a WF-Batch user:
- Create a Shared User in SU01:
  - Type: Communication
  - Roles: SAP_GRAC_ACCESS_REQUESTER, SAP_GRAC_END_USER
- Create a WF-Batch User in SU01:
  - Type: System
  - This user will send the password reset email.
  - Configure a generic email address such as donotreply@something.something.
4.2. Activate End User Logon
- Navigate to SPRO:
  - SPRO → IMG → GRC → AC → User Provisioning → End User Login.
- Activate Service:
  - Service Name: GRAC_UIBB_END_USERLOGIN (or use transaction code SICF).
  - On the Logon Data tab, enter the shared user ID, password (from SU01), and standard procedure.
- Save the configuration.
4.3. Activate Other Web Services
If enabling multiple features, activate additional services
by repeating the above steps for the following services:
- GRAC_GAF_PWD_SELFSERVICE_EU
- GRAC_OIF_USER_REGISTER_EU
- GRAC_OIF_MY_PROFILE_EU
- GRAC_GAF_NAME_CHANGE_SERV_EU
- GRAC_POWL_REQUEST_STATUS_EU
- GRAC_GAF_ACCREQ_WITH_REQREF_EU
- GRAC_OIF_REQUEST_SUBMISSION_EU
- GRAC_GAF_ACCREQ_WITH_TEMPL_EU
- GRAC_GAF_ACCREQ_WITH_USEREF_EU
4.4. Test Service
- Right-click on GRAC_UIBB_END_USERLOGIN and choose Test Service → Logon Screen in web browser.
- Log in using the provided credentials and confirm that the End User Home screen appears.
5. User Access
To enable end users to log in and reset their password,
provide them with the following details:
- URL Address
- User ID
- Password (temporary, system-generated password)
The system will send a temporary password to the user's
registered email address, which they must change upon their first login.
Customizing Password Generation:
If needed, customize the password criteria (length, letters, digits, specials)
using transaction SM30 and table PRGN_CUST.
- Navigate to TCode: SM30.
- Maintain Values for Password Generation:
  - GEN_PSW_MAX_LENGTH: 10
  - GEN_PSW_MAX_LETTERS: 5
  - GEN_PSW_MAX_DIGITS: 3
  - GEN_PSW_MAX_SPECIALS: 2
- Save your settings.
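What the four PRGN_CUST values above amount to as a password rule, shown as an added Python example that is not part of this SOP and is not SAP's own generator. The code reads each parameter as an upper bound for its character class (an assumption based on the parameter names), checks any candidate password against those bounds, and generates a temporary password that uses the full budget of every class while drawing from the OS CSPRNG via the secrets module. The SPECIALS character set and the UNEXPECTED_CHARACTER label are constructed for the example.

```python
import secrets
import string
from typing import Dict, List

# Values from the SOP's PRGN_CUST example. Reading them as upper bounds per
# character class is an assumption based on the parameter names.
POLICY: Dict[str, int] = {
    "GEN_PSW_MAX_LENGTH": 10,
    "GEN_PSW_MAX_LETTERS": 5,
    "GEN_PSW_MAX_DIGITS": 3,
    "GEN_PSW_MAX_SPECIALS": 2,
}

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!#$%&*+-=?@_"  # constructed set; align with the target system's allowed characters


def count_classes(password: str) -> Dict[str, int]:
    """Count characters per class; 'other' catches anything outside the three sets."""
    counts = {"letters": 0, "digits": 0, "specials": 0, "other": 0}
    for ch in password:
        if ch in LETTERS:
            counts["letters"] += 1
        elif ch in DIGITS:
            counts["digits"] += 1
        elif ch in SPECIALS:
            counts["specials"] += 1
        else:
            counts["other"] += 1
    return counts


def check_policy(password: str, policy: Dict[str, int] = POLICY) -> List[str]:
    """Return the names of violated parameters; an empty list means compliant."""
    counts = count_classes(password)
    violations: List[str] = []
    if len(password) > policy["GEN_PSW_MAX_LENGTH"]:
        violations.append("GEN_PSW_MAX_LENGTH")
    if counts["letters"] > policy["GEN_PSW_MAX_LETTERS"]:
        violations.append("GEN_PSW_MAX_LETTERS")
    if counts["digits"] > policy["GEN_PSW_MAX_DIGITS"]:
        violations.append("GEN_PSW_MAX_DIGITS")
    if counts["specials"] > policy["GEN_PSW_MAX_SPECIALS"]:
        violations.append("GEN_PSW_MAX_SPECIALS")
    if counts["other"]:
        violations.append("UNEXPECTED_CHARACTER")  # constructed label, not a PRGN_CUST key
    return violations


def generate_temporary_password(policy: Dict[str, int] = POLICY) -> str:
    """Spend the full budget of each class within the length cap, then shuffle.

    The secrets module is used deliberately: a temporary password drawn from
    random.random() would be predictable from earlier outputs.
    """
    length = policy["GEN_PSW_MAX_LENGTH"]
    n_specials = min(policy["GEN_PSW_MAX_SPECIALS"], length)
    n_digits = min(policy["GEN_PSW_MAX_DIGITS"], length - n_specials)
    n_letters = min(policy["GEN_PSW_MAX_LETTERS"], length - n_specials - n_digits)
    chars = (
        [secrets.choice(LETTERS) for _ in range(n_letters)]
        + [secrets.choice(DIGITS) for _ in range(n_digits)]
        + [secrets.choice(SPECIALS) for _ in range(n_specials)]
    )
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)


if __name__ == "__main__":
    pwd = generate_temporary_password()
    print(pwd, count_classes(pwd), check_policy(pwd))
```

With the SOP's values the three class budgets add up to exactly the length cap, so every generated password has 5 letters, 3 digits and 2 specials; if the cap were lower than the sum, the generator trims letters first, then digits, so that specials are never dropped.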
6. Conclusion
By enabling Password Self Service and configuring End User
Logon, organizations can significantly reduce the burden on administrators and
empower users to manage their own password resets. Proper configuration of
authentication sources, challenge responses, and user access settings ensures a
secure and efficient self-service experience.