Implementing a Compliant Account and Password Policy

In the rapidly evolving landscape of enterprise IT, security is a non-negotiable priority. As part of its proactive landscape stabilization initiatives, SAP Enterprise Cloud Services (ECS) has identified key measures to mitigate risks such as unplanned downtime, security threats, performance issues, and non-compliance. This article highlights the essential steps and recommendations for implementing a compliant account and password policy in SAP NetWeaver AS ABAP systems, as documented in SAP Note 3250501.

Introduction to the Policy

By adhering to its security hardening guidelines, SAP underscores the importance of securing ABAP systems. Implementing a robust account and password policy is a non-negotiable requirement for audit and security compliance, with a strict six-month timeline for implementation. Failure to comply exposes businesses to potential risks like unplanned downtime and security vulnerabilities.

Key Recommendations

Move Away from Passwords

To enhance security, SAP recommends transitioning to Single Sign-On (SSO) methods, such as SAP Single Sign-On (SSO) 3.0. For technical users requiring passwords, SAP advises programmatically generating long, complex passwords and applying stringent policies. Personal users who continue to use passwords should implement group-specific security policies via transaction SECPOL, ensuring alignment with SAP-recommended profile parameters.

Mandatory Security Parameters

SAP Note 3250501 provides a comprehensive list of mandatory security parameters. Key highlights include:

• Enforcing a minimum password length of 15 characters.
• Requiring a mix of uppercase, lowercase, digits, and special characters in passwords.
• Implementing password expiration policies, with a maximum validity of 90 days.
• Maintaining a password history of at least 15 entries to prevent reuse.
• Prohibiting backward compatibility for passwords.

Custom Security Policies

For greater flexibility, organizations can leverage transaction SECPOL to define client-specific or user-specific rules. This approach enables:

• Separate policies for dialog users, technical users, and administrators.
• Enhanced granularity in security policy enforcement.

Implementation Tips

Implementing account and password policies across an SAP landscape can be complex, requiring technical expertise and strategic planning. By following these tips, you can ensure efficient policy management while maintaining compliance. Leveraging the right tools and approaches is key to success, whether managing policies landscape-wide, creating custom rules, or automating assignments.

Landscape-wide Policy Management

• Profile parameters are maintained per system, and remote maintenance is not possible. Utilize tools like the Xiting Authorizations Management Suite (XAMS) to centrally monitor your entire landscape in real-time and be actively informed if one of your systems does not meet your defined policy.

Custom Policies:

• Use transaction SECPOL for custom policies. Screen variants (transaction SHD0) allow you to define default values in transactions like SU01.
• Utilize tools like report ZSHOW_SECPOL (example code here: https://github.com/SAP-samples/security-services-tools) to review security policies.
• Assign policies to users via transactions SU01 (individual assignment) or SU10 (mass assignment), and check your external Identity Management (IDM) systems for automated policy assignments.

Integrations and Automation:

• Implement enhancements such as?BADI_IDENTITY_CREATE?and?BADI_IDENTITY_CHECK?to enforce default policy during user creation. Use Enhancement Spot SUID_IDENTITY for default SECPOL assignments.

Operational Challenges to Consider

When implementing new policies for accounts and passwords, a few practical considerations should be kept in mind. First, note that changes to some parameters will require a system restart, which might necessitate careful scheduling to avoid disruptions. Additionally, any undefined attributes in the policy will default to kernel values rather than the profile parameters, so it’s important to explicitly define critical settings. Finally, rolling out new policies isn’t just about the technical implementation; effective communication and thorough training for users are essential to ensure a smooth transition and widespread adoption.

Enhancing User Awareness

Password policies are only effective if users are aware of and adhere to them. Proactively identifying at-risk users with tools like the RSUSR200 report can help prevent issues such as password expiration. Additionally, integrating pop-ups or email notifications through user exits like SUSR0001 provides timely reminders for users to update their passwords, ensuring greater compliance and satisfaction.

Why Compliance Matters

Adopting SAP’s recommended account and password policies goes beyond audit checkboxes—it’s a vital step in safeguarding your organization’s systems and data. These guidelines significantly reduce the risk of unauthorized access, ensure regulatory compliance, and foster a culture of accountability.

To maintain and monitor compliance effectively, solutions like Xiting Security Architect, part of the Xiting Authorizations Management Suite (XAMS), are indispensable. Security Architect provides robust tools to document, monitor, and enforce policies in real-time across your entire SAP landscape. With its proactive capabilities, you can detect and resolve vulnerabilities before they escalate, ensuring your systems remain secure, reliable, and prepared for the future.

Conclusion

By swiftly adopting SAP’s guidelines and leveraging solutions like XAMS, your organization can establish a secure and compliant framework. This mitigates risks and ensures your systems are resilient and prepared for sustainable security management. For further technical details, refer to SAP documentation and SAP Note 3250501.