
Profile Parameters for Logon and Password

(Login Parameters)
The following table presents the profile parameters with which you can set password and logon
rules. These profile parameters define the minimum requirements for passwords. However, you
cannot set any upper limits for password rules. For example, users can use any number of special
characters in their passwords, as long as they follow the other password rules. More information
about the procedure for changing profile parameters: Changing and Switching Profile
Parameters.

Note

To make the parameters globally effective in an ABAP System (system profile parameters), set
them in the default system profile DEFAULT.PFL. However, to make them instance-specific, set
the parameters in the profiles of the system application servers.

To display the parameter documentation, in the profile parameter maintenance tool (transaction
RZ11), enter the parameter name and choose Display. On the next screen, choose the
Documentation button.

Password Rules
Parameter: login/min_password_lng
Value: Default: 6. Permissible values: 3 - 40.
Description: Defines the minimum length of the password. Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.

Parameter: login/min_password_digits
Value: Default: 0. Permissible values: 0 - 40.
Description: Defines the minimum number of digits (0-9) in passwords. Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.)

Parameter: login/min_password_letters
Value: Default: 0. Permissible values: 0 - 40.
Description: Defines the minimum number of letters (A-Z) in passwords. Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.)

Parameter: login/min_password_lowercase
Value: Default: 0. Permissible values: 0 - 40.
Description: Specifies how many characters in lower-case letters a password must contain. Available after SAP NetWeaver 6.40.

Parameter: login/min_password_uppercase
Value: Default: 0. Permissible values: 0 - 40.
Description: Specifies how many characters in upper-case letters a password must contain. Available after SAP NetWeaver 6.40.

Parameter: login/min_password_specials
Value: Default: 0. Permissible values: 0 - 40.
Description: Defines the minimum number of special characters in the password. Permissible special characters are, in particular, !"@ $%&/()=?'*+~#-_.,;:{[]}\<> and space and the grave accent. After SAP NetWeaver 6.40, all characters that are not letters or digits are regarded as special characters. Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.)

Parameter: login/password_charset
Value: Default: 1. Permissible values:
  0: Restrictive: The password can only consist of digits, letters, and the following (ASCII) special characters: !"@ $%&/()=?'*+~#-_.,;:{[]}\<> and space and the grave accent.
  1: Backward compatible. The password can consist of any characters including national special characters (such as , , from ISO Latin-1, 8859-1). However, all characters that are not contained in the set above (for value = 0) are mapped to the same special character, and the system therefore does not differentiate between them.
  2: Not backward compatible. The password can consist of any characters. It is converted internally into the Unicode format UTF-8. If your system does not support Unicode, you may not be able to enter all characters on the logon screen. This restriction is limited by the codepage specified by the system language.
Description: This parameter defines the characters of which a password can consist. Available in the standard system as of SAP Web AS 6.40.
  Caution: With login/password_charset = 2, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 2.

Password Logon
Parameter: login/password_compliance_to_current_policy
Value: Default: 0. Permissible values:
  0: No Check
  1: During the password check, the system checks whether the current password fulfills the current password rules. If this is not the case, it forces a password change.
Description: Available after SAP NetWeaver 6.40.

Parameter: login/disable_password_logon
Value: Default: 0. Permissible values:
  0: Password logon is possible
  1: Password logon is only possible for users in the group specified in the parameter login/password_logon_usergroup.
  2: Password logon is not possible in general
Description: Controls the deactivation of password-based logon. This means that the user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket). See Logon Data Tab Page. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.

Parameter: login/password_logon_usergroup
Value: Default: <empty_character_string>
Description: Controls the deactivation of password-based logon for user groups. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.

Parameter: login/password_max_idle_productive
Value: Default: 0: the check is deactivated. Permissible values: 0 - 24,000 (unit: days).
Description: Specifies the maximum period for which an unused productive password (a password set by the user) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password. Available after SAP NetWeaver 6.40.

Parameter: login/password_max_idle_initial
Value: Default: 0: the check is deactivated. Permissible values: 0 - 24,000 (unit: days).
Description: Specifies the maximum period for which an unused initial password (a password set by the user administrator) remains valid. After this period has expired, the user can no longer use the password for authentication. The user administrator can reactivate password-based logon by assigning a new initial password. This parameter replaces the profile parameters login/password_max_new_valid and login/password_max_reset_valid. Available after SAP NetWeaver 6.40.

Parameter: login/password_max_new_valid
Value: Default: 0. Permissible values: 0 - 24,000.
  0: The initial password is valid for an unlimited period of time.
  1: The initial password is only valid on the same day.
  x: After x days, the system rejects a logon using the initial password.
Description: Defines the validity period of passwords for newly created users. Only available in SAP Web Application Server 6.20 and 6.40.

Parameter: login/password_max_reset_valid
Value: Default: 0. Permissible values: 0 - 24,000.
  0: The initial password is valid for an unlimited period of time.
  1: The initial password is only valid on the same day.
  x: After x days, the system rejects a logon using the initial password.
Description: Defines the validity period of reset passwords. Only available in SAP Web Application Server 6.20 and 6.40.

Password Changes
Parameter: login/min_password_diff
Value: Default: 1. Permissible values: 1 - 40.
Description: Defines the minimum number of characters that must be different in the new password compared to the old password. Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.)

Parameter: login/password_expiration_time
Value: Default: 0. Permissible values: 0 - 1000.
Description: Defines the validity period of passwords in days.

Parameter: login/password_change_for_SSO
Value: Default: 1. Permissible values:
  0: Requirement to change password is ignored (backward compatible)
  1: Dialog box with options 2 and 3 (user decides)
  2: Password change dialog only (enter: old and new passwords)
  3: Deactivation of the password (automatically, no dialog box)
Description: If the user logs on with Single Sign-On, checks whether the user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package.

Parameter: login/password_history_size
Value: Default: 5. Permissible values: 1 - 100 (unit: number of entries).
Description: Specifies the number of passwords (chosen by the user, not the administrator) that the system stores and that the user is not permitted to use again. Available after SAP NetWeaver 6.40.

Parameter: login/password_change_waittime
Value: Default: 1. Permissible values: 1 - 1,000 (unit: days).
Description: Specifies the number of days that a user must wait before changing the password again. Available after SAP NetWeaver 6.40.
Other Password Profile Parameters
Parameter: login/password_downwards_compatibility
Value: Default: 1. Permissible values:
  0: Stores passwords in a format that systems with older kernels cannot interpret. The system only generates new (non-backward-compatible) password hash values.
  1: The system also generates backward compatible password hash values internally, but does not evaluate these for password-based logons (to its own system). This setting is required if you use this system as the central system of a Central User Administration and systems that only support backward compatible password hash values are also connected to the system group.
  2: The system also generates backward compatible password hash values internally, which it evaluates if a logon with the new, non-backward compatible password failed. In this way, the system checks whether the logon would have been accepted with the backward compatible password (truncated after eight characters, and converted to upper-case). The system records this in the system log. The logon fails. This setting is to allow the identification of backward incompatibility problems.
  3: As with 2, but the logon is regarded as successful. This setting is to allow the avoidance of backward incompatibility problems.
  4: As with 3, but the system does not create an entry in the system log.
  5: Full backward compatibility: the system only creates backward compatible password hash values.
Description: Specifies the degree of backward compatibility. Available after SAP NetWeaver 6.40.
  Caution: With login/password_downwards_compatibility = 0, the system stores passwords in a format that systems with older kernels cannot interpret. Therefore, ensure that all systems involved support the new password coding before setting the profile parameter to the value 0.
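
A simplified model of the logon outcomes described above for values 0 to 5, added here as an illustration (not SAP code). The function names, the returned pair and the sample passwords are assumptions; real systems compare hash values, which this model replaces with direct string comparison.

```python
def legacy_form(password):
    """Backward compatible form per the table: truncated after eight
    characters and converted to upper-case."""
    return password[:8].upper()


def logon(compat, stored, attempt):
    """Return (accepted, compat_log_entry) for one password logon attempt.

    compat is the value of login/password_downwards_compatibility.
    compat_log_entry is True when the system log records that the attempt
    only matched in the backward compatible form.
    """
    if compat not in range(6):
        raise ValueError("permissible values are 0 - 5")
    legacy_match = legacy_form(attempt) == legacy_form(stored)
    if compat == 5:
        # Only backward compatible hash values exist: passwords that agree
        # in the first eight characters, ignoring case, are equivalent.
        return legacy_match, False
    if attempt == stored:
        return True, False
    if compat in (0, 1) or not legacy_match:
        # 0: no legacy hash is generated; 1: it is generated but not
        # evaluated for logons to this system.
        return False, False
    if compat == 2:
        return False, True   # logon fails, mismatch is recorded
    if compat == 3:
        return True, True    # logon succeeds, mismatch is recorded
    return True, False       # 4: logon succeeds, nothing is recorded


# Constructed sample passwords: they differ after the eighth character and in case.
STORED = "Harbor-Light-2031"
ATTEMPT = "HARBOR-LxxxxxZZZ"

if __name__ == "__main__":
    for value in range(6):
        print(value, logon(value, STORED, ATTEMPT))
```

Values 3, 4 and 5 accept the second password even though it differs from the stored one, which is why value 2 is the setting for finding affected users before a stricter value is chosen.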

Multiple Logon
Parameter: login/disable_multi_gui_login
Value: Default: 0. Permissible values: 0, 1.
  1: The system blocks multiple dialog logons in the same client and under the same user name.
Description: Controls the deactivation of multiple dialog logons. Available as of SAP Basis 4.6.

Parameter: login/multi_login_users
Value: Default: <empty_list>
Description: List of excepted users, that is, the users that are permitted to log on to the system more than once. Available as of SAP Basis 4.6.

Incorrect Logon
Parameter: login/fails_to_session_end
Value: Default: 3. Permissible values: 1 - 99.
Description: Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. Set the parameter to a value lower than the value of parameter login/fails_to_user_lock.

Parameter: login/fails_to_user_lock
Value: Default: 5. Permissible values: 1 - 99.
Description: Defines the number of unsuccessful logon attempts before the system locks the user.

Parameter: login/failed_user_auto_unlock
Value: Default: 0: Locks due to incorrect logon attempts remain valid for an unlimited period. Permissible values: 0, 1.
Description: Defines whether user locks due to unsuccessful logon attempts are automatically removed at midnight.

Logon with SSO Ticket


Parameter: login/accept_sso2_ticket
Value: Default: 0. Permissible values:
  0: Logon with an SSO ticket is deactivated.
  1: Logon with an SSO ticket is permitted.
Description: Allows or locks the logon using SSO ticket. Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package.

Parameter: login/create_sso2_ticket
Value: Default: 0. Permissible values:
  0: Ticket generation is deactivated
  1: SSO ticket including certificate
  2: SSO ticket without certificate
Description: Allows the creation of SSO tickets. Available as of SAP Basis 4.6D.
  Recommendation: We recommend you set this to 2. The SSO tickets are significantly smaller without the certificate and therefore have less overhead.

Parameter: login/ticket_expiration_time
Value: Default value: 8; Unit: hours.
Description: Defines the validity period of an SSO ticket. Available as of SAP Basis 4.6D.

Parameter: login/ticket_only_by_https
Value: Default: 0. Permissible values:
  0: Browser always sends ticket.
  1: Browser only sends ticket for HTTPS connections.
Description: Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser. Available as of SAP Basis 4.6D.

Parameter: login/ticket_only_to_host
Value: Default: 0. Permissible values:
  0: Sends the ticket to all servers in the domain.
  1: When logging on over HTTP(S), sends the ticket only to the server that created the ticket.
Description: Specifies how the system sets the logon ticket, generated at logon using HTTP(S), in the browser. Available as of SAP Basis 4.6D.

Other Login Parameters


Parameter: login/disable_cpic
Value: Default: 0. Permissible values: 0, 1 (unit: Boolean).
  1: Refuses inbound connections of type CPIC. Inbound connections of type RFC remain unaffected.
Description: Refuse inbound connections of type CPIC.

Parameter: login/no_automatic_user_sapstar
Value: Default: 1, that is, you need to explicitly activate the emergency user. Permissible values: 0, 1.
Description: Control the emergency user SAP* (more information: SAP Notes 2383 and 68048).

Parameter: login/system_client
Value: Default: 000. Permissible values: 000 - 999.
Description: Specifies the default client that the system automatically enters on the logon screen. Users can, however, overwrite the default value with a different client.

Parameter: login/update_logon_timestamp
Value: Default: m. Permissible values:
  d: exact to the day
  h: exact to the hour
  m: exact to the minute
  s: exact to the second (backward compatible)
Description: Specifies the exactness of the logon timestamp. Available as of SAP Basis 4.6.

Other User Parameters


Parameter: rdisp/gui_auto_logout
Value: Default: 0 (unrestricted). Permissible values: Any numeric value.
Description: Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections).
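
One way to check a profile against the defaults, permissible values and dependencies listed on this page, added here as an example (not an SAP tool). It assumes the profile uses `name = value` lines with `#` comments; the sample profile, the function names and the choice to fall back to the documented default after an out-of-range value are assumptions of the example.

```python
import re

# name: (default, lowest, highest permissible value), as listed in the tables above
RULES = {
    "login/min_password_lng": (6, 3, 40),
    "login/password_charset": (1, 0, 2),
    "login/disable_password_logon": (0, 0, 2),
    "login/password_downwards_compatibility": (1, 0, 5),
    "login/fails_to_session_end": (3, 1, 99),
    "login/fails_to_user_lock": (5, 1, 99),
}

# Constructed sample profile, not taken from a real system
SAMPLE = """\
# DEFAULT.PFL excerpt (constructed)
login/min_password_lng = 2
login/fails_to_session_end = 5
login/fails_to_user_lock = 5
login/disable_password_logon = 1
login/password_charset = 2
"""

def parse_profile(text):
    """Read 'name = value' lines; '#' starts a comment (assumed profile syntax)."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"([\w/]+)\s*=\s*(.*)", line.split("#", 1)[0].strip())
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit(text):
    """Return findings for values that break the rules stated on this page."""
    params, eff, findings = parse_profile(text), {}, []
    for name, (default, low, high) in RULES.items():
        raw = params.get(name, str(default))      # unset parameter -> documented default
        ok = raw.isdigit() and low <= int(raw) <= high
        eff[name] = int(raw) if ok else default   # keep auditing with the default
        if not ok:
            findings.append(f"{name} = {raw}: outside permissible values {low} - {high}")
    if eff["login/fails_to_session_end"] >= eff["login/fails_to_user_lock"]:
        findings.append("login/fails_to_session_end is not lower than login/fails_to_user_lock")
    if eff["login/disable_password_logon"] == 1 and not params.get("login/password_logon_usergroup"):
        findings.append("login/disable_password_logon = 1 but login/password_logon_usergroup is empty")
    if eff["login/password_charset"] == 2:
        findings.append("login/password_charset = 2: confirm all systems support the new password coding")
    if eff["login/password_downwards_compatibility"] == 0:
        findings.append("login/password_downwards_compatibility = 0: confirm all systems support the new password coding")
    return findings
```

`audit(SAMPLE)` reports four findings: the password length below the permissible range, the session-end threshold not below the lock threshold, the empty user group, and the `login/password_charset = 2` caution.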
