SAP Knowledge Base Article - Public

2931642 - SAP SuccessFactors Employee Central: Default Password Generation

Symptom

As a part of our commitment to security, a universal update was rolled out to modify how default passwords are generated within SAP SuccessFactors HXM Suite Employee Central. Specifically, the default password generation options ‘Same as User Name’ and ‘Same as User ID’ have been removed.

Please also refer to the Managing User Information Handbook for additional details.

Images/data in this KBA are from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • SAP SuccessFactors Employee Central

Resolution

We have modified how default passwords are generated during the following Employee Central processes:

  • Hire via the UI using:
    • Add New Employee
    • Add New Employee for Fixed Term
    • Add Contingent Worker
    • Add Onboardee (Onboarding 2.0)
    • Manage Pending Hires
    • Rehire with New Employee
  • Hire via Imports (Employee Data Imports)

Prior to the patch on June 19th, administrators could select between the following options within Company System and Logo Settings:

3-Options.png

After the patch on June 19th, the "Same as User Name" or "Same as User ID" options were no longer selectable (options are greyed out as shown below):

NewOptions.png

After the patch on October 9th, the above options will no longer be visible in the UI; the default setting for all new hires will be the secure password option of 'Random Password'.

Important Note: While it is not possible after June 19th to select the options "Same as User Name" or "Same as User ID" as the default password, if these options were set prior to June 19th, customers had until October 9th before these insecure options were fully deprecated. During this time, we strongly advised customers to update their default password generation method to 'Random Password'. If no action was taken, the system defaulted to the 'Random Password' option on October 9th. Communication was sent out to all impacted customers 30 days prior to any changes with regard to default password generation.

For customers who had already selected the "Random Password" option, there was no impact. Customers who had selected the options "Same as User Name" or "Same as User ID" as the preferred method to generate passwords for new users (prior to June 19th) should refer to the sections below to understand the impact of these changes:

Please Note: For migration and API guidance, please refer to the Platform KBA: 2932190 - Changes to Default Password Generation in BizX Users

 

Hire via the UI

As a part of our commitment to improving security, we have modified how default passwords are generated during the following processes via the Hire UI:

  • Add New Employee
  • Add New Employee for Fixed Term
  • Add Contingent Worker
  • Add Onboardee (Onboarding 2.0)
  • Manage Pending Hires
  • Rehire with New Employee

As stated above, the Employee Central settings in Admin Center -> Company System and Logo Settings have been impacted. Customers no longer have the option to select "Same as User Name" or "Same as User ID" to generate passwords for new users in Employee Central. Any customers still using these options after the June 19th patch had until October 9th to manually make the adjustment to the secure 'Random Password' option, after which this option would be the default setting.

Important Note: To ensure that the randomly created password is communicated via email to the new hire, we recommend maintaining an email address during the hire process. The system will then be able to inform the new hire of the login details.

Also be sure to validate the email configuration for the welcome message. Configuration of the email template remains the same, in Admin Center -> Send User Welcome Email:

EmailNotificationTemplate.png


The Welcome Email template can alternatively be configured in Admin Center > E-Mail Notification Templates:

emailnotification.png

Note:

  • The option "Welcome Message Notification with Reset Password Support" should be selected as highlighted above.
  • The option "Welcome Message Notification" has been deprecated and will not work if selected.

Important: If no email is maintained for the user, and the password needs to be reset manually, this can be achieved via import or in Admin Center > 'Reset User Passwords'. Please use the following KBAs:

  • 2088643 - Passwords: Using the Employee Import to Manage Passwords (mass update) 
  • 2088527 - How to reset user's passwords in SuccessFactors

 

Hire via Imports

Prior to this change, 'Employee Data Import (for Employee Central only)' jobs could use any of the three options configured in Company System and Logo Settings: Same as User Name, Same as User ID, Random Password. As of June 19th, all existing import jobs that were configured to use the insecure password options ("Same as User Name" or "Same as User ID") would continue to use the same password option until October 9th. After the second patch on October 9th, all new and existing import jobs will use a random system generated password option.

New Import jobs in Provisioning:

For all new Import jobs after June 19th, users will only be able to select ‘Random Password’ as the default option under ‘Company System and Logo Settings’ in the admin center. The other two options, Same as User Name and Same as User ID, were not selectable, as shown in the screenshot below:

NewOptions.png

After October 9th, these options are no longer available in Company System and Logo Settings as the 'Random Password' option is defaulted.

Existing Import jobs in Provisioning:

As of June 19th, all existing import jobs that were configured to use the insecure password options ("Same as User Name" or "Same as User ID") would continue to use the same password option until October 9th, after which the 'Random Password' option is defaulted. Please review the following two scenarios regarding the 'Sending Welcome Email' option:

  • Customers who wish to change to the ‘Random Password’ option and have already configured the ‘Sending Welcome Email’ option, or don’t need the ‘Sending Welcome Email’ option, can safely enable the ‘Random Password’ option under ‘Customer System and Logo Settings’ in the admin center.
  • Customers who wish to change to the ‘Random Password’ option and also want to configure the ‘Sending Welcome Email’ option have to contact either their implementation partner or SAP support to cancel the existing jobs in provisioning and create a new job with the ‘Send Welcome Email’ option enabled in provisioning.

Important Note: Using ‘Random Password’ will not enable the option of ‘Sending Welcome Email’ in provisioning. If you want to start sending emails for existing jobs, please contact your implementation partner or SAP support to enable the option in provisioning.

ImportJob.png

 

Enforce Password Reset after First Successful Logon

Security issues might occur if the system doesn’t force end users to reset their password after their first successful logon, when they log in to the system with the password provided through one or more of these methods:

  • Admin Center - Employee Import in Admin Center in instances that do not have Employee Central enabled
  • Provisioning (in the Manage Scheduled Job page in Provisioning) - Employee Import / Bulk Employees Import / Delta Employees Import
  • User SFAPI calls

** Users Impacted

End user’s password is filled in by customer admin and by one of the above-mentioned methods in instances that use SAP SuccessFactors password authentication (excluding users authenticated by SAP IAS or 3rd party IDP services).

Please Note: Users using SSO authentication, integrated external learners, and onboardees are not impacted.

** What do customers need to do?

  • Communicate with your end users and ask them to reset their password after the first successful logon from the login page.
  • For new tenants provisioned after Aug 14’s release, ensure that you have changed the initial passwords set by admin for SFAPI and update the password in your integration programs.

** Migration Guidance

After first successful logon, a pop-up dialog "Password Change" will require the end user to reset the password:

 reset.PNG

SFAPIs:

For new tenants provisioned after Aug 14’s release, please ensure that you have changed the initial password for your SFAPI integration account set by admin:

  1. Log in to your tenant with the username and password provided by the admin.
  2. Change the password in the “Password Change” pop-up dialog, following the company password policy.
  3. Use the new password in the integration program.

Note: For existing tenants, there is no impact.

OData APIs:

No change has been made to OData APIs.

 

Import Password Validation

Security issues might occur if the system does not validate the password with the password policy configured through one or more of these methods:

  • Admin Center - Employee Import in Admin Center in instances that do not have Employee Central enabled
  • Provisioning (in the Manage Scheduled Job page in Provisioning) - Employee Import / Bulk Employees Import / Delta Employees Import

** Users Impacted

End user's password is filled in by a customer admin and by one of the above mentioned methods in instances that use SAP SuccessFactors password authentication (excluding users authenticated by SAP IAS or 3rd party IDP services).

Please Note: Users using SSO authentication, integrated external learners, and onboardees are not impacted.

** What do customers need to do?

  • Make a migration plan to ensure password policy compliance in the Import tools mentioned above.

** Migration Guidance

  • Review the password policy settings in Admin Center > Company Settings > System Logo and Password and ensure that each password in the import file follows the policy.
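
A pre-import check of the kind this guidance calls for, as an added example (not SAP code and not part of the original KBA): it flags predefined passwords in an import file that equal the user name or user ID, or that break the policy. The column names USERID, USERNAME, EMAIL and PASSWORD and the policy values are assumptions; take the real ones from your import template and tenant settings.

```python
import csv
import io
import re

# Assumed policy values: replace with the ones configured in your tenant.
POLICY = {"min_length": 8, "max_length": 18, "mixed_case": True, "digit": True}

# Constructed sample; USERID, USERNAME, EMAIL, PASSWORD are assumed column names.
SAMPLE_IMPORT = """USERID,USERNAME,EMAIL,PASSWORD
1001,jdoe,jdoe@example.com,jdoe
1002,asmith,asmith@example.com,1002
1003,bwong,bwong@example.com,Tr4il-Mix-Quartz
1004,cnguyen,cnguyen@example.com,
1005,dlee,dlee@example.com,short1A
"""


def check_password(password, user_id, username, policy=POLICY):
    """Return the reasons a predefined password is rejected (empty list = OK)."""
    problems = []
    # The two retired defaults: password identical to user name or user ID.
    if password.casefold() == username.casefold():
        problems.append("same as user name")
    if password.casefold() == user_id.casefold():
        problems.append("same as user ID")
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        problems.append("length outside policy")
    if policy["mixed_case"] and not (
        re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    ):
        problems.append("needs upper and lower case")
    if policy["digit"] and not re.search(r"\d", password):
        problems.append("needs a digit")
    return problems


def audit_import(csv_text, policy=POLICY):
    """Map USERID to its list of problems for every non-compliant row."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = (row.get("PASSWORD") or "").strip()
        if not password:
            continue  # no predefined password in this row, nothing to validate
        problems = check_password(password, row["USERID"], row["USERNAME"], policy)
        if problems:
            findings[row["USERID"]] = problems
    return findings


if __name__ == "__main__":
    for user_id, problems in audit_import(SAMPLE_IMPORT).items():
        print(user_id, "; ".join(problems))  # never print the password itself
```
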

 

Ability to enable 'Send Welcome Email' option from Admin Center for EC Import Jobs

Prior to October 9th, customers wanting to send welcome emails for EC Import jobs had to contact SAP Support or their implementation partner to enable the option in provisioning, as shown below:

securityKBA1.png

After October 9th, customers can enable the feature 'Send Welcome Message' for Imports from the Admin Center. This setting can be found in Admin Center > Platform Feature Settings > Send Welcome Message:

securityKBA2.png

Please Note: This will only work if an Email address is already updated. If no email is preselected, welcome emails will not be sent. This option will also override 'Send Welcome Message' setting during Basic CSV Import:

securityKBA3.png

 

Frequently Asked Questions

  1. Is there a customer facing communication sent regarding the change? 

    ANSWER: An email notification was sent to the identified company administrators regarding this change.


  2. What’s the impact if you haven’t finished the migration after the patch is delivered on June 19th?

    ANSWER:
    Only the “System generated” option for the default password is supported in Admin Center > Employee Import. The options to set username / userid / email as the default password will be deprecated. Aside from this, all submitted Employee Import/Bulk Employees Import/Delta Employees Import jobs in Provisioning that specify username/userid/email as the default password will continue to run, but with a warning message shown in Monitor job > job details. Please select the two opt-ins in Admin Tool Platform Feature Settings to change your provisioning jobs to use a system generated password.


  3. I use SSO to log in to BizX. Will I be impacted by this change?

    ANSWER: NO


  4. Will the change impact external learning users and onboardees?

    ANSWER: NO


  5. My BizX instance is integrated with third-party applications that are set to use User Name/ UserID as the default password. What should we do?

    ANSWER: We recommend that you change this kind of integration because of the security risk. You may use a pre-defined password in the import file for integration.


  6. We already have a couple of users who were created with User Name / UserID as the default password for login. Is there anything that we can do from our side to ensure that their logins are secured?

    ANSWER: Please encourage the users to reset their passwords ASAP using one of the following three methods.

    • These users can reset passwords themselves by using the set password link (valid for 1 to 30 days, according to your company-level password policy setting) in the welcome notification.
    • These users can reset passwords themselves by navigating to Options > Password in the system.
    • An admin can reset passwords for these users by navigating to Admin Center > Reset User Passwords and deliver the new passwords to users offline. Password Changed email notifications with a set password link will be sent to users when the Password Changed Notification with the [[SET_PASSWORD_URL]] token has been enabled in E-mail Notification Template Settings and the user notification option is on in Admin Center -> Options -> Change User Notification.

      For details on resetting user passwords, please refer to the admin guide for the detailed steps.

 

  7. What are the different combinations of selecting 'Send Welcome Email' options?

    ANSWER: The Admin Center 'Send Welcome Message' option will always override both the provisioning and CSV import settings when the Admin Center switch is enabled. The following tables illustrate all possible scenarios:

    Admin Center Setting    Provisioning Setting    Welcome Email
    Disabled                Disabled                Not Sent
    Disabled                Enabled                 Sent
    Enabled                 Disabled                Sent
    Enabled                 Enabled                 Sent

    Admin Center Setting    Basic CSV Import Setting    Welcome Email
    Disabled                Disabled                    Not Sent
    Disabled                Enabled                     Sent
    Enabled                 Disabled                    Sent
    Enabled                 Enabled                     Sent

Important: Customers who experience any issues or have additional questions or concerns related to the Employee Central default password generation changes should create a support ticket using component LOD-SF-EC-ADM. For general Platform related password generation changes, please refer to KBA 2932190 - Changes to Default Password Generation in BizX Users.

See Also

As of 2H 2023, you can monitor the delivery of email notifications using Stories in People Analytics. For more details, see KBA 3387145 - Reporting on the delivery of System Email Notifications.

Keywords

EC, passwords, password, Import, Employee Import, security, welcome email, hire, employee data import , KBA , LOD-SF-PLT-PWD , Password Policy Settings & Reset Password , LOD-SF-EC-ADM , Admin Tools (EC Core only) , How To

Product

SAP SuccessFactors HCM all versions