SAP Knowledge Base Article - Public

3264665 - What's New "New Password Security Policy for Business Users" in SAP Business ByDesign

Symptom

In this document explains SAP Password Security Policy for Business Users in SAP Business ByDesign and some of the important related KBA's for the Security Policy.

Environment

SAP Business ByDesign

Resolution

What's New

"A new password security policy called S_BUSINESS_USER_V2 is now available in SAP Business ByDesign and the existing password security policy S_BUSINESS_USER is now deprecated. If you have set the S_BUSINESS_USER policy as the default, then after the upgrade the new S_BUSINESS_USER_V2 policy will be set as the default. However, if you have set any other password security policy as the default, the same setting will remain in the system."

The following are the improvements in the new password security policy as compared to the existing S_BUSINESS_USER policy.

Attribute

S_BUSINESS_USER

S_BUSINESS_USER_V2

Minimum number of characters

8

15

Password History

5

15

Is Default

Changed to No

Yes

FAQ:

1. Does this improvement affect existing Users?

Ans: This change will not affect existing users. If a user has password policy S_BUSINESS_USER, the password rules are still bound by the S_BUSINESS_USER policy. Customer can change the password policy assigned to a business user anytime from the Business User Edit Attributes screen.

2. For whom it will be impacted and How?

Ans: If a password policy is default, it means that any new employee hired in the system (or in other words, new business users created in the system), will have this particular password policy. In this case, previous default password policy is 'S_BUSINESS_USER'. Now if default password policy is set to 'S_BUSINESS_USER_V2', this does not affect the users having either of the password policies, it only means that for any new business users created in the system, the password policy 'S_BUSINESS_USER_V2' will be assigned as default.

3. My default security is not S_BUSINESS_USER but S_BUSINESS_USER_WITHOUT_PASSWORD. What would be the risk if I do not change those users (for integration) security policies to S_BUSINESS_USER_V2? Would the basic authentication loses its functionality?

S_BUSINESS_USER_V2 provides a much more stricter policy for passwords of Business User. That's where our recommendation is to move to new security policy. However, if there is no change done then system will continue to work.

4. When would be the full deprecation of S_BUSINESS_USER ?

As of now full deprecation of S_Business_user is not planned.. We will give at least one release notice in advance before stopping the support

See Also

Important KBA's:

1881710 - Unable to change the parameters for SAP delivered security policy.

2949663 - Activate SHA256 Security Policy

2951799 - How To Export Security Policy and Business User Details

2462998 - How-to update the security policy of multiple business user

2820544 - All Users Able To Log Via SSO Regardless Security Policy

2608632 - Frequently Asked Questions on Identity and Access Management

2595989 - How to Enable Only SSO Login for Business Users

Help Portal Link:

What's New: New Password Security Policy for Business Users

Security Policy Qucik Guide

Keywords

What's New, Security Policy, Password Policy, Password Security Policy, IAM, Identity and Access Management, Business User, Password. , KBA , what's new , password policy , security policy , SRD-CC-IAM , Identity & Access Management , How To

Product

SAP Business ByDesign 2211