
Enabling Users to Reset Their Own Password

Use

When your business users log on with a user ID and password, some inevitably forget their password. To help these users, you can enable a logon help link on the Welcome screen. Business users choose this link, enter their data in the request form, and, assuming they entered their data correctly, receive a new password from the system. The user management engine (UME) generates the password and e-mails it to the business user.

You can determine what data the business users must provide. The following data is required:

· Logon ID

· E-Mail address

The following data is optional:

· First name

· Last name

The business users must enter this data exactly as it appears in their user profile.

You can configure the use of a security question. This provides an additional layer of security. The user must answer the question correctly in addition to entering data in the request form. You can either use a list of five predefined, hard-coded questions or enable users to write their own security question. When a user enters the answer to the security question, the AS Java ignores case.

Recommendation

Configure self-registration to enable users to choose their own security question and answer in the self-registration form. Enable self-management so users can maintain the question and answer in their user profile.


If you configure the use of a security question and answer, the user must maintain these fields in the user profile, or the user cannot request a new password.
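The request check described above, modelled as an added Python example. It is not SAP or UME code; the Profile class, the field names, may_reset, generate_password and the length and digit values are assumptions made for illustration.

```python
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:  # hypothetical stand-in for a stored user profile
    logon_id: str
    email: str
    first_name: str
    last_name: str
    security_answer: Optional[str] = None  # None: never maintained


def _same(a: str, b: str) -> bool:
    # Timing-safe comparison, so response time does not reveal a near match.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def may_reset(profile, form, require_names=False, use_question=False) -> bool:
    """True only if every configured check passes for this request form."""
    checks = [_same(form.get("logon_id", ""), profile.logon_id),
              _same(form.get("email", ""), profile.email)]
    if require_names:  # optional fields, checked when the indicator is set
        checks.append(_same(form.get("first_name", ""), profile.first_name))
        checks.append(_same(form.get("last_name", ""), profile.last_name))
    if use_question:
        if profile.security_answer is None:
            checks.append(False)  # no stored answer: no self-service reset
        else:  # the answer is the only field compared without regard to case
            checks.append(_same(form.get("answer", "").casefold(),
                                profile.security_answer.casefold()))
    return all(checks)  # every check is evaluated; callers show one generic error


def generate_password(length=12, min_digits=2) -> str:
    """Random password from a CSPRNG; length and min_digits are assumed policy values."""
    while True:
        pw = "".join(secrets.choice(string.ascii_letters + string.digits)
                     for _ in range(length))
        if sum(c.isdigit() for c in pw) >= min_digits:
            return pw


# Constructed sample data, not taken from any real system
ALICE = Profile("alice", "alice@example.com", "Alice", "Ng", "Blue Heron")
FORM = {"logon_id": "alice", "email": "alice@example.com", "answer": "blue heron"}
```

With the sample data, the lower-case answer is accepted, while an e-mail address that differs only in case is rejected because profile data must match exactly.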

Prerequisites

· You have SAP NetWeaver Application Server (AS) Java 7.0 SPS 12 or higher.

This Web Dynpro application replaces the legacy Java Server Pages (JSP)-based application. The JSP-based application remains available for backward compatibility.


If you upgraded from a release earlier than SAP NetWeaver 7.0 SPS 12 and you already configured logon help, you continue to use the legacy JSP-based application as you configured it. To use the Web Dynpro-based logon help application, follow the configuration steps below.

Users of SAP NetWeaver AS Java 7.0 SPS 12–13, see also SAP Note 1082019.

For more information, see Configuring Legacy Logon Help.

· This procedure requires you to restart the AS Java, so you should plan for the required downtime while the AS Java restarts.

· You have configured e-mail notification.

Without e-mail notification, business users cannot receive new passwords.

For more information, see Configuring E-Mail Notification.

· If you configure the security question and answer, you must configure self-management. Without self-management, business users cannot maintain their security question and answer.

For more information, see Configuring Self-Management.

· To enable users to choose a security question and answer when they register, you have configured self-registration.

For more information, see Configuring Self-Registration.

Procedure

1. Start user management configuration.

For more information, see Configuring User Management.

2. Choose the User Admin UI tab.

3. Choose Modify Configuration.

4. Determine which optional features you want to configure and save your changes.

   · To configure what data business users must provide, set the Require First and Last Names in Logon Help indicator.

   · To configure a security question choose from the following options:

      · To enable business users to enter their own security question, select Enable Security Question.

      · To enable business users to select their security question from a list of predefined questions, select Use a Predefined Security Question.

5. Assign the UME action UME.Logon_Help to a role assigned to the group anonymous users.

6. Restart the AS Java.

Result

If you have existing users in your installation and you enable the security question and answer, notify your users that they should log on and maintain their security question and answer. Without a security question and answer, these users cannot reset their own passwords.


Password Management

Use

Users require a password to be able to log on with user ID and password. As an administrator, you need to define or generate an initial password for newly created users. If users forget their passwords, you can also define or generate a new password for them. You can provide a link on the logon screen where users can reset their passwords themselves. If you enable self-management, users can view their profile and change their own passwords.

You can also disable a user’s password. A user with a disabled password cannot log on with a password, but can still log on under certain circumstances.

Prerequisites

If you want to change a user’s password or automatically generate a user’s password, you must enable e-mail notification; otherwise, the system cannot notify users about their new password. See Configuring E-Mail Notification.

Features

This section describes the features of password management.

Security Policy

The security policy defines the password rules. For example, you can define how long until a password expires or how many digits a password must contain. For more information, see Configuring the Security Policy for User ID and Passwords.

Defining Initial Passwords or Changing Passwords

You have the following options for defining initial passwords for new users, or changing an existing user’s password:

Caution

When defining or changing passwords, note the following:

· If you change the password for the default administrator user, you must also update the password for this user in the secure storage of the AS Java. For more information, see Modifying the Default Administrator User.

· You must enable e-mail notification before you define or change passwords; otherwise, the system cannot notify users of their new password.

· E-mail notification sends the logon passwords in plain text.

· Define a user’s password in the user details view

The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

· Generate a password for the user in the Details view for the user, or for one or more users in the Search view.

The system automatically generates a new password for the user. The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

· Update the user with the import function

Include the password attribute with a new password in the import. The user receives a notification e-mail containing the new password and is prompted to change his or her password the next time he or she logs on.

Help for Forgotten Passwords

Users inevitably forget their passwords. You can enable users to reset their passwords themselves, by configuring a link for logon help on the Welcome screen. Users enter their logon ID and other data.

If the user enters all this information correctly, the UME generates a new password according to the security policy and e-mails it to the user.

If the user enters the information incorrectly, an error message appears and the user must contact the administrator directly.

For more information, see Enabling Users to Reset Their Own Password.

Disabling Passwords

You can disable a user’s password. The user can no longer log on using a password, but only with Single Sign-On variants (X.509 certificate, logon ticket). This is useful if you do not require password-based logon because your users log on in other ways, such as using client certificates. In this case, deactivating the password increases security, as passwords that are not used are often still initial. Initial passwords are often well-known or were sent to the user in an unencrypted e-mail.

Depending on the security policy settings, the UME can lock a password after too many failed logon attempts.

Self-Management

If you want users to manage their own passwords, assign the action UME.Manage_My_Password to a role assigned to the everyone group. If you enable users to manage their own profiles, this action is not necessary. See also User Profile. This function requires you to set the indicator Allow Users to Change Their Own Passwords in the security policy settings.

Activities

Activity

How to Perform the Activity

Define an initial password for a user

1. Search for the user.

2. In the search results list, select the user.

The user details view appears.

3. In the Details view, choose Modify.

4. On the General Information tab, select Define Initial Password.

5. Enter the new password in the Define Password field and reenter it in the Confirm Password field.

6. Choose Save.

The system sends the user a notification e-mail containing the new password and prompts him or her to change this password the next time he or she logs on.

Generate a new password for a user

1. Search for the user.

2. In the search results list, select the user.

3. Choose Generate New Password.

The system sends the user a notification e-mail containing the new password and prompts him or her to change this password the next time he or she logs on.

Disable a user’s password

1. Search for the user.

2. In the search results list, select the user.

The user details view appears.

3. In the user details view, choose Modify.

4. On the General Information tab, select Disable Password.

5. Choose Save.
