Password expired in SAP


Issue: In the production system, the Basis team had set the following profile parameters:

login/password_max_idle_initial = 30 days

login/password_max_idle_productive = 30 days

As a result, the password of every user who had not logged in to the SAP system for more than 30 days expired.

It so happened that no user had logged in to a particular production client for more than 30 days, so the passwords of all users in that client expired.

Now none of the users could log in to that client, not even the Basis and Security consultants who had full authorization in it. They could, however, log in to the other clients.

The question: to restore access, how can one log in to that production client without deleting user sap* from the database (and hence without using the credentials sap*/pass)?

There are other ways to log in successfully; we share one method that works when the password of a user who has full authorization in that client has been deactivated.

To reproduce the scenario, let us assume a user ZTEST with full SAP authorization in client 000. The password of this user has been deactivated (as in the original issue).

Because this user's password is deactivated in client 000, the user cannot log in to client 000 with user ID and password. But, as mentioned above, the user still has access to other clients in the same system, say client 001.

We will use this access to log in to client 000.

To do so, create a Trusted RFC destination from client 001 to client 000 using transaction SM59. As discussed in the topic of RFC Authorization, a user needs authorization object S_ICF in the source system/client, and authorization objects S_RFC and S_RFCACL with the proper field values in the destination system/client, to log in to the destination system successfully through a Trusted RFC.

For more details on RFC authorization, please refer to this link.

As stated repeatedly above, the deactivated user has full authorization in client 000, which means the user holds authorization objects S_RFC and S_RFCACL. Object S_RFCACL is very critical and is by default missing even from SAP_ALL. Access to S_RFCACL should not be granted to everyone: as this scenario shows, it lets a user log in from another client or system (where that system is trusted) even when the password is deactivated, which is a security risk.

Once the trusted RFC destination has been created in client 001 via SM59, run the connection test. Then log in to client 001 as user ZTEST; if ZTEST does not exist in client 001, create it and make sure it has the necessary authorization values for object S_ICF along with access to transaction SM59. Open the Trusted RFC destination you created and click Remote Logon. User ZTEST is logged in to client 000 automatically!
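As an added example (not part of the original post), here is a small Python audit for the two conditions this scenario depends on: a client in which every user's password has exceeded the idle limit (the whole-client lockout described at the start), and roles that grant S_RFCACL with wildcard values (the risk noted above). The sample dates, users, role names and tuple layouts are constructed assumptions, not SAP tables.

```python
from datetime import date, timedelta

# Constructed sample data, not from the original post. Dates, users, roles and
# the tuple layouts are assumptions chosen to mirror the scenario above.
PROFILE = {
    "login/password_max_idle_initial": 30,     # days, as set by the Basis team
    "login/password_max_idle_productive": 30,  # days, as set by the Basis team
}
# (client, user, date of last password logon)
LAST_LOGON = [
    ("000", "ZTEST", date(2024, 1, 2)),
    ("000", "BASIS1", date(2024, 1, 5)),
    ("001", "ZTEST", date(2024, 2, 20)),
    ("001", "SECADM", date(2024, 1, 1)),
]
# Role authorization values in the shape of an AGR_1251-style export
# (assumption): (role, object, field, low value). Role names are constructed.
ROLE_AUTHS = [
    ("Z_BASIS_ALL", "S_RFCACL", "RFC_SYSID", "*"),
    ("Z_BASIS_ALL", "S_RFCACL", "RFC_CLIENT", "*"),
    ("Z_BASIS_ALL", "S_RFCACL", "RFC_USER", "*"),
    ("Z_INTERFACE", "S_RFCACL", "RFC_SYSID", "PRD"),
    ("Z_INTERFACE", "S_RFCACL", "RFC_CLIENT", "001"),
    ("Z_INTERFACE", "S_RFCACL", "RFC_USER", "RFC_IFACE"),
    ("Z_DISPLAY", "S_TCODE", "TCD", "SU01"),
]

def expired_users(today, last_logon=LAST_LOGON, profile=PROFILE):
    """(client, user) pairs whose productive password has sat idle longer
    than login/password_max_idle_productive and is therefore deactivated."""
    limit = timedelta(days=profile["login/password_max_idle_productive"])
    return {(c, u) for c, u, d in last_logon if today - d > limit}

def locked_out_clients(today, last_logon=LAST_LOGON, profile=PROFILE):
    """Clients in which every user is idle-expired: the whole-client lockout
    from the incident, where nobody can log on with a password any more."""
    expired = expired_users(today, last_logon, profile)
    by_client = {}
    for c, u, _ in last_logon:
        by_client.setdefault(c, []).append((c, u))
    return sorted(c for c, users in by_client.items()
                  if all(pair in expired for pair in users))

def wildcard_rfcacl_roles(role_auths=ROLE_AUTHS):
    """Roles granting S_RFCACL with '*' in RFC_SYSID, RFC_CLIENT or RFC_USER:
    such roles accept trusted logons from any system, client or user."""
    broad = {"RFC_SYSID", "RFC_CLIENT", "RFC_USER"}
    return sorted({role for role, obj, field, low in role_auths
                   if obj == "S_RFCACL" and field in broad and low == "*"})
```

Run the two checks on a schedule: a non-empty result from the first means a client is about to become unreachable by password, and a non-empty result from the second lists roles whose S_RFCACL grant should be narrowed to specific systems, clients and users.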