This is one of the most important concepts for any IT-related system. It is one of the starting points for access to any system, and care should be taken that only legitimate users get access to (or are able to log in to) any SAP system.
From an administration point of view, it is important that the users in a system are genuine, and the necessary mechanisms should be in place to ensure that existing users do not get impersonated.
The user authentication process in R/3 takes place when a user tries to log in to the system using a user ID and password. The system verifies whether the user's logon credentials are correct.
If the logon credentials are authentic, the user gets access to the system; otherwise, access is denied. To keep existing users from being impersonated, it becomes pertinent that some strict password rules be applied.
One basic password rule is to force users to change their password after a certain interval of time. Another is to lock a user after a certain number of incorrect logon attempts, to prevent unauthorized users from gaining access to the system. The proper profile parameters need to be in place to apply these rules.
Some of the profile parameters are discussed in our post related to Security Audit.
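As an added example (not part of the original post), the script below audits an instance profile for the two password rules described above, using the SAP profile parameters login/password_expiration_time and login/fails_to_user_lock. The thresholds, the function names and the sample profile are assumptions constructed for illustration.

```python
import re

# Assumed audit thresholds (site policy chosen for this example, not SAP-mandated).
MAX_EXPIRY_DAYS = 90     # longest acceptable interval before a forced password change
MAX_FAILED_LOGONS = 5    # most incorrect logon attempts tolerated before the user is locked

# Constructed sample instance profile, not taken from a real system.
SAMPLE_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = DEV
login/password_expiration_time = 0
login/fails_to_user_lock = 12
"""

# (parameter, upper limit, meaning, True if a value of 0 switches the rule off)
CHECKS = [
    ("login/password_expiration_time", MAX_EXPIRY_DAYS, "days until forced change", True),
    ("login/fails_to_user_lock", MAX_FAILED_LOGONS, "failed logons before lock", False),
]

def parse_profile(text):
    """Parse 'name = value' lines, skipping blank lines and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_password_rules(params):
    """Return one finding per rule that is missing, disabled or too lenient."""
    findings = []
    for name, limit, meaning, zero_disables in CHECKS:
        raw = params.get(name)
        if raw is None:
            findings.append(f"{name}: not set in profile, kernel default applies; verify it")
        elif not raw.isdigit():
            findings.append(f"{name}: non-numeric value {raw!r}")
        elif zero_disables and int(raw) == 0:
            findings.append(f"{name}: 0 disables the rule ({meaning})")
        elif int(raw) > limit:
            findings.append(f"{name}: {raw} exceeds limit {limit} ({meaning})")
    return findings

if __name__ == "__main__":
    for finding in audit_password_rules(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```

A parameter that is absent from the profile is reported rather than assumed safe, because the effective value then comes from the kernel default and should be confirmed on the system itself.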