Configuring the SAP server after applying OSS Note 750_390

Some Bravura Security Fabric functions perform an administrative password reset. The reset is affected by the OSS Note 750_390 patch. If you have applied the OSS Note 750_390 patch, an administrative password reset on your SAP target system now sets the user’s Ltime field in the SAP database to 000000, which forces the user to reset his password on the next login and effectively makes it a single-use password. This also happens when a user resets his SAP password using Bravura Pass.

The solution to this change is to first reset the user’s password to an intermediate value using the standard administrative reset facilities, and then log the user in through the RFC interface to change his password. A problem arises if the user does not have permission to use the RFC interface; in this case, a temporary role (PSYNCH_USER) providing the required RFC permissions must be created and assigned to the user. The role is removed after the user has been logged in and the password has been changed. The following procedure details how to configure this setup.

If the user already has the required RFC permissions, the only configuration step required is to open the target address configuration and set the value for Method to make a password productive after a reset to Log the user in.
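The two-step reset described above, as an added illustration that is not Bravura or SAP code: an in-memory model showing the temporary role being assigned only when needed and removed even if the password change fails. `FakeSap`, `SapUser`, `productive_reset`, the `Z_RFC_USER` role and the random intermediate password are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field

TEMP_ROLE = "PSYNCH_USER"                 # role name recommended on this page
RFC_ROLES = {TEMP_ROLE, "Z_RFC_USER"}     # hypothetical: roles that grant RFC access here

@dataclass
class SapUser:
    password: str
    roles: set = field(default_factory=set)
    must_change: bool = False             # models Ltime = 000000 after an admin reset

@dataclass
class FakeSap:                            # in-memory stand-in, not a real SAP interface
    users: dict
    audit: list = field(default_factory=list)

    def admin_reset(self, name, pw):
        u = self.users[name]
        u.password, u.must_change = pw, True      # patched server: single-use password
        self.audit.append(("reset", name))

    def set_role(self, name, role, present):
        roles = self.users[name].roles
        if present:
            roles.add(role)
        else:
            roles.discard(role)
        self.audit.append(("assign" if present else "remove", name))

    def rfc_change_password(self, name, old, new):
        u = self.users[name]
        if not u.roles & RFC_ROLES:
            raise PermissionError(f"{name} lacks RFC authorization")
        if not secrets.compare_digest(u.password, old):
            raise ValueError("intermediate password rejected")
        u.password, u.must_change = new, False    # change made as the user is productive
        self.audit.append(("rfc_change", name))

def productive_reset(sap, name, new_pw):
    """Admin reset to a random intermediate value, then change it as the user."""
    needs_role = not sap.users[name].roles & RFC_ROLES
    intermediate = secrets.token_urlsafe(16)      # assumption: random intermediate value
    sap.admin_reset(name, intermediate)
    if needs_role:
        sap.set_role(name, TEMP_ROLE, True)
    try:
        sap.rfc_change_password(name, intermediate, new_pw)
    finally:
        if needs_role:                            # remove the temporary role even on failure
            sap.set_role(name, TEMP_ROLE, False)
    return sap.users[name]
```

If the change step fails, the model leaves the account on the single-use intermediate password with the temporary role already removed, which is the state to check for when reviewing failed resets.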

To configure the SAP server after applying the OSS Note 750_390 patch, do the following:

  1. Run transaction PFCG. Type PSYNCH_USER in the Role field and click Create role. PSYNCH_USER is the recommended role name, but a different name can be used.

  2. On the Bravura Security Fabric server, create a registry string called SAP_PSYNCH_USER_ROLE in the Bravura Security Fabric Registry Path for the instance and set it to the name of the role specified in the previous step.

    • Entry name: SAP_PSYNCH_USER_ROLE

    • Value: The name of the specified role

    • Data type: REG_SZ

    Ensure that you are comfortable and knowledgeable in the mechanics of the registry before you attempt to change any configuration settings. Contact support@bravurasecurity.com if in doubt.

  3. Select the Authorizations tab and click Change authorization data.

  4. Click Selection criteria to see the Change role: Insert authorizations page.

    1. Choose Cross-application Authorization Objects > Authorization Check For RFC Access.

    2. Click Insert chosen.

  5. Modify its values as follows:

    1. Click in the Activity row, select the 16 Execute checkbox, and click Save.

    2. Edit the Name of RFC to be protected row to SUSO, SYST.

    3. Select Function Group in the Type of RFC to be protected row.

  6. Generate the profile.

  7. Ensure that the Bravura Security Fabric SAP administrative user has S_USER_AGR authorization. This authorization allows the administrative user to add/delete a user to/from the PSYNCH_USER role.

  8. In Bravura Security Fabric, log into the Manage the system (PSA) module and modify the SAP target system address configuration so that the value for Method to make a password productive after a reset is set to Log the user in.

    The Log the user in value indicates a patched server.