Spotlight on Security Parameters

  • by Gary Byrne, Managing Editor, Financials Expert and SCM Expert
  • September 8, 2011
Configuration parameters play a key role in helping you maintain security controls at any SAP installation. Review a five-point checklist from Richard Castle of Ernst and Young to ensure that you are following best practices for implementing security controls at your organization. Then learn from the comments of Selva Kumar, the vice president of Softsquare LLC and owner of, about challenges related to establishing and maintaining security parameters for SAP systems.
Key Concept

Are your security parameters strong enough to ward off an attacker looking for a vulnerability in your system? Are you compliant? What other issues can affect your security parameters? Two experts, Richard Castle of Ernst and Young, and Selva Kumar, of Softsquare LLC, have some advice.

Richard Castle says that configuration parameters play a significant role in maintaining security controls in SAP installations. At the spring SAPinsider GRC 2011 conference, he discussed user provisioning, restricting access to Basis objects and transactions, functional transactions, assigning adequate segregation of duties to users, and limiting access to customized tables, programs, and transactions. In his talk, “An External Auditor’s Guide to Preparing Your Landscape for a Security Audit,” he provided some common security parameters, shown in Table 1.

Parameter | Description | Recommended value
--- | --- | ---
 | Minimum password length | 
 | Minimum number of digits required in password | 
 | Minimum number of letters required in password | 
 | Minimum number of special characters required in password | 
 | Minimum number of lowercase characters required in password | 
 | Minimum number of uppercase characters required in password | 
login/password_history_size | Number of passwords that cannot be used again | 25
login/password_change_waittime | Number of days the user must wait before changing password | 10
login/password_max_idle_productive | Maximum period of time a password remains active if not used | 30
login/password_max_idle_initial | Maximum period of time an initial password remains active if not used | 30
login/min_password_diff | Minimum number of different characters between old and new password | 2
login/password_expiration_time | Number of days before password expires | 30
rdisp/gui_auto_logout | Number of seconds of inactivity before automatic logout | 1800
login/no_automatic_user_sapstar | Controls the emergency user SAP* (SAP Notes 2383 and 68048) | 1
login/fails_to_session_end | Number of incorrect login attempts before session end | 3
login/fails_to_user_lock | Number of incorrect login attempts before user account locks | 3

Table 1 Security parameters
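Auditors usually sample these values from transaction RZ11 or from the instance profile itself, and the comparison direction differs per parameter: a history size below the recommendation is weak, an expiration time above it is weak, and a value of 0 switches several of the upper-bound controls off entirely. The script below is an added example (not code from the article or from SAP) that parses profile text in the `name = value` form used by SAP instance profiles and reports every Table 1 parameter that is unset or outside the recommended value. The profile text is constructed for illustration, the min/max/equality direction assigned to each parameter is the author's reading of the table, and treating 0 as "control disabled" is documented SAP behaviour for password_expiration_time and gui_auto_logout but is assumed here for the two max_idle parameters.

```python
"""Check an SAP instance profile against the recommended values in Table 1.

Added example, not part of the article. The profile text is constructed;
real profiles live under /usr/sap/<SID>/SYS/profile/ and use the same syntax.
"""
import re

# Recommendation table from the article plus the comparison direction an
# auditor applies (assumption): "min" = value must be at least the target,
# "max" = value must not exceed the target and 0 means the control is off,
# "eq" = value must match exactly.
RECOMMENDED = {
    "login/password_history_size":        ("min", 25),
    "login/password_change_waittime":     ("min", 10),
    "login/password_max_idle_productive": ("max", 30),
    "login/password_max_idle_initial":    ("max", 30),
    "login/min_password_diff":            ("min", 2),
    "login/password_expiration_time":     ("max", 30),
    "rdisp/gui_auto_logout":              ("max", 1800),
    "login/no_automatic_user_sapstar":    ("eq", 1),
    "login/fails_to_session_end":         ("max", 3),
    "login/fails_to_user_lock":           ("max", 3),
}

# Constructed sample profile; the weak settings are deliberate so that the
# checker has something to report. max_idle_initial is intentionally absent.
SAMPLE_PROFILE = """\
# Instance profile (constructed sample, not a real system)
SAPSYSTEMNAME = XYZ
login/password_history_size = 5
login/password_change_waittime = 1
login/password_max_idle_productive = 0
login/min_password_diff = 2
login/password_expiration_time = 90
rdisp/gui_auto_logout = 0
login/no_automatic_user_sapstar = 0
login/fails_to_session_end = 3
login/fails_to_user_lock = 3
login/fails_to_user_lock = 12
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_/]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value} from profile text.

    Lines starting with '#' are comments. When a parameter appears more than
    once, the last occurrence wins, which is how the profile reader resolves it.
    """
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_parameter(name, value, rule, target):
    """Return None if the value is compliant, otherwise a short finding."""
    if value is None:
        return "not set in profile; kernel default applies, verify in RZ11"
    try:
        current = int(value)
    except ValueError:
        return "non-numeric value %r" % value
    if rule == "eq":
        return None if current == target else "is %d, expected %d" % (current, target)
    if rule == "min":
        return None if current >= target else "is %d, should be at least %d" % (current, target)
    # "max": an upper bound where 0 disables the control entirely
    if current == 0:
        return "is 0 (control disabled), should be at most %d" % target
    return None if current <= target else "is %d, should be at most %d" % (current, target)


def audit_profile(text):
    """Return a sorted list of (parameter, finding) for non-compliant settings."""
    params = parse_profile(text)
    findings = []
    for name, (rule, target) in RECOMMENDED.items():
        finding = check_parameter(name, params.get(name), rule, target)
        if finding:
            findings.append((name, finding))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_profile(SAMPLE_PROFILE):
        print("%-36s %s" % (name, finding))
```

Running the script against the constructed profile reports eight findings, including the duplicated `login/fails_to_user_lock` (the later value 12 is the effective one) and the absent `login/password_max_idle_initial`, which is flagged rather than silently passed because a parameter missing from the profile falls back to a kernel default that the checker cannot see.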

Gary Byrne

Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.


