{"id":401,"date":"2018-01-30T08:00:57","date_gmt":"2018-01-30T07:00:57","guid":{"rendered":"http:\/\/akquinet-security-en.blog\/?p=401"},"modified":"2020-07-07T11:56:20","modified_gmt":"2020-07-07T09:56:20","slug":"do-sap-security-policies-create-more-security","status":"publish","type":"post","link":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/","title":{"rendered":"Do SAP security policies create more security? Not usually\u2026"},"content":{"rendered":"

\"Motiv_SAST-Security_Bild03_150dpi_1701\"You might already know that, as of Release 7.40 Sp8, you can use SAP security policies to define user-specific security parameters, contrary to the system profile values. But did you also know that you can inadvertently weaken secure values such as login restrictions and password complexity as a result?<\/p>\n

Our practical tip will show you how to effectively prevent such a weakening.<\/p>\n

<\/p>\n

You can set the parameters of your security policies in a different manner according to:
\n1.\u00a0\u00a0\u00a0\u00a0\u00a0 password complexity
\n2.\u00a0\u00a0\u00a0\u00a0\u00a0 password change interval
\n3.\u00a0\u00a0\u00a0\u00a0\u00a0 login restrictions<\/p>\n

You use transaction “SECPOL” to maintain the security policies and you have the option of defining as many policies as you wish.
\nThe relationship between “Security Policy Tag” and system profile values at a glance:
\n\"SAST-Blog_SecurityPolicies_Tabelle_1801\"<\/p>\n

Transaction SU01 is then used for the assignment to users:
\n\"SAST-Blog_SecurityPolicies_Abb1_1801\"<\/p>\n

But be careful because there’s a major catch!<\/strong><\/p>\n

Security Policies do not overwrite<\/span> individual profile values, but replace ALL<\/span> values.<\/p>\n

This means that values that you do not define in a Security Policy are not set to the secure values<\/span> according to RZ10 parameters, but to insecure<\/span> kernel values in user context.<\/p>\n

Thus, you can inadvertently weaken secure values such as login restrictions and password complexity. The following example shows such behavior:
\n\"SAST-Blog_SecurityPolicies_Abb2_1801\"<\/p>\n

Our experience in projects has shown that many customers do not expect this behavior. The general expectation is that parameters can be set contrary to the default settings. However, this is not the case.<\/p>\n

Our tip for you:
\n– Use Security Policies only if you define ALL values in a completely similar manner to the RZ10 parameters and make only a few values stronger or weaker.
\n– Remember that you are adjusting all Security Policies when you strengthen corresponding RZ10 system parameters.<\/p>\n

To secure your SAP systems, our SAST SUITE<\/a> provides extensive testing in the context of Security Policies specifically for this case. The SAST SUITE immediately shows relevant misconfigurations, weaknesses, and assignments of insecure values to users.<\/p>\n

Contact us: knowhow@akquinet.de<\/a><\/p>\n

\"ralfkempf_akquinet\"
\nRalf Kempf
\nTechnical Managing Director “SAST SOLUTIONS” at AKQUINET<\/h6>\n","protected":false},"excerpt":{"rendered":"

You might already know that, as of Release 7.40 Sp8, you can use SAP security policies to define user-specific security parameters, contrary to the system profile values. But did you also know that you can inadvertently weaken secure values such as login restrictions and password complexity as a result?
\nOur practical tip will show you how to effectively prevent such a weakening.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[80],"class_list":["post-401","post","type-post","status-publish","format-standard","hentry","category-sap-security","tag-sap-security"],"yoast_head":"\nDo SAP security policies create more security? Not usually\u2026<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Do SAP security policies create more security? Not usually\u2026\" \/>\n<meta property=\"og:description\" content=\"You might already know that, as of Release 7.40 Sp8, you can use SAP security policies to define user-specific security parameters, contrary to the system profile values. But did you also know that you can inadvertently weaken secure values such as login restrictions and password complexity as a result? Our practical tip will show you how to effectively prevent such a weakening.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/\" \/>\n<meta property=\"og:site_name\" content=\"SAST BLOG\" \/>\n<meta property=\"article:published_time\" content=\"2018-01-30T07:00:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-07-07T09:56:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png\" \/>\n<meta name=\"author\" content=\"securityblog\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"securityblog\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/\"},\"author\":{\"name\":\"securityblog\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\"},\"headline\":\"Do SAP security policies create more security? Not usually\u2026\",\"datePublished\":\"2018-01-30T07:00:57+00:00\",\"dateModified\":\"2020-07-07T09:56:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/\"},\"wordCount\":342,\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png\",\"keywords\":[\"SAP Security\"],\"articleSection\":[\"SAP Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/\",\"name\":\"Do SAP security policies create more security? Not usually\u2026\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png\",\"datePublished\":\"2018-01-30T07:00:57+00:00\",\"dateModified\":\"2020-07-07T09:56:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#primaryimage\",\"url\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png\",\"contentUrl\":\"https:\\\/\\\/sast-blog.akquinet.com\\\/wp-content\\\/uploads\\\/2018\\\/01\\\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/2018\\\/01\\\/30\\\/do-sap-security-policies-create-more-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Do SAP security policies create more security? Not usually\u2026\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#website\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"name\":\"SAST BLOG\",\"description\":\"SAP Security & Compliance\",\"publisher\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#organization\",\"name\":\"SAST BLOG\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"contentUrl\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/sast-solutions-logo.png\",\"width\":358,\"height\":155,\"caption\":\"SAST BLOG\"},\"image\":{\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/sast-solutions.com\\\/blog-en\\\/#\\\/schema\\\/person\\\/cd70e3749cca136a7e8a37dc1d3cfc26\",\"name\":\"securityblog\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Do SAP security policies create more security? Not usually\u2026","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/","og_locale":"en_US","og_type":"article","og_title":"Do SAP security policies create more security? Not usually\u2026","og_description":"You might already know that, as of Release 7.40 Sp8, you can use SAP security policies to define user-specific security parameters, contrary to the system profile values. But did you also know that you can inadvertently weaken secure values such as login restrictions and password complexity as a result? Our practical tip will show you how to effectively prevent such a weakening.","og_url":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/","og_site_name":"SAST BLOG","article_published_time":"2018-01-30T07:00:57+00:00","article_modified_time":"2020-07-07T09:56:20+00:00","og_image":[{"url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png","type":"","width":"","height":""}],"author":"securityblog","twitter_card":"summary_large_image","twitter_misc":{"Written by":"securityblog","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#article","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/"},"author":{"name":"securityblog","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26"},"headline":"Do SAP security policies create more security? Not usually\u2026","datePublished":"2018-01-30T07:00:57+00:00","dateModified":"2020-07-07T09:56:20+00:00","mainEntityOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/"},"wordCount":342,"publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png","keywords":["SAP Security"],"articleSection":["SAP Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/","url":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/","name":"Do SAP security policies create more security? Not usually\u2026","isPartOf":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#primaryimage"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#primaryimage"},"thumbnailUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png","datePublished":"2018-01-30T07:00:57+00:00","dateModified":"2020-07-07T09:56:20+00:00","breadcrumb":{"@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#primaryimage","url":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png","contentUrl":"https:\/\/sast-blog.akquinet.com\/wp-content\/uploads\/2018\/01\/motiv_sast-security_bild03_150dpi_1701-e1517248210894.png"},{"@type":"BreadcrumbList","@id":"https:\/\/sast-solutions.com\/blog-en\/2018\/01\/30\/do-sap-security-policies-create-more-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sast-solutions.com\/blog-en\/"},{"@type":"ListItem","position":2,"name":"Do SAP security policies create more security? Not usually\u2026"}]},{"@type":"WebSite","@id":"https:\/\/sast-solutions.com\/blog-en\/#website","url":"https:\/\/sast-solutions.com\/blog-en\/","name":"SAST BLOG","description":"SAP Security & Compliance","publisher":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sast-solutions.com\/blog-en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/sast-solutions.com\/blog-en\/#organization","name":"SAST BLOG","url":"https:\/\/sast-solutions.com\/blog-en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/","url":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","contentUrl":"https:\/\/sast-solutions.com\/blog-en\/wp-content\/uploads\/2021\/03\/sast-solutions-logo.png","width":358,"height":155,"caption":"SAST BLOG"},"image":{"@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/sast-solutions.com\/blog-en\/#\/schema\/person\/cd70e3749cca136a7e8a37dc1d3cfc26","name":"securityblog"}]}},"_links":{"self":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/comments?post=401"}],"version-history":[{"count":3,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/401\/revisions"}],"predecessor-version":[{"id":1292,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/posts\/401\/revisions\/1292"}],"wp:attachment":[{"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/media?parent=401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/categories?post=401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sast-solutions.com\/blog-en\/wp-json\/wp\/v2\/tags?post=401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}