Identity Manager 8.1.5 - Administration Guide for Connecting to SAP R/3

You can add words to a list of restricted terms to prohibit them from being used in passwords.

NOTE: The restricted list applies globally to all password policies.

To add a term to the restricted list

In the Designer, select the Base Data | Security settings | Restricted passwords category.
Create a new entry with the Object | New menu item and enter the term you want to exclude from the list.
Save the changes.

Checking a password

When you check a password, all the password policy settings, custom scripts, and the restricted passwords are taken into account.

To check if a password conforms to the password policy

In the Manager, select the SAP R/3 | Basic configuration data | Password policies category.
Select the password policy in the result list.
Select the Change master data task.
Select the Test tab.
Select the table and object to be tested in Base object for test.
Enter a password in Enter password to test.

A display next to the password shows whether it is valid or not.

Testing password generation

When you generate a password, all the password policy settings, custom scripts and the restricted passwords are taken into account.

To generate a password that conforms to the password policy

In the Manager, select the SAP R/3 | Basic configuration data | Password policies category.
In the result list, select the password policy.
Select the Change master data task.
Select the Test tab.
Click Generate.

This generates and displays a password.

Initial password for new SAP user accounts

Table 38: Configuration parameters for formatting initial passwords for user accounts
Configuration parameter	Meaning
QER \| Person \| UseCentralPassword	This configuration parameter specifies whether the employee's central password is used in the user accounts. The employee’s central password is automatically mapped to the employee’s user account in all permitted target systems. This excludes privileged user accounts, which are not updated.
QER \| Person \| UseCentralPassword \| PermanentStore	This configuration parameter controls the storage period for central passwords. If the configuration parameter is enabled, the central password is stored in the One Identity Manager database and is used for new users. If the configuration parameter is disabled, the central password is deleted from the One Identity Manager database following publishing to the existing user accounts. The central password is not available for new user accounts.
TargetSystem \| SAPR3 \| Accounts \| InitialRandomPassword	This configuration parameter specifies whether a random generated password is issued when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

You can issue an initial password for a new SAP user account in the following ways:

Create user accounts manually and enter a password in their master data.
Assign a randomly generated initial password to enter when you create user accounts.
- In the Designer, set the TargetSystem | SAPR3 | Accounts | InitialRandomPassword configuration parameter.
- Apply target system specific password policies and define the character sets that the password must contain.
- Specify which employee will receive the initial password by email.
Use the employee's central password. The employee’s central password is mapped to the user account password. For detailed information about an employee’s central password, see the One Identity Manager Identity Management Base Module Administration Guide.