Courion Tip – SAP Password Resets and Account Locks

For unlocking accounts and resetting passwords, Courion offers only one control: a checkbox on the PMM Gateway Connector, "unlock account before a password reset". When this box is checked, Courion unlocks the user and then performs the password reset. The problem is that enabling it also clears administrative locks, not just locks caused by excessive password retries. No option in the Unique Resource Data applies to this situation.

Possible ways to address this:

  1. SAP Note 826050 – I was unable to research this. There are no references “in the wild” on the internet, and I do not have an SAP support logon.
  2. Setting up a separate account to do password resets (separate from the account management account), and adjusting permissions for that account so that it cannot override administrative lockouts. I have not been able to test this, and do not have the necessary background with SAP permissions.
  3. Support call into Courion. I am not sure they have a magic solution to this issue.

If administrative locks are accompanied by, for instance, moving the user into the DISABLED group, it should be possible to use Option 2 above, and not give the password management account permissions to the DISABLED group.

Courion documentation on this checkbox (bolding is mine…), from Configuring_PMMs_Connectors_and_Agents.pdf, page 454:

UNLOCK USER BEFORE A PASSWORD RESET — This option only applies to an SAP system in which the patch described in SAP Note 826050 has not been applied. If a user is locked, the user will not be unlocked unless this option is checked. This option will unlock all lock types when doing a password reset. SAP provides three lock types:

  • too many failed logon attempts
  • local administrative lock, and
  • global administrative lock.

Note: On an SAP system in which the patch described in SAP Note 826050 has been applied, this option has no functionality. Instead the following behavior applies:

  • If the lock is caused by too many failed logon attempts, the account will be unlocked before a password reset.
  • If the lock is an administrative lock, the account will remain locked.
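
The lock handling the documentation describes, modelled as an added example (not Courion or SAP code) to show which resets would lift an administrative lock. The UFLAG bit values are those of SAP's USR02 table and are an assumption not taken from this post; `reset_is_safe` is a hypothetical pre-check and the sample accounts are constructed.

```python
# UFLAG bit values as stored in SAP table USR02 (assumed from SAP's data
# model; they are not given in the post).
LOCK_GLOBAL_ADMIN = 32    # global administrative lock
LOCK_LOCAL_ADMIN = 64     # local administrative lock
LOCK_FAILED_LOGONS = 128  # too many failed logon attempts
ADMIN_LOCKS = LOCK_GLOBAL_ADMIN | LOCK_LOCAL_ADMIN


def lock_types(uflag):
    """Decode a UFLAG value into the three lock types the documentation lists."""
    names = []
    if uflag & LOCK_FAILED_LOGONS:
        names.append("failed_logons")
    if uflag & LOCK_LOCAL_ADMIN:
        names.append("local_admin")
    if uflag & LOCK_GLOBAL_ADMIN:
        names.append("global_admin")
    return names


def uflag_after_reset(uflag, note_826050_applied, unlock_checkbox):
    """Model the documented connector behaviour; returns the resulting UFLAG."""
    if note_826050_applied:
        # Checkbox has no effect: only the failed-logon lock is cleared.
        return uflag & ~LOCK_FAILED_LOGONS
    if unlock_checkbox:
        # Unpatched system with the box checked: every lock type is cleared.
        return 0
    return uflag  # unpatched, unchecked: the user stays locked


def reset_is_safe(uflag, note_826050_applied, unlock_checkbox):
    """Hypothetical pre-check: refuse a reset that would lift an admin lock."""
    before = uflag & ADMIN_LOCKS
    after = uflag_after_reset(uflag, note_826050_applied, unlock_checkbox) & ADMIN_LOCKS
    return before == after


if __name__ == "__main__":
    # Constructed sample accounts: (user, UFLAG)
    samples = [("ALICE", 128), ("BOB", 64), ("CAROL", 192), ("DAVE", 32)]
    for user, flag in samples:
        print(user, lock_types(flag),
              "unpatched+checked safe:", reset_is_safe(flag, False, True),
              "patched safe:", reset_is_safe(flag, True, True))
```
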

Posted September 22, 2011 by mmdmurphy in Courion Tip
