Parameter

Meaning

login/min_password_lng

Defines the minimum length of the password.

Default value: 6; permissible values: 3 40
Until SAP NetWeaver 6.40 (inclusive), up to 8 characters.

login/min_password_digits

Defines the minimum number of digits (0-9) in passwords.

Default value: 0; permissible values: 0 40
Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40
(inclusive), up to 8 characters.)

login/min_password_letters

Defines the minimum number of letters (A-Z) in passwords.

Default value: 0; permissible values: 0 40
Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40
(inclusive), up to 8 characters.)

login/min_password_lowercase Specifies how many characters in lower-case letters a password

must contain. Permissible values: 0 40; default value 0
Available after SAP NetWeaver 6.40
login/min_password_uppercase Specifies how many characters in upper-case letters a password
must contain. Permissible values: 0 40; default value 0
Available after SAP NetWeaver 6.40
login/min_password_specials

Defines the minimum number of special characters in the

password Permissible special characters are, in particular, !"@ $
%&/()=?'`*+~#-_.,;:{[]}\<>| and space and the grave accent.
After SAP NetWeaver 6.40, all characters that are not letters or
digits are regarded as special characters.
Default value: 0; permissible values: 0 40
Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40
(inclusive), up to 8 characters.)

login/password_charset

This parameter defines the characters of which a password can

consist.
Permissible values:
0 (restrictive): The password can only consist of digits, letters, and the
following (ASCII) special characters: !"@ $%&/()=?*+~#-_.,;:{[]}\<> and space
and the grave accent.

 1 (backward compatible, default value): The password can consist of any

characters including national special characters (such as , , from ISO
Latin-1, 8859-1). However, all characters that are not contained in the set
above (for value = 0) are mapped to the same special character, and the
system therefore does not differentiate between them.
2 (not backward compatible): The password can consist of any characters. It
is converted internally into the Unicode format UTF-8. If your system does not
support Unicode, you may not be able to enter all characters on the logon
screen. This restriction is limited by the codepage specified by the system
language.

With login/password_charset = 2, passwords are stored in a

format that systems with older kernels cannot interpret. You must
therefore only set the profile parameter to the value 2 after you
have ensured that all systems involved support the new password
coding.
Available in the standard system as of SAP Web AS 6.40.
Password Logon
login/password_compliance_to_current_policy Permissible values: 0 no check; 1 the system
checks during password logon whether the current
password complies with the current password
rules and forces a password change if this is not
the case.
Default value: 0
Available after SAP NetWeaver 6.40
login/disable_password_logon

Controls the deactivation of password-based

logon
This means that the user can no longer log on
using a password, but only with Single Sign-On
variants (X.509 certificate, logon ticket). More
information: Logon Data Tab Page
Available as of SAP Web AS 6.10, as of SAP

Basis 4.6 by Support Package

login/password_logon_usergroup

Controls the deactivation of password-based

logon for user groups
Available as of SAP Web AS 6.10, as of SAP
Basis 4.6 by Support Package

login/password_max_idle_productive

Specifies the maximum period for which a

productive password (a password chosen by the
user) remains valid if it is not used. After this
period has expired, the password can no longer be
used for authentication. The user administrator
can reactivate password-based logon by assigning
a new initial password.
Permissible values: 0 24,000 (unit: days);
Default value 0, that is, the check is deactivated
Available after SAP NetWeaver 6.40

login/password_max_idle_initial

Specifies the maximum period for which an initial

password (a password chosen by the
administrator) remains valid if it is not used. After
this period has expired, the password can no
longer be used for authentication. The user
administrator can reactivate password-based
logon by assigning a new initial password.
This parameter replaces the profile parameters
login/password_max_new_valid and
login/password_max_reset_valid.
Permissible values: 0 24,000 (unit: days);
Default value 0, that is, the check is deactivated
Available after SAP NetWeaver 6.40

login/password_max_new_valid

Defines the validity period of passwords for

newly created users.
Only available in SAP Web Application Server

6.20 and 6.40.

login/password_max_reset_valid

Defines the validity period of reset passwords.

Only available in SAP Web Application Server
6.20 and 6.40.

Password Changes
login/min_password_diff

Defines the minimum number of characters that must be

different in the new password compared to the old password.
Default value: 1; permissible values: 1 40
Available as of SAP Web AS 6.10 (Until SAP NetWeaver 6.40
(inclusive), up to 8 characters.)

login/password_expiration_time Defines the validity period of passwords in days.

Default value: 0; permissible values: 0 1000
login/password_change_for_SSO If the user logs on with Single Sign-On, checks whether the
user must change his or her password.
Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by
Support Package
login/password_history_size

Specifies the number of passwords (chosen by the user, not the

administrator) that the system stores and that the user cannot
use again.
Permissible values: 1 100 (unit: number of entries); default
value 5
Available after SAP NetWeaver 6.40

login/password_change_waittime Specifies the number of days that a user must wait before
changing the password again.
Permissible values: 1 1,000 (unit: days); default value 1
Available after SAP NetWeaver 6.40
Other Password Profile Parameters
login/password_downwards_compatibility Specifies the degree of backward compatibility to be
achieved. The default value is 1, where the values

have the following meaning:

0

With login/password_downwards_compatibility = 0,
passwords are stored in a format that systems with
older kernels cannot interpret. The system only
generates new (backward incompatible) password
hash values.
1
The system also generates backward compatible
password hash values internally, but does not evaluate
these for password-based logons (to its own system).
This setting is required if this system is used as the
central system of a Central User Administration that
systems that only support backward compatible
password hash values are also connected to the system
group.
2
The system also generates backward compatible
password hash values internally, which it evaluates if a
logon with the new, non-backward compatible
password failed. In this way, the system checks
whether the logon would have been accepted with the
backward compatible password (truncated after eight
characters, and converted to upper-case). This is
recorded in the system log. The logon fails. This
setting is to allow the identification of backward
incompatibility problems.
3
As with 2, but the logon is regarded as successful.
This setting is to allow the avoidance of backward

incompatibility problems.
4
As with 3, but no entry is created in the system log.
5
Full backward compatibility: the system only creates
backward compatible password hash values.
Available after SAP NetWeaver 6.40
Multiple Logon
Parameter

Meaning

login/disable_multi_gui_login

Controls the deactivation of multiple dialog logons

Available as of SAP Basis 4.6

login/multi_login_users

List of excepted users (multiple logon)

Available as of SAP Basis 4.6

Incorrect Logon
Parameter

Meaning

login/fails_to_session_end

Defines the number of unsuccessful logon attempts before the

system does not allow any more logon attempts. The parameter is
to be set to a value lower than the value of parameter
login/fails_to_user_lock.
Default value: 3; permissible values: 1 -99

login/fails_to_user_lock

Defines the number of unsuccessful logon attempts before the

system locks the user.
Default value: 5; permissible values: 1 -99

login/failed_user_auto_unlock Defines whether user locks due to unsuccessful logon attempts

should be automatically removed at midnight.
Default value: 0 (locks due to incorrect logon attempts remain in
force for an unlimited period); permissible values: 0, 1
SSO Logon Ticket
Parameter

Meaning

login/accept_sso2_ticket

Allows or locks the logon using SSO ticket.

Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support

Package
login/create_sso2_ticket

Allows the creation of SSO tickets.

Available as of SAP Basis 4.6D

login/ticket_expiration_time Defines the validity period of an SSO ticket.

Default value: 8; Unit: hours
Available as of SAP Basis 4.6D
login/ticket_only_by_https The logon ticket is only transferred using HTTP(S).
Available as of SAP Basis 4.6D
login/ticket_only_to_host

When logging on over HTTP(S), sends the ticket only to the server
that created the ticket.
Available as of SAP Basis 4.6D

Other Login Parameters

Parameter

Meaning

login/disable_cpic

Refuse inbound connections of type CPIC

login/no_automatic_user_sapstar Controls the emergency user SAP* (SAP Notes 2383 and
68048)
Default value: 1, that is, the emergency user must be explicitly
activated
Permissible values: 0, 1
login/system_client

Specifies the default client. This client is automatically filled in

on the system logon screen. Users can type in a different client.

login/update_logon_timestamp

Specifies the exactness of the logon timestamp.

Available as of SAP Basis 4.6

Other User Parameters

Parameter

Meaning

rdisp/gui_auto_logout Defines the maximum idle time for a user in seconds (applies only for SAP
GUI connections).
Default value: 0 (no restriction); permissible values: any numerical value