SAP Security Tutorials: Profile Parameters for Logon

To make the parameters globally effective in an SAP System (system profile parameters), set them in the default system profile DEFAULT.PFL. However, to make them instance-specific, you must set them in the profiles of each application server in your SAP System.
To display the documentation for one of the parameters, choose Tools >> CCMS>> Configuration >> Profile Maintenance (transaction RZ10), specify the parameter name and choose Display.
Password Checks

Parameters	Explanation
login/min_password_lng	Defines the minimum length of the password. Default value: 3; permissible values: 3 – 8
login/min_password_digits	Defines the minimum number of digits (0-9) in passwords. Default value: 0; permissible values: 0 – 8 Available as of SAP Web AS 6.10
login/min_password_letters	Defines the minimum number of letters (A-Z) in passwords. Default value: 0; permissible values: 0 – 8 Available as of SAP Web AS 6.10
login/min_password_specials	Defines the minimum number of special characters in the password Permissible special characters are ()!\"@ $%&/()=?'`*+~#-_.,;:{[]}\\<> Default value: 0; permissible values: 0 – 8 Available as of SAP Web AS 6.10
login/min_password_diff	Defines the minimum number of characters that must be different in the new password compared to the old password. Default value: 1; permissible values: 1 – 8 Available as of SAP Web AS 6.10
login/password_expiration_time	Defines the validity period of passwords in days. Default value: 0; permissible values: any numerical value
login/password_change_for_SSO	If the user logs on with Single Sign-On, checks whether the user must change his or her password. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/disable_password_logon	Controls the deactivation of password-based logon Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/password_logon_usergroup	Controls the deactivation of password-based logon for user groups Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

Multiple Logon

Parameters	Explanation
login/disable_multi_gui_login	Controls the deactivation of multiple dialog logons Available as of SAP Basis 4.6
login/multi_login_users	List of excepted users (multiple logon) Available as of SAP Basis 4.6

Incorrect Logon

Parameters	Explanation
login/fails_to_session_end	Defines the number of unsuccessful logon attempts before the system does not allow any more logon attempts. The parameter is to be set to a value lower than the value of parameter login/fails_to_user_lock. Default value: 3; permissible values: 1 -99
login/fails_to_user_lock	Defines the number of unsuccessful logon attempts before the system locks the user. By default, the lock applies until midnight. Default value: 12; permissible values: 1 -99
login/failed_user_auto_unlock	Defines whether user locks due to unsuccessful logon attempts should be automatically removed at midnight. Default value: 1 (Lock applies only on same day); permissible values: 0, 1

Initial Password: Limited Validity

Parameters	Explanation
login/password_max_new_valid	Defines the validity period of passwords for newly created users. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package
login/password_max_reset_valid	Defines the validity period of reset passwords. Available as of SAP Web AS 6.10, as of SAP Basis 4.6 by Support Package

SSO Logon Ticket

Parameters	Explanation
login/accept_sso2_ticket	Allows or locks the logon using SSO ticket. Available as of SAP Basis 4.6D, as of SAP Basis 4.0 by Support Package
login/create_sso2_ticket	Allows the creation of SSO tickets. Available as of SAP Basis 4.6D
login/ticket_expiration_time	Defines the validity period of an SSO ticket. Available as of SAP Basis 4.6D
login/ticket_only_by_https	The logon ticket is only transferred using HTTP(S). Available as of SAP Basis 4.6D
login/ticket_only_to_host	When logging on over HTTP(S), sends the ticket only to the server that created the ticket. Available as of SAP Basis 4.6D

Other Login Parameters:

Parameters	Explanation
login/disable_cpic	Refuse incoming connections of type CPIC
login/no_automatic_user_sapstar	Controls the emergency user SAP* (SAP Notes 2383 and 68048)
login/system_client	Specifies the default client. This client is automatically filled in on the system logon screen. Users can type in a different client.
login/update_logon_timestamp	Specifies the exactness of the logon timestamp. Available as of SAP Basis 4.6

Other User Parameters

Parameters	Explanation
rdisp/gui_auto_logout	Defines the maximum idle time for a user in seconds (applies only for SAP GUI connections). Default value: 0 (no restriction); permissible values: any numerical value