
Password Self Service & End User Logon Configuration - AC10
GDay All,
Given the importance of Password Self Service and End User Logon, the numerous posts out here regarding their
configuration and problems, and my own interest in them, I began scouring all the blogs related to these two
topics, and the result is as follows. I hope this will help you to some extent in understanding and configuring
PSS and EUL.
As usual, please feel free to correct me if I have made any mistakes, or if you would like to add anything to this document.

Password Self Service


Password Self Service is a customizing activity that enables end users to reset their own passwords
in the back-end system. A user password is usually reset using transaction SU01. However, since that
transaction is not available to end users, and to keep admins from being bogged down by constant password
reset requests, a good alternative is to give end users the option to reset their passwords themselves,
thereby freeing up the admins for other tasks.
When an end user raises a request for a password reset, the application verifies the user based
on the information they maintained in their password self-service settings or against the global
PSS settings. Once the application verifies the user and the system, it resets the password
and sends an e-mail to the user's configured e-mail address. The password sent is a generic
password, which the user needs to change upon their login.
* All end users need to have a valid e-mail ID to receive the reset password link
Password Self Service Configuration

Connector Settings
Maintain Connector Settings: For each applicable system, tick the PSS System box
SPRO -> IMG -> GRC -> AC -> Maintain Connector Settings

Generated by Jive on 2014-12-30+01:00
Maintain Data Sources Configuration: Choose which system is checked for the User ID at login
SPRO -> IMG -> GRC -> AC -> Maintain Data Sources Configuration
User Authentication Data Sources: Pick a system (ECC, LDAP, HR etc.)
User Search Data Sources: Pick a system (ECC, LDAP, HR etc.)
User Detail Data Sources: Pick a system (ECC, LDAP, HR etc.)
End User Verification: Choose YES/NO for whether a password is required on the logon screen

Enabling End User Verification requires the end user to enter their password in order to log in.
However, if a user needs to request a new password (obviously because they forgot the current one), this is
a catch-22 situation, as pointed out by Colleen further down in the document (comments section).
Disabling End User Verification would rectify this problem; however, that raises a
security issue, where any user can log in using someone else's user ID, access their
home screen and raise requests etc. This isn't a huge problem, as the reset password would go to
the e-mail address registered against that user ID, but it can still be frowned upon and should
be discouraged.
A good compromise would be to disable End User Verification and activate Challenge
questions (covered further down in the document). Even this has one potential downside,
which is that if the end user hasn't registered their answers to the questions, then the
previous scenario comes into play again!!
So any suggestions from the seasoned community members here who have had to deal with this issue
would be very much appreciated!

* You can configure multiple data sources. Precedence is set by giving each a sequence number


Password Self Service Settings


Run transaction SPRO.
SPRO-> IMG -> Governance, Risk & Compliance -> Access Control -> User Provisioning -> Maintain
Password Self Service
On the left panel, under Dialog Structure, click PSS Global Configuration Values folder
Click New Entries button.
Under the PSS Global Configuration Values, enter the following:
Authentication Source = Challenge Response
When you select this option, the administrator configures the security questions and
the users register their answers. A user who creates a request to reset their password
must answer the questions as they registered them. The application only resets the
password if the user successfully answers all of the questions.
PSS Disable Verification =
None: Select this option if you want to keep PSS verification enabled.
Name Change Self Service: Select this option if you want to disable PSS verification when
the user only changes their name.
Password Self Service: Select this option if you want to disable PSS verification when the
user changes their password.
All: Select this option if you want to disable PSS verification in all situations. By choosing
'All', the user would not need to register questions, and the password reset process would
contain no step in which they have to answer a question or be challenged.


Number of Questions = 2 (minimum is 1)
Number of Attempts = 3 (For Example)
Click Save button.
On the left panel, click the Challenge Response Questions folder.
Click New Entries button.
In the Challenge Response Questions, enter a Question in the field provided.
Check the Active box.
Click Save.

* If you chose HR System as the authentication source, then maintain the PSS HR System settings.
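To make the settings above concrete, here is an added illustration (written for this document, not SAP's own code) of what a challenge-response verifier built on these values has to do: store registered answers only as salted hashes, accept a reset only when every one of the Number of Questions is answered correctly, lock the user out after Number of Attempts failures, and fail closed for a user who never registered answers (the catch-22 discussed under End User Verification). The 'All' option of PSS Disable Verification is modelled too, so its effect (no challenge at all) is visible next to the normal path. The PBKDF2 round count and the answer normalisation are assumptions; how SAP stores answers internally is not described on this page.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Values taken from this document's PSS Global Configuration Values.
NUMBER_OF_QUESTIONS = 2
NUMBER_OF_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000   # assumed; SAP's own answer storage is not described here


def normalize(answer):
    """Compare answers case- and whitespace-insensitively, so 'Sydney ' matches 'sydney'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    """Salted PBKDF2 of the normalised answer; plaintext answers are never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS)


class ChallengeResponseStore:
    """Models PSS challenge-response verification for the settings above."""

    def __init__(self, pss_disable_verification="None"):
        # 'None' keeps verification on; 'All' is the document's switch-it-off option.
        self.disable_verification = pss_disable_verification
        self._answers = {}     # user_id -> {question_id: (salt, hash)}
        self._failures = {}    # user_id -> consecutive failed attempts
        self.locked = set()    # users who exhausted Number of Attempts

    def register(self, user_id, answers):
        """answers: {question_id: plaintext}; at least NUMBER_OF_QUESTIONS are required."""
        if len(answers) < NUMBER_OF_QUESTIONS:
            raise ValueError("fewer answers than Number of Questions")
        stored = {}
        for qid, answer in answers.items():
            salt = secrets.token_bytes(16)
            stored[qid] = (salt, hash_answer(answer, salt))
        self._answers[user_id] = stored
        self._failures[user_id] = 0

    def verify(self, user_id, answers):
        """True only if verification is disabled for all, or every registered question is answered correctly."""
        if self.disable_verification == "All":
            return True                      # the weak setting: no challenge at all
        if user_id in self.locked:
            return False
        stored = self._answers.get(user_id)
        if stored is None:
            # Unregistered user (the catch-22 in the text): fail closed, do not reset.
            return False
        ok = True
        for qid, (salt, expected) in stored.items():
            given = answers.get(qid, "")
            if not hmac.compare_digest(hash_answer(given, salt), expected):
                ok = False                   # keep going: do not reveal which answer failed
        if ok:
            self._failures[user_id] = 0
            return True
        self._failures[user_id] += 1
        if self._failures[user_id] >= NUMBER_OF_ATTEMPTS:
            self.locked.add(user_id)
        return False
```

Note that a locked user is not silently unlocked by a later correct answer; in a real landscape that is where an administrator (or a separate verified channel) has to step in, which is exactly the workload PSS is meant to reduce, so the attempt limit should be set with that trade-off in mind.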

End User Logon


An employee within an organization regularly needs to raise various types of requests, such as an
access request for a new account or a change to an existing account, or to reset their own password.
End User Logon facilitates this by giving them access to their own Home Screen, where they can raise
the relevant requests.
In this instance, the end user needs access to raise a request to reset their own password. To
achieve that, they need authorization to access it, and the following steps need to be taken to
accomplish that.
End User Logon Configuration

User Maintenance
A shared user needs to be created, and the same user details must be maintained in the web services
(explained further down in the document).
Create a shared user in SU01
It should be of type 'Communication' with the following two roles:
SAP_GRAC_ACCESS_REQUESTER
SAP_GRAC_END_USER
A WF-Batch user needs to be created as well. The e-mail to the end user is sent from the e-mail address
configured against this user.
Create the WF-Batch user in SU01
It should be of type 'System'
You can configure the e-mail address as 'donotreply@something.something' so end users do
not respond to or e-mail this address directly.

* Shared user: has to exist in the GRC system

Activate End User Logon


Run Transaction SPRO
SPRO -> IMG -> GRC -> AC -> User Provisioning -> End User Login: ServiceName =
GRAC_UIBB_END_USERLOGIN, or enter transaction SICF
Under the Virtual Hosts/Services section, double-click GRAC_UIBB_END_USERLOGIN to open it
in edit mode.
The Create/Change a Service screen appears.

On the Logon Data tab, enter the shared user id, password (you created in SU01) and procedure
(Standard) -> Save

Repeat steps 1-3 for the following Web Services:


1. GRAC_GAF_PWD_SELFSERVICE_EU
2. GRAC_OIF_USER_REGISTER_EU
3. GRAC_OIF_MY_PROFILE_EU
4. GRAC_GAF_NAME_CHANGE_SERV_EU
5. GRAC_POWL_REQUEST_STATUS_EU
6. GRAC_GAF_ACCREQ_WITH_REQREF_EU
7. GRAC_OIF_REQUEST_SUBMISSION_EU
8. GRAC_GAF_ACCREQ_WITH_TEMPL_EU
9. GRAC_GAF_ACCREQ_WITH_USEREF_EU
Right-click GRAC_UIBB_END_USERLOGIN, and then choose Test Service -> Logon Screen in web
browser.

* Only the first 3 services might suffice if you are enabling just PSS; however, I've had some
problems (covered in the 'Errors' section), and enabling all 10 seems to address those issues, so if
you encounter any problems you might give this a go!!

If you would like to hide certain objects, you can do so by appending the following to the end of the
web address in the browser's URL bar and pressing Enter.
&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/123
The following screen shows up. If you see 'Adapt Configuration' in the top right-hand
corner, you are in config mode.

Enter your username and password, and log onto the system.
The End User Home screen appears.

To make a link invisible, right-click the link and select Settings for Current Configuration.
Select Invisible, save the entry, and then close the browser.
The link is no longer available to end users. This applies to all end users.

User Access
You need to give the end user the URL, user ID and password so they can use those credentials
to log in and raise a request. Once they log in, they can raise a request to reset their password. If the
request is successful, the system sends them an e-mail with a temporary password, which they need to change
upon login. The password is system-generated. The e-mail received by the user looks
something like this:

You can customize the generated password by executing:
TCode: SM30
Table: PRGN_CUST -> Maintain -> New Entries -> add the following names with the corresponding
values you are after, and Save.
GEN_PSW_MAX_LENGTH
GEN_PSW_MAX_LETTERS
GEN_PSW_MAX_DIGITS
GEN_PSW_MAX_SPECIALS

End result is as follows with the following customized values:
GEN_PSW_MAX_LENGTH: 10
GEN_PSW_MAX_LETTERS: 5
GEN_PSW_MAX_DIGITS: 3
GEN_PSW_MAX_SPECIALS: 2
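As an added illustration (not SAP's generator, whose internals this page does not describe), the following code shows what the four PRGN_CUST limits mean in practice: with the values 10/5/3/2 above, a temporary password is 10 characters long and contains at most 5 letters, 3 digits and 2 specials. The checker can be used to sanity-test e-mails received during a PSS rollout against the configured limits; the generator draws from a CSPRNG so that the temporary password itself is unpredictable. The special-character set is an assumption.

```python
import secrets
import string
from random import SystemRandom

# Constructed PRGN_CUST-style settings using the values from this document;
# the generator itself is an illustration, not SAP's own routine.
PRGN_CUST = {
    "GEN_PSW_MAX_LENGTH": 10,
    "GEN_PSW_MAX_LETTERS": 5,
    "GEN_PSW_MAX_DIGITS": 3,
    "GEN_PSW_MAX_SPECIALS": 2,
}

LETTERS = string.ascii_letters
DIGITS = string.digits
SPECIALS = "!#$%&*+-_?"          # assumed special-character set


def class_counts(password):
    """Count characters per class; 'other' catches anything outside the three classes."""
    counts = {"letters": 0, "digits": 0, "specials": 0, "other": 0}
    for ch in password:
        if ch in LETTERS:
            counts["letters"] += 1
        elif ch in DIGITS:
            counts["digits"] += 1
        elif ch in SPECIALS:
            counts["specials"] += 1
        else:
            counts["other"] += 1
    return counts


def check_password(password, cfg=PRGN_CUST):
    """True if the password stays within every GEN_PSW_MAX_* limit."""
    c = class_counts(password)
    return (
        len(password) <= cfg["GEN_PSW_MAX_LENGTH"]
        and c["letters"] <= cfg["GEN_PSW_MAX_LETTERS"]
        and c["digits"] <= cfg["GEN_PSW_MAX_DIGITS"]
        and c["specials"] <= cfg["GEN_PSW_MAX_SPECIALS"]
        and c["other"] == 0
    )


def generate_password(cfg=PRGN_CUST):
    """Fill GEN_PSW_MAX_LENGTH positions class by class without exceeding any class
    maximum, then shuffle with a CSPRNG so the class positions are not predictable."""
    length = cfg["GEN_PSW_MAX_LENGTH"]
    n_letters = min(cfg["GEN_PSW_MAX_LETTERS"], length)
    n_digits = min(cfg["GEN_PSW_MAX_DIGITS"], length - n_letters)
    n_specials = min(cfg["GEN_PSW_MAX_SPECIALS"], length - n_letters - n_digits)
    if n_letters + n_digits + n_specials < length:
        # e.g. maxima 2/2/2 with length 10: the limits cannot fill the password
        raise ValueError("class maxima cannot fill GEN_PSW_MAX_LENGTH")
    chars = (
        [secrets.choice(LETTERS) for _ in range(n_letters)]
        + [secrets.choice(DIGITS) for _ in range(n_digits)]
        + [secrets.choice(SPECIALS) for _ in range(n_specials)]
    )
    SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, class_counts(pw), check_password(pw))
```

With the document's values the three class maxima add up to exactly the maximum length, so every generated password uses each class at its limit; if you lower one maximum without lowering the length, the generator refuses rather than silently producing a shorter or out-of-policy password.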

Errors

End User Logon Screen


Sometimes the NWBC logon screen shows up instead of the EU logon screen!
Maintain all 10 web services and ensure the Logon Data details (User ID, Password) are exactly the
same in SICF!!

Re-login Screen
When the user clicks on one of the services in the Home Screen, it asks for username and password again!
Again, same solution as above!!

Systems not showing up


When the user clicks on the Add button to add a system in a PSS request, no systems are available!
This could be a problem with connectors not being defined properly in Maintain Connector Settings, or
PSS not being enabled against that connector.
Try giving the shared user 'SAP_ALL' authorization. This seems to do the trick sometimes;
however, I am not sure if this is the right approach.
For best practices, pitfalls to avoid and things to consider while enabling PSS, please refer to the following
document put together by Col and Ale. Thanks guys!!
Design Considerations to reduce Password Self Service (PSS) Intruder Risk
Regards,
Leo..
