SAP Convergent Charging 5.

0
CONFIGURATION GUIDE | PUBLIC
Document Version: : 1.0 – 2019-09-09

Users Management
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
Content

1 Document History .................................................................................................................................................. 3

2 Users Management ................................................................................................................................................ 4

2.1 Isolating Service Users from Individual Users............................................................................................................... 4
2.2 Password Management Policy ....................................................................................................................................... 5
2.3 Managing User Sessions Within User Interfaces .......................................................................................................... 8
2.4 Creating Users ................................................................................................................................................................. 9
2.5 Resetting the Emergency User ....................................................................................................................................... 9

Users Management - v1.0

2 PUBLIC Content
1 Document History

The following table provides an overview of the most important document changes.

Version Date Description

1.0 2019-09-09 First maintenance version.

Users Management - v1.0

Document History PUBLIC 3
2 Users Management

Keywords

User, password, security policy, user isolation, user session, concurrent edition, role, right

Preliminary Notes

For further information, refer to the following SAP CC documentations:

• User Administration and Authentication section of the SAP CC Security Guide documentation

• User Session Management section of the SAP CC Application Help documentation

• Launching Admin+ and Launching Core Tool sections of the SAP CC Installation Guide documentation

• Security Management Settings and System: User Management Settings groups in the SAP CC System
Parameters Reference documentation

• Users section of the SAP CC Core Tool documentation

• list_clients, disconnect_client, purge_object_change_logs and purge_user_operations commands of the SAP CC

Admin+ User Interface documentation

Description

SAP Convergent Charging provides proprietary mechanisms to manage users and associated concepts such as
password policy, user roles, working sessions, and so on. You can use the following procedures to configure the
management of users within your SAP CC landscape and thus fit your specific needs:

• Isolating Service Users from Individual Users

• Password Management Policy

• Managing User Sessions Within User Interfaces

• Creating Users

• Resetting the Emergency User

2.1 Isolating Service Users from Individual Users

SAP Convergent Charging defines 2 types of users:

• Individual users, whose passwords are encrypted and must be regularly changed

• Service users, whose passwords are less secured (for performance reasons) and never expire

SAP CC 5.0 gives the possibility to specify whether service users must be isolated from individual users, or not. This
function named User Isolation modifies the access rights that are associated to the security profiles of the SAP CC
users.

When the User Isolation is enabled:

Users Management - v1.0

4 PUBLIC Isolating Service Users from Individual Users
• Only service users can use the operations provided by the Web Services (WS) and the Message TCP technical
interfaces

• Only individual users can use the SAP CC user interfaces and the operations provided by the HTTP
Communication Interface (HCI) technical interface

When the User Isolation is disabled, service users and individual users can use the SAP CC user interfaces as well as
the operations provided by the HTTP Communication Interface (HCI) , the Web Services (WS) , and the Message TCP
technical interfaces of SAP Convergent Charging.

Notes
• The User Isolation function is enabled by default at the time of installation.

• The User Isolation function is checked before checking roles and authorizations

To enabled or disable the User Isolation, modify the USER_ISOLATION_ENABLED system parameter for the Updater
instances of the Core Server system.

2.2 Password Management Policy

Every user defined in your SAP CC landscape is protected by a password. The Password Management Policy allows you
to configure password policy to fit specific needs.

To enabled or disable the Password Management Policy, modify the PASSWORD_MANAGEMENT_ENABLED system
parameter for the Updater instances of the Core Server system.

It is possible to define several policy options to be taken into account when the Password Management Policy is
enabled:

Policy option Description

Mandatory Determines whether passwords are mandatory or not.

Caution
This option is always enabled, and cannot be modified

Different from login Determines whether passwords must be different from login.

Caution
This option is always enabled, and cannot be modified

Minimum length The PASSWORD_MANAGEMENT_MINIMUM_LENGTH system parameter defines the

minimum length a password must have.

Note
If the value of this parameter is 0, there is no mandatory minimum length for the
passwords.

Complexity The PASSWORD_MANAGEMENT_COMPLEXITY defines the password complexity rules.

It consists in a list of types of characters that must be present at least once in the
passwords.

Users Management - v1.0

Password Management Policy PUBLIC 5
 Policy option Description
The possible values are (they must be separated by commas):

• uppercase: capital letters (from A to Z ).

• lowercase: small letters (from a to z ).

• digit: digits (from 0 to 9 ).

• special: special characters, including accented characters.

Note
If the value of this parameter is empty or malformed, there are no complexity rules
for the passwords.

Maximum duration The PASSWORD_MANAGEMENT_EXPIRATION_DELAY system parameter specifies the

number of days before the password of an SAP CC individual user expires.

This period begins when the password is modified by an SAP CC user. When the
password expires, the only allowed operation is the modification of the password.

Note
If the value of this parameter is set to 0, passwords never expire.

Maximum idle duration The PASSWORD_MANAGEMENT_MAX_IDLE_DELAY system parameter defines the

number of days from which a user who has not logged in the system is locked.

Note
If the value of this parameter is set to 0, users are never locked if they did not log in
the system after an extended period.

Reuse cycle The PASSWORD_MANAGEMENT_REUSE_CYCLE system parameter defines the

number of password modifications that must occur before a user can reuse a password
he used in the past.

Note
If the value of this parameter is set to 0, there is no limit to the reuse of passwords.

Reuse delay The PASSWORD_MANAGEMENT_REUSE_DELAY system parameter defines the

number of days before an SAP CC user can reuse a password he used in the past.

Note
If the value of this parameter is set to 0, the reuse of passwords is not limited.

Modification interval The PASSWORD_MANAGEMENT_CHANGE_DELAY system parameter defines the

number of days between two password modifications by an SAP CC user.

Users Management - v1.0

6 PUBLIC Password Management Policy
 Policy option Description

Note
If the value of this parameter is set to 0, the frequency of password modifications is
not limited.

Failed login attempts The PASSWORD_MANAGEMENT_FAIL_LIMIT system parameter defines the number of
successive failed logon attempts before a user account is locked. When an account is
locked, no operations are allowed until the account is unlocked.

Note
If the value of this parameter is set to 0, the number of failed logon attempts is not
limited.

SHA-256 hash rounds The PASSWORD_HASH_ROUNDS_FOR_INDIVIDUAL_USERS system parameters

defines the number of rounds of SHA-256 for hashing the password of an individual
user. This has a direct impact on performance, as password hashing is done for each
call to CC through Web Services or CC internal API.

Note
• Generally, individual users choose passwords they can easily remember, and
thus the hash of their password is more vulnerable to attacks based on
dictionary. Also, an individual user can stand with a supplementary latency of
4-8 milliseconds, as such a delay cannot be perceived. It is thus recommended
to set this parameter to 10,000 rounds (*) for individual users.
(*) For 1000 rounds, the latency is expected to increase of 1 ms approximately.

• When this parameter is modified, the new value is taken into account when a
new user is created and when an existing user modifies his/her password. The
number of hash rounds is not immediately modified for existing users.

The PASSWORD_HASH_ROUNDS_FOR_SERVICE_USERS system parameter defines

the number of rounds of SHA-256 for hashing the password of a service user of SAP
Convergent Charging. It has a direct impact on performance, as password hashing is
done for each call to CC through Web Services or CC internal API.

Note
• The password for a service user does not need to be remembered, as it is
stored in a system. So it can be far stronger than a password for an individual
user. As a result, it is possible to reduce the number of hash rounds with
limited impact to security and get better performances. It is thus
recommended to set this parameter to 100 rounds (*) for service users.
(*) 100 rounds has a negligible impact on performance.

• When this parameter is modified, the new value is taken into account when a
new user is created and when an existing user modifies his/her password. The
number of hash rounds is not immediately modified for existing users.

To configure the Password Management Policy, define the policy options through the corresponding system
parameters for the Updater instances of the Core Server system.

Users Management - v1.0

Password Management Policy PUBLIC 7
2.3 Managing User Sessions Within User Interfaces

User Session Management and Concurrent Edition Management feature give the possibility to control working sessions
within the SAP CC User Interfaces in terms of:

• Concurrent edition within the Core Tool, used to prevent multiple users working on the same master data

• Multiple accesses to a given user interface by a given individual user

• Security regarding inactivity between the user interface and the Core Server

To enable or disable the User Session Management and Concurrent Edition Management, execute the following
procedure:

1. For the Updater instances of the Core Server system, modify the USER_SESSION_ENABLED system parameter.
2. Restart the Updater instances of the Core Server system

It is possible to define several policy options when the User Session Management and Concurrent Edition Management
are enabled:

Policy option Description

Simultaneous The USER_SESSION_SESSION_LIMIT_PER_USER_AND_TOOL system parameter defines the

connections maximum number of opened sessions per SAP CC user and per user interface (SAP CC tool,
other application).

Note
If the value of this parameter is 0 , an SAP CC user can open as many sessions as he/she
wants on SAP CC Core Tool and SAP CC BART Tool.

Inactivity period The USER_SESSION_VALIDITY_PERIOD system parameter defines the maximum period
during which an SAP CC user can leave a session inactive without being disconnected from SAP
CC Core Tool and SAP CC BART Tool.

Note
If this parameter is set to 0 , user sessions never expire.

Caution
The objects being edited in the SAP CC Core Tool user interface are not protected against
concurrent edition any longer when the session expires. SAP recommends that you increase
the value of this parameter if SAP CC users need to work on the same objects without saving
them for a long time.

Note
In case of user session failure, you can use the search_user_session and the delete_user_session command of the
Admin+ user interface.

When a session is deleted, the objects opened in “edition” mode during this user session are released and can be
modified within another session.

To configure the User Session Management and Concurrent Edition Management, execute the following procedure:

1. Define the policy options through the corresponding system parameters for the Updater instances of the Core
Server system.

Users Management - v1.0

8 PUBLIC Managing User Sessions Within User Interfaces
2. Restart the Updater instances of the Core Server system

2.4 Creating Users

Both individual users and service users defined in SAP Convergent Charging are:

• Protected by a password that respects a security policy you can configure to fit specific needs.

Note
For further information refer to the Password Management Policy dedicated section.

• Assigned to roles that represent access rights to sets of master data domains

To create users within your SAP Convergent Charging landscape, execute the following procedure:

1. Launch the Core Tool user interface and identify as the administrator of the Core Server system or as a user
granted the User Administrator role
2. Create the relevant users, assigning them the adequate roles

Note
For further information about SAP CC Users creation, refer to the Working with SAP CC Users section available in
the Core Tool user interface documentation.

2.5 Resetting the Emergency User

In case you created users in an incorrect way that avoids you to log on to any SAP CC user interface, you can reset the
emergency user. This user corresponds to the first super administrator user created at installation time, with whom you
will be able to log on again and perform adequate modifications.

Note
For further information refer to SAP Note 1890952.

Users Management - v1.0

Resetting the Emergency User PUBLIC 9
Important Disclaimers and Legal Information

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause
unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these
components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be
modified altered in any way.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means
that experimental features may be changed by SAP at any time for any reason without notice. Experimental features
are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the experimental
features in a live operating environment or with data that has not been sufficiently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the
future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that intellectual
property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only
intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the correctness and
completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example code
unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language

We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may
use masculine word forms to refer to all genders.

Users Management - v1.0

10 PUBLIC Important Disclaimers and Legal Information
www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.