SAP User Unlock and Password Reset Automation
Unlocking users who have been locked out after repeated incorrect login attempts, and resetting their passwords, can consume time and resources for customers and their help desk and security teams, who also have to validate and verify user identities manually. Furthermore, the loss of productivity while waiting for password resets can stop critical business processes.
IT-Conductor can automate this service desk function, enabling self-service password resets and user unlocking based on the customer's security policy. Depending on the customer's requirements, the reset password can be sent directly to the end user, a designated distribution list, or a specified group as needed.
The identification of locked SAP users is based on monitoring CCMS Alerts. The override targets specific CCMS alerts and uses alert user details for further processing. The overrides can have different recovery actions depending on the customer’s scenario.
The automation runs as an auto-recovery action triggered by a CCMS alert (User Locked due to consecutive failed login attempts). It dynamically generates a unique password for the user, unlocks the user, retrieves the user's email and full name, and sends an email to the user with the new temporary password.
The SAP user details are first pulled from SAP. Based on the role type and user status, the password is reset to a randomly generated character string, and then the user is unlocked. The notification with the new password can be sent to a specified email address, such as that of the end user or an SAP administrator.
Several scenarios are supported, such as creating a filter to identify users for whom this should apply, setting up multiple monitors based on UserID groups, and defining separate thresholds for various user requirements. This includes the ability to identify a particular lock type that differentiates between when a user was locked by the System Admin, incorrect password entry, and enforcement of the validity period.
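The lock-type and user-group filtering described above can be expressed as a gate that runs before any reset. The following is an added example, not IT-Conductor's own code: the record layout, group names, password length and character set are assumptions, while the lock bits are the standard values of the SAP `USR02-UFLAG` field.

```python
import secrets
import string
from datetime import date

# Standard SAP USR02-UFLAG lock bits
LOCK_GLOBAL_ADMIN = 32   # locked centrally by an administrator
LOCK_LOCAL_ADMIN = 64    # locked locally by an administrator
LOCK_FAILED_LOGON = 128  # locked after too many incorrect passwords

def unlock_decision(user, allowed_groups, today):
    """Return (eligible, reason) for one user record (hypothetical dict layout)."""
    uflag = user["uflag"]
    if uflag & (LOCK_GLOBAL_ADMIN | LOCK_LOCAL_ADMIN):
        return False, "administrator lock"       # never undo a deliberate lock
    if not uflag & LOCK_FAILED_LOGON:
        return False, "not locked by failed logons"
    if user["valid_to"] is not None and user["valid_to"] < today:
        return False, "validity period expired"
    if user["group"] not in allowed_groups:
        return False, "user group not in scope"
    if not user.get("email"):
        return False, "no e-mail in master record"  # nowhere to send the password
    return True, "failed-logon lock only"

def temp_password(length=14):
    """Temporary password from the OS CSPRNG with one character of each class."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!#$%&*+-?"]
    chars = [secrets.choice(c) for c in classes]
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

# Constructed sample records and scope, for illustration only
TODAY = date(2024, 1, 15)
ALLOWED_GROUPS = {"SALES", "FINANCE"}
SAMPLE_USERS = [
    {"id": "JDOE", "uflag": 128, "valid_to": None, "group": "SALES", "email": "jdoe@example.com"},
    {"id": "ASMITH", "uflag": 192, "valid_to": None, "group": "SALES", "email": "asmith@example.com"},
    {"id": "BLEE", "uflag": 128, "valid_to": date(2023, 12, 31), "group": "FINANCE", "email": "blee@example.com"},
    {"id": "BATCH01", "uflag": 128, "valid_to": None, "group": "SERVICE", "email": ""},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["id"], unlock_decision(u, ALLOWED_GROUPS, TODAY))
```

A user with `UFLAG` 192 carries both the administrator bit and the failed-logon bit, so the gate rejects it even though the failed-logon alert would have fired.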
1. Add system to IT-Conductor for monitoring and automation.
2. Create SAP user with Admin rights.
3. Add an e-mail address in the master record for all users.
7. Create Process definition(s) based on the customer’s workflow process.
8. Configure recovery action using the defined override and process definition.
After several failed attempts to log into SAP, a user eventually gets locked.
Figure 1: Locked SAP User Due to Consecutive Failed Attempts
After a few minutes, a CCMS alert will be generated in IT-Conductor, and the user will get notified that they have been locked out due to a failed login attempt.
Figure 2: Generated CCMS alert in IT-Conductor
Once the locked user is detected, the IT-Conductor Process definition is triggered as a recovery activity to reset the user’s password and notify them of their new temporary password.
Figure 3: Triggered Alerts in IT-Conductor
Figure 4: Password Reset Recovery Action
Figure 5 is an example of a triggered Process Definition for the User Password Reset Automation scenario.
Figure 5: User Password Reset Automation Process Definition
Figure 6 is an example of an e-mail notifying users of their new temporary password.
Figure 6: Email Notifying the User of the New Temporary Password
Figure 7: SAP Screen to Enter New Password
Figure 8: SAP Login Password Successfully Changed
A customized dashboard can be deployed to provide an overview of the unlocked users per system within a particular time interval. It also includes some administrative tools, such as the restart activity button and the activity log, which shows whether the activity was successful or not. Last but not least, these password reset activities can be a source for security audit reports generated by IT-Conductor for compliance and audit purposes.
Figure 9: SAP Automated User Unlock Dashboard in IT-Conductor