SAP Knowledge Base Article - Public

2931642 - SAP SuccessFactors Employee Central: Default Password Generation

Symptom

As a part of our commitment to security, during the weekend of June 19, 2020, a universal update will modify how default passwords are generated within SAP SuccessFactors HXM Suite Employee Central. Specifically, we will remove default password generation options ‘Same as User Name’ and ‘Same as User ID’.

Images/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

  • SAP SuccessFactors HXM Suite
  • SAP SuccessFactors Employee Central

Resolution

We are modifying how default passwords are generated during the following Employee Central processes:

  • Hire via the UI using:
    • Add New Employee
    • Add New Employee for Fixed Term
    • Add Contingent Worker
    • Add Onboardee (Onboarding 2.0)
    • Manage Pending Hires
    • Rehire with New Employee
  • Hire via Imports (Employee Data Imports)

Prior to the patch on June 19th, administrators could select between the following options within Company System and Logo Settings:

[Screenshot: 3-Options.png]

After the patch, the "Same as User Name" or "Same as User ID" options will no longer be selectable (options are greyed out as shown below):

[Screenshot: NewOptions.png]

Important Note: While it will not be possible after June 19th to select the options "Same as User Name" or "Same as User ID" as the default password, if one of these options was set prior to June 19th, customers will have 3 months before these insecure options are fully deprecated. During this time, we strongly suggest that customers update their default password generation method to 'Random Password'. If no action is taken, the system will default to the 'Random Password' option after 3 months. SuccessFactors will provide at least 30 days' notice prior to this automated change.

For customers who have already selected the "Random Password" option, there will be no impact. Customers that have already selected "Same as User Name" or "Same as User ID" as the preferred method for generating passwords for new users should refer to the following sections to review the upcoming changes:

Please Note: For migration and API guidance, please refer to the Platform KBA: 2932190 - Changes to Default Password Generation in BizX Users

 

Hire via the UI

As a part of our commitment to improving security, we are modifying how default passwords are generated during the following processes via the Hire UI:

  • Add New Employee
  • Add New Employee for Fixed Term
  • Add Contingent Worker
  • Add Onboardee (Onboarding 2.0)
  • Manage Pending Hires
  • Rehire with New Employee

As stated above, the Employee Central settings in Admin Center -> Company System and Logo Settings will be impacted. Customers will no longer have the option to select "Same as User Name" or "Same as User ID" to generate passwords for new users in Employee Central. We suggest that customers currently using these options adjust this setting to the 'Random Password' option.

Important Note: To ensure that the randomly generated password is communicated by email to the new hire, we recommend maintaining an email address during the hire process, so that the system can inform the new hire of the login details.

Also be sure to validate the email configuration for the welcome message. Configuration of the email template remains unchanged: Admin Center -> Send User Welcome Email:

[Screenshot: EmailNotificationTemplate.png]


The Welcome Email template can alternatively be configured in Admin Center > E-Mail Notification Templates:

[Screenshot: emailnotification.png]

Note:

  • The option "Welcome Message Notification with Reset Password Support" should be selected, as highlighted above.
  • The option "Welcome Message Notification" has been deprecated and will not work if selected.

Important: If no email address is maintained for the user and the password needs to be reset manually, this can be done via import or in Admin Center > 'Reset User Passwords'. Please refer to the following KBAs:

  • 2088643 - Passwords: Using the Employee Import to Manage Passwords (mass update)
  • 2088527 - How to reset user's passwords in SuccessFactors

 

Hire via Imports

Prior to this change, 'Employee Data Import (for Employee Central only)' jobs could use any of the three options configured in Company System and Logo Settings: Same as User Name, Same as User ID, or Random Password. As of June 19th, all existing import jobs that were configured to use the insecure password options ("Same as User Name" or "Same as User ID") will continue to use the same password option. After a second patch (date to be determined), all new and existing import jobs will use a random, system-generated password.

New Import jobs in Provisioning:

For all new Import jobs, users will only be able to select 'Random Password' as the default option under 'Company System and Logo Settings' in the Admin Center. The other two options, Same as User Name and Same as User ID, will not be selectable, as shown in the screenshot below:

[Screenshot: NewOptions.png]

Existing Import jobs in Provisioning:

As of June 19th, all existing import jobs that were configured to use the insecure password options ("Same as User Name" or "Same as User ID") will continue to use the same password option. Please review the following two scenarios regarding the 'Sending Welcome Email' option:

  • Customers who wish to change to the 'Random Password' option and have already configured the 'Sending Welcome Email' option, or do not need the 'Sending Welcome Email' option, can safely enable the 'Random Password' option under 'Company System and Logo Settings' in the Admin Center.
  • Customers who wish to change to the 'Random Password' option and also want to configure the 'Sending Welcome Email' option must contact their implementation partner or SAP support to cancel the existing jobs in Provisioning and create a new job with the 'Send Welcome Email' option enabled in Provisioning.

Important Note: Selecting the 'Random Password' option under Company System and Logo Settings for an existing job will not enable the 'Sending Welcome Email' option in Provisioning. If you want to start sending emails for existing jobs, please contact your implementation partner or SAP support to enable the option in Provisioning.

[Screenshot: ImportJob.png]

 

Enforce Password Reset after First Successful Logon

Security issues might occur if the system does not force end users to reset their password after their first successful logon, when they log in to the system with a password provided through one or more of these methods:

  • Admin Center - Employee Import in Admin Center in instances that do not have Employee Central enabled
  • Provisioning (in the Manage Scheduled Job page in Provisioning) - Employee Import / Bulk Employees Import / Delta Employees Import
  • User SFAPI calls

** Users Impacted

The end user's password is set by a customer admin using one of the above-mentioned methods, in instances that use SAP SuccessFactors password authentication (excluding users authenticated by SAP IAS or 3rd-party IDP services).

Please Note: Users using SSO authentication, integrated external learners, and onboardees are not impacted.

** What do customers need to do?

  • Communicate with your end users and ask them to reset their password after their first successful logon from the login page.
  • For new tenants provisioned after the Aug 14 release, ensure that you have changed the initial passwords set by the admin for SFAPI and updated the password in your integration programs.

** Migration Guidance

After first successful logon, a pop-up dialog "Password Change" will require the end user to reset the password:

[Screenshot: reset.PNG]

SFAPIs:

For new tenants provisioned after the Aug 14 release, please ensure that you have changed the initial password for your SFAPI integration account that was set by the admin:

  1. Log in to your tenant with the username and password provided by the admin.
  2. Change the password in the "Password Change" pop-up dialog, following the company password policy.
  3. Use the new password in the integration program.

Note: For existing tenants, there is no impact.

OData APIs:

No changes have been made to the OData APIs.

 

Import Password Validation

Security issues might occur if the system does not validate, against the configured password policy, passwords supplied through one or more of these methods:

  • Admin Center - Employee Import in Admin Center in instances that do not have Employee Central enabled
  • Provisioning (in the Manage Scheduled Job page in Provisioning) - Employee Import / Bulk Employees Import / Delta Employees Import

** Users Impacted

The end user's password is set by a customer admin using one of the above-mentioned methods, in instances that use SAP SuccessFactors password authentication (excluding users authenticated by SAP IAS or 3rd-party IDP services).

Please Note: Users using SSO authentication, integrated external learners, and onboardees are not impacted.

** What do customers need to do?

  • Make a migration plan to ensure password policy compliance in the Import tools mentioned above.

** Migration Guidance

  • Review the password policy settings in Admin Center > Company Settings > System Logo and Password and ensure that the passwords in the import file follow the policy.
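The two risks this KBA describes, an initial password equal to the User Name or User ID (the "Hire via Imports" section) and an import file whose pre-defined passwords do not meet the company password policy (this section), can both be caught before the file is uploaded. The following Python script is an added example, not SAP code and not part of this KBA: it reads a constructed import file, flags rows whose password matches the User Name or User ID, checks the remaining passwords against a constructed policy, and shows how a random initial password satisfying that policy can be generated. The column names, sample rows and policy thresholds are assumptions for the example; the real policy values are those configured in Admin Center > Company Settings > System Logo and Password.

```python
import csv
import io
import re
import secrets
import string

# Constructed, illustrative password policy. These thresholds are assumptions
# for this example, not SAP defaults; align them with the policy configured in
# Admin Center > Company Settings > System Logo and Password.
POLICY = {
    "min_length": 8,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
}

# Constructed sample import rows. The USERID/USERNAME/EMAIL/PASSWORD layout is
# chosen for this example and is not the exact Employee Data Import template.
SAMPLE_IMPORT_CSV = """USERID,USERNAME,EMAIL,PASSWORD
1001,jdoe,jdoe@example.com,jdoe
1002,asmith,asmith@example.com,1002
1003,bwong,,Tr0ub4dor-x
1004,clee,clee@example.com,short1
1005,dkim,dkim@example.com,
"""


def policy_violations(password, policy=POLICY):
    """Return the policy rules the password fails; an empty list means compliant."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append("too_short")
    if policy["require_upper"] and not re.search(r"[A-Z]", password):
        problems.append("no_uppercase")
    if policy["require_lower"] and not re.search(r"[a-z]", password):
        problems.append("no_lowercase")
    if policy["require_digit"] and not re.search(r"[0-9]", password):
        problems.append("no_digit")
    return problems


def check_import_row(row, policy=POLICY):
    """Classify one import row as a pre-import gate would.

    Returns a list of findings; an empty list means the row is acceptable.
    """
    findings = []
    password = row.get("PASSWORD") or ""
    if password == "":
        # No pre-defined password: the system's default generation applies.
        findings.append("missing_password")
        return findings
    # The two options this KBA removes: password equal to User Name or User ID.
    if password.casefold() == (row.get("USERNAME") or "").casefold():
        findings.append("same_as_username")
    if password == (row.get("USERID") or ""):
        findings.append("same_as_userid")
    findings.extend(policy_violations(password, policy))
    return findings


def audit_import(csv_text, policy=POLICY):
    """Run check_import_row over every row; return {USERID: findings} for flagged rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    report = {}
    for row in reader:
        findings = check_import_row(row, policy)
        if findings:
            report[row["USERID"]] = findings
    return report


def generate_initial_password(length=12, policy=POLICY):
    """Generate a random initial password that satisfies the policy.

    Uses the secrets module (CSPRNG) and simply retries until the candidate
    passes policy_violations, which is cheap for these policy sizes.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, policy):
            return candidate


if __name__ == "__main__":
    for userid, findings in audit_import(SAMPLE_IMPORT_CSV).items():
        print(f"{userid}: {', '.join(findings)}")
    print("example random initial password:", generate_initial_password())
```

Rows 1001 and 1002 are rejected for the same reason the KBA removes the "Same as User Name" and "Same as User ID" options; rows 1004 and 1005 are rejected on policy grounds, and row 1003 passes. A gate like this belongs in whatever process produces the import file, so that a non-compliant password never reaches the import job.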

 

Frequently Asked Questions

  1. Is there a customer-facing communication sent regarding the change?

    ANSWER: An email notification was sent to the identified company administrators regarding this change. Communications were sent <DATE>.


  2. What’s the impact if you haven’t finished the migration after the patch is delivered on June 19th?

    ANSWER:
    Only the "System generated" option for the default password is supported in Admin Center > Employee Import. The options to set username / userid / email as the default password will be deprecated. Aside from this, all submitted Employee Import / Bulk Employees Import / Delta Employees Import jobs in Provisioning that specify username/userid/email as the default password will continue to run, but with a warning message shown in Monitor Job > Job Details. Please select the two opt-ins in Admin Tool Platform Feature Settings to change your Provisioning jobs to use a system-generated password.


  3. I use SSO to log in to BizX. Will I be impacted by this change?

    ANSWER: NO


  4. Will the change impact external learning users and onboardees?

    ANSWER: NO


  5. My BizX instance is integrated with third-party applications that are set to use User Name / User ID as the default password. What should we do?

    ANSWER: We recommend changing this kind of integration because of the security risk. You may use a pre-defined password in the import file for the integration.


  6. We already have a number of users who were created with User Name / User ID as the default password for login. Is there anything we can do from our side to ensure that their logins are secure?

    ANSWER: Please encourage the users to reset their passwords ASAP using one of the following three methods.

    • These users can reset their passwords themselves by using the set password link (valid for 1 to 30 days, according to your company-level password policy setting) in the welcome notification.
    • These users can reset their passwords themselves by navigating to Options > Password in the system.
    • An admin can reset the password for these users by navigating to Admin Center > Reset User Passwords and deliver the new passwords to the users offline. Password Changed email notifications with a set password link will be sent to users when the Password Changed Notification with the [[SET_PASSWORD_URL]] token has been enabled in E-mail Notification Template Settings and the user notification option is on in Admin Center -> Options -> Change User Notification.

    For details on resetting user passwords, please refer to the admin guide for the detailed steps.

 

Important: For customers experiencing any issues or have additional questions/concerns related to the Employee Central default password generation changes, please create a support ticket using component LOD-SF-EC-ADM. For general Platform related password generation changes, please refer to KBA 2932190 - Changes to Default Password Generation in BizX Users.

See Also

Keywords

EC, passwords, password, Import, Employee Import, security, welcome email, hire, employee data import , KBA , LOD-SF-EC , Employee Central , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-EC-ADM , Admin Tools (EC Core only) , How To

Product

SAP SuccessFactors HXM Suite all versions