SAP Knowledge Base Article - Public

2932190 - Changes to Default Password Generation in BizX Users

Symptom

To improve security in BizX, the way initial passwords are generated for newly created users is changing, in both Employee Central and non-Employee Central enabled instances. The change takes effect on June 19th, 2020.

Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental.

Environment

SAP SuccessFactors HXM Suite

Resolution

Starting June 19, 2020, a universal update removes the following options from BizX user imports. These settings let system administrators choose what the system assigns as the default password for newly created users, which the users then use as their initial password to log in to the system:

  • User Name 

  • User ID 

  • Email Address (for scheduled Employee Import Job)

Who will be impacted by this change?

Any user created by one of the methods listed below is impacted, as is any customer instance that does not use SAP Identity Authentication Service (IAS) for login.

  1. Admin Center > Employee Import (For Non-Employee Central Instances Only)
  2. Provisioning > Manage Scheduled Jobs
    • Employee Import 
    • Bulk Employees Import 
    • Delta Employees Import

  3. OData API and SFAPI with these password options configured in Manage API profile tool
  4. Admin Center > Manage User UI (For Non-Employee Central Instances Only)

Please note that users who authenticate with Single Sign-On (SSO), integrated external learners, and onboardees are not impacted.

What actions are required from the customers?

  1. Stop using "User Name / User ID / Email Address" as the default password in the methods listed above.
  2. Update the settings of import jobs and integration programs accordingly.
  3. Read the following migration guidance before the change takes effect on June 19th.

Migration Guidance:

  1. Importing Users in BizX
    • After June 19th, if the job settings have not been changed, a warning message is sent by email to the admin who monitors the affected scheduled imports.
    • If you use "User Name / User ID / Email Address" as the default password for Employee Import / Bulk Employees Import / Delta Employees Import, migrate to the "System Generated" option using one of the options below, so that newly created users can log in to the system securely.
      • Option #1: Send new users the welcome notification with a set password link
        Pre-requisite: New users must have a valid email address and be able to receive email notifications.
        Expected result: New users receive a welcome email containing the Set Password link after the import job completes.

        1. Navigate to Admin Center > Company Settings > E-mail Notification Template Settings. Ensure that the "Welcome Message Notification with Reset Password Support" template is enabled by ticking its checkbox (see the attached screenshot).

          You can also modify the body of the email notification by following the steps in the admin guide.

          Note: Do not use the "Welcome Message Notification" template; it is deprecated.


        2. After this, proceed with the user import. If you are importing new users directly from Admin Center, select the following options:
          • Use a system generated random password
          • Send welcome email to new users

      • Option #2: Set the initial password for new users in the import file
        Notes: This is NOT RECOMMENDED. It is a workaround you can use if the new user(s) you are importing do not have a valid email address or are not configured to receive email notifications. The import file then contains the initial passwords in plain text, so restrict access to it and delete it once the import has run.
        Expected result: The administrator must deliver the initial passwords directly to the newly imported users in BizX, outside the system.

        To do this, follow KBA 2088643 - Passwords: Using the Employee Import to manage Passwords.

    • How can you identify and rectify the settings of Employee Import / Bulk Employees Import / Delta Employees Import?

      - There is no need to contact support or a partner to change the job settings in Provisioning. Customers can navigate directly to Admin Center > Platform Feature Settings and look for the corresponding opt-in options (available after the June 19th update; see the attached screenshot).

  2. Manage Users UI
    • Starting June 19th, the default password is no longer automatically set to the username.
    • Instead, newly created users receive a Welcome Email Notification that contains a direct link to set their password.
    • During user creation, a warning message is shown in the UI as a reminder to define and enable the "Welcome Message Notification with Reset Password Support" template (refer to the steps for configuring the welcome email above).

      From Admin Center > Manage Users > Quick Add page (see the attached screenshot)

      From Admin Center > Manage Users > Detailed Add Users (see the attached screenshot)

  3. APIs
  • If you use APIs to import users, you also need to change the password option. Detailed information on how to manage the user API options can be found in the admin guide.
  • After June 19th, customers can no longer create a new API Option Profile with an insecure default password on the Admin Center > Add API Option Profile page, because the following options are removed:
    • Use the Username
    • Use the UserID
    • Use the email address
  • An alert message on that page tells customers that the three default password options are deprecated. After June 19th, the API returns a warning message in the response header when a user is created with "USERNAME, externalId, EMAIL, FIRSTNAME, LASTNAME" as the default password format in SFAPI, or with "Username, UserID, email address" as the default password format in the OData V2 User API.

    Solution for new users without a valid email address, or when "Send welcome email to new users" is not set (existing function):

    Solution through the API:

    1. In the OData API, the customer admin can set the password for such a user by sending it in plain text in the request.

      For the OData API, the password field can be updated with a request body such as the following (the URI is from an SAP demo system; "pwd123" is only a placeholder, choose a password that satisfies your company password policy):

      {
        "__metadata": {
          "uri": "https://qacand-api.lab-rot.ondemand.com/odata/v2/User('cgrant1')"
        },
        "password": "pwd123"
      }


    2. In SFAPI, the customer admin can likewise set the password by sending it in plain text.

      For SFAPI, send an update request that includes the password field in the request body:

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sfobject.sfapi.successfactors.com">
        <soapenv:Header/>
        <soapenv:Body>
          <urn:update>
            <urn:type>User</urn:type>
            <!-- 1 or more repetitions: -->
            <urn:sfobject>
              <urn:type>User</urn:type>
              <urn:id>USR-2</urn:id>
              <urn:password>pwd123!!!</urn:password>
            </urn:sfobject>
          </urn:update>
        </soapenv:Body>
      </soapenv:Envelope>
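Both the import-file workaround (Option #2) and the API solution above leave the administrator to choose each user's initial password. The following Python script is an added example and is not code from this KBA or from SAP: it generates a random, unique initial password per user with the standard-library `secrets` module, replaces any PASSWORD value in an Employee Import CSV that is empty or equal to the user's USERNAME, USERID or EMAIL (the very defaults the June 2020 change removes), and builds the OData V2 User upsert body in the shape shown above for the users that received a new password. The CSV column names, the `/odata/v2/upsert` endpoint path, the password length and the required character classes are assumptions; check them against your instance's import template, the OData API reference and your company password policy.

```python
import csv
import io
import json
import secrets
import string

# Columns the deprecated default-password options copied the password from.
INSECURE_DEFAULT_COLUMNS = ("USERNAME", "USERID", "EMAIL")
SYMBOLS = "!#$%&*+-=?@_"


def generate_initial_password(length=16):
    """Random initial password with at least one lower, upper, digit and symbol.
    `secrets` is a CSPRNG, unlike `random`.  Length and character classes are
    assumptions; align them with the company-level password policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pwd = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pwd) and any(c.isupper() for c in pwd)
                and any(c.isdigit() for c in pwd) and any(c in SYMBOLS for c in pwd)):
            return pwd


def is_insecure_default(row):
    """True when PASSWORD is missing or equals USERNAME, USERID or EMAIL
    (case-insensitively), i.e. one of the defaults the June 2020 change removes."""
    pwd = (row.get("PASSWORD") or "").strip()
    if not pwd:
        return True
    return any(pwd.lower() == (row.get(col) or "").strip().lower()
               for col in INSECURE_DEFAULT_COLUMNS)


def harden_import_file(csv_text):
    """Rewrite an Employee Import CSV so every row with no password, or an
    insecure default one, gets a fresh random password.  Returns the new CSV
    text plus a {USERID: password} map so the admin can deliver the passwords
    offline, as the KBA requires for Option #2.  Rows that already carry an
    admin-chosen password are left untouched."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, issued = [], {}
    for row in reader:
        if is_insecure_default(row):
            row["PASSWORD"] = generate_initial_password()
            issued[row["USERID"]] = row["PASSWORD"]
        rows.append(row)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), issued


def odata_upsert_payload(base_url, user_id, password):
    """OData V2 User upsert body in the shape the KBA shows.  The caller POSTs
    it as JSON, over TLS, with admin credentials, to <base_url>/odata/v2/upsert;
    that path is an assumption, verify it in the OData API reference."""
    return {
        "__metadata": {"uri": f"{base_url}/odata/v2/User('{user_id}')"},
        "password": password,
    }


# Constructed sample import file (not real data): the first row copies the
# username as the password, the second has no password at all, the third
# already has an admin-chosen password and must be left as is.
SAMPLE_CSV = """STATUS,USERID,USERNAME,FIRSTNAME,LASTNAME,EMAIL,PASSWORD
active,cgrant1,cgrant1,Carla,Grant,cgrant1@example.com,cgrant1
active,mhoff2,mhoff,Mark,Hoff,,
active,asmith3,asmith,Ann,Smith,asmith@example.com,Tq7!vXp2wLm9#rK4
"""

if __name__ == "__main__":
    hardened, issued = harden_import_file(SAMPLE_CSV)
    print(hardened)
    for uid, pwd in issued.items():
        body = odata_upsert_payload("https://qacand-api.lab-rot.ondemand.com", uid, pwd)
        print(json.dumps(body))
```

The hardened CSV and the `issued` map both contain plain-text passwords, so treat them as secrets: hand the passwords to users through a channel the KBA calls "offline", and remove the files afterwards. Users should then change the initial password themselves via Options > Password.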

           

=====================================================================

FREQUENTLY ASKED QUESTIONS:

  1. Is there a customer facing communication sent regarding the change? 

    ANSWER: An email notification was sent to the identified company administrators regarding this change. The communication was sent on June 12th, 2020.


  2. What’s the impact if you haven’t finished the migration after the patch is delivered on June 19th?

    ANSWER: Only the "System generated" option for the default password is supported in Admin Center > Employee Import; the options to set username / user ID / email as the default password are deprecated. Submitted Employee Import / Bulk Employees Import / Delta Employees Import jobs in Provisioning that still specify username / user ID / email as the default password continue to run, but with a warning message shown in Monitor Job > Job Details. Select the two opt-in settings in Admin Center > Platform Feature Settings to switch your Provisioning jobs to a system generated password.


  3. I use SSO to log in to BizX. Will I be impacted by this change?

    ANSWER: NO


  4. Will the change impact external learning users and onboardees?

    ANSWER: NO


  5. My BizX instance is integrated with third-party applications that are set to use User Name / User ID / Email as the default password. What should we do?

    ANSWER: We recommend changing this kind of integration because of the security risk: a password equal to the username, user ID or email address is known to anyone who knows the user. You may instead use a pre-defined password in the import file for the integration.


  6. We already have a number of users that were created with User Name / User ID / Email as the default login password. Is there anything we can do on our side to ensure that their logins are secure?

    ANSWER: Encourage these users to reset their passwords as soon as possible, using one of the following three methods.

    • The users can reset their passwords themselves by using the set password link in the welcome notification (valid for 1 to 30 days, according to your company-level password policy setting).
    • The users can reset their passwords themselves by navigating to Options > Password in the system.
    • An admin can reset the passwords for these users by navigating to Admin Center > Reset User Passwords and deliver the new passwords to the users offline. A Password Changed email notification containing a set password link is sent to the users if the Password Changed Notification template with the [[SET_PASSWORD_URL]] token is enabled in E-mail Notification Template Settings and the user notification option is switched on in Admin Center > Options > Change User Notification.

      For details on resetting user passwords, please refer to the admin guide for the detailed steps.

See Also

User Management Admin Guide

Keywords

User passwords, Manage User, Import, Employee Import, Delta Import, Bulk Employees Import, APIs, INT, Platform, Security, KBA, LOD-SF-PLT-UIM, Employee Import Issues, How To

Product

SAP SuccessFactors HXM Suite 2005

Attachments

Pasted image.png