SAP Knowledge Base Article - Public

2992433 - Changes to user passwords pre-defined via SFAPI and import options in BizX

Symptom

Since August 14th, there have been changes to how user passwords set by administrators via the import options are validated in BizX. Please refer to KBA 2932190 - Changes to Default Password Generation in BizX Users for the details of the security updates made for user passwords in BizX.

Environment

SAP SuccessFactors HXM Suite

Cause

Issues to be addressed:

  1. Security issues might occur if the system does not validate passwords against the configured password policy when they are set through one or more of these methods:
    • Admin Center
    • Employee Import in Admin Center, in instances that do not have Employee Central enabled
    • Provisioning (in the Manage Scheduled Job page in Provisioning):
      • Employee Import / Bulk Employees Import / Delta Employees Import

  2. Security issues might occur if the system does not force end users to reset their password after their first successful logon, when they log in to the system with a password provided through one or more of these methods:
    • Admin Center
    • Employee Import in Admin Center, in instances that do not have Employee Central enabled
    • Provisioning (in the Manage Scheduled Job page in Provisioning):
      • Employee Import / Bulk Employees Import / Delta Employees Import
    • User SFAPI calls

Resolution

To better protect your account security, we now provide a set of best practices for password policy settings, documented in KBA 2957793 - Changes to password and login policy settings in BizX. Note that this change has been effective from August 14th 2020 onward.


Who will be impacted by this change?

  • As an admin user, if you pre-define passwords for users in the import file using Employee Import, Bulk Employees Import, or Delta Employees Import, ensure that the passwords comply with the password policy settings. If they do not, you receive warnings in the import status email.

  • As an end user, if your password is predefined by your system admin using Employee Import, Bulk Employees Import, or Delta Employees Import, you must reset your password when you log in to the system for the first time. You can follow the steps in the reset password popup to reset your password. Note that this does not include users authenticated by SAP IAS or 3rd party IDP services.

  • Please note that users using SSO authentication, integrated external learners, and onboardees are not impacted.

  • Any user passwords set or reset via SFAPI will also be required to comply with the password policy defined in Admin Center -> Password & Login Policy Settings. You can follow this section of the admin guide on how to set and reset user passwords using the SFAPI.

 

Actions for customers

  • Administrators should review the configuration in Admin Center > Company Settings > Password & Login Policy Settings, and ensure that the passwords in the import file follow the policy. Please refer to KBA 2957793 - Changes to password and login policy settings in BizX for updates on password and login policy settings for BizX users.

  • Communicate with your end users and ask them to reset their password after their first successful logon from the login page.

1. Login UI page 

After first successful logon, a pop-up dialog “Password Change” will require the end user to reset their password.



2. SFAPIs  

For new tenants provisioned after the Aug 14 release, please ensure that you have changed the initial password set by the admin for your SFAPI integration account:

  1. Log in to your tenant with the username and password provided by the admin.

  2. Change the password in the “Password Change” pop-up dialog, following the company password policy.

  3. Use the new password in the integration program.

Existing tenants will not be impacted by this change.


3. OData APIs  

No change has been made to OData APIs. 



Is it possible to set a user's password without them needing to reset it in the UI?

There are business cases in which a customer needs to update the SF password to keep it in sync with passwords from other systems, and in those cases the user should not receive the reset password pop-up in the UI.

We have 2 ways to accomplish this:

  • Update the password via OData APIs (Recommended)

    This is the recommended solution if you need to keep SF passwords in sync with the passwords of another system.

    The OData API can be used to update passwords in SF, and if a password is updated through the API, the password reset is not triggered on first access.

    You can refer to this Help Guide documentation on how to use the OData API to update passwords.

  • Keep the current process and remove the reset password pop-up UI (NOT RECOMMENDED)

    Some customers still prefer to keep the old process of using the import without the password reset. This is still possible, though strongly not recommended.

    This hides the password setting UI from end users, including the reset password dialog at login (whether or not the password is expired) and the change password option in Options.

    This is a new workaround that only makes sense for customers who do not manage passwords in SuccessFactors and will always be syncing passwords from another system.

    If you have a business case for which you prefer to follow the old process, make the changes below:

    1. Go to Admin Center;

    2. Go to Company Settings --> Company System and Logo Settings;

    3. Enable "Hide the Personal Password Tab from users".

UPDATES:

1. SuccessFactors released a new security patch on the weekend of October 9, 2020.

Before the October 9th Patch: If the pre-defined password in the import file does not meet the password policy requirements, the system sends a warning message in the notification email, and the user can still be imported successfully.

After the October 9th Patch: If the pre-defined password in the import file does not meet the password policy requirements, the system sends an error message in the notification email and aborts that user, so the user is not imported into the system. The error is “Error: Failed to import user as user password does not conform to the password policy”.

  • Resolution: (1) Change your password policy to meet your password requirements or (2) set a pre-defined password that meets the password policy requirements.
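Because the import now aborts a user whose pre-defined password violates the policy, it is worth checking the import file against the policy before uploading it. The following is an added example, not SAP code and not part of this KBA: it assumes a CSV import file with USERID, USERNAME and PASSWORD columns, and the policy values it uses (minimum and maximum length, all four character classes required, username not embedded in the password) are illustrative assumptions standing in for whatever is actually configured under Admin Center > Company Settings > Password & Login Policy Settings. Rows with no pre-defined password are skipped, since only pre-defined passwords are subject to this check. The sample import file is constructed for the example.

```python
"""Pre-import password policy check for a SuccessFactors user import file.

Added example, not SAP code. The PasswordPolicy defaults are assumptions;
mirror the tenant's real settings from Admin Center > Password & Login
Policy Settings before relying on the result.
"""
import csv
import io
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    # Assumed values; replace with the tenant's configured policy.
    min_length: int = 8
    max_length: int = 18
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    forbid_username: bool = True


def violations(password: str, username: str, policy: PasswordPolicy) -> list:
    """Return human-readable policy violations for one password (empty if compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if policy.forbid_username and username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def check_import_file(csv_text: str, policy: PasswordPolicy) -> dict:
    """Map each USERID whose pre-defined PASSWORD violates the policy to its problems.

    Rows with an empty PASSWORD column carry no pre-defined password and are
    skipped. Column names (USERID, USERNAME, PASSWORD) are assumed.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rejected = {}
    for row in reader:
        password = (row.get("PASSWORD") or "").strip()
        if not password:
            continue
        problems = violations(password, row.get("USERNAME") or "", policy)
        if problems:
            rejected[row["USERID"]] = problems
    return rejected


# Constructed sample import file (not real data). Only u1001 is compliant;
# u1004 has no pre-defined password and is therefore not checked.
SAMPLE_IMPORT = """STATUS,USERID,USERNAME,FIRSTNAME,LASTNAME,EMAIL,PASSWORD
active,u1001,jsmith,Jane,Smith,jane.smith@example.com,Wq7!pLz2#kT
active,u1002,rjones,Rob,Jones,rob.jones@example.com,Short1!
active,u1003,mlee,Mia,Lee,mia.lee@example.com,NoDigitsHere!
active,u1004,dkim,Dan,Kim,dan.kim@example.com,
active,u1005,apatel,Ana,Patel,ana.patel@example.com,Apatel2020!x
"""


if __name__ == "__main__":
    for user_id, problems in check_import_file(SAMPLE_IMPORT, PasswordPolicy()).items():
        print(f"{user_id}: would be rejected ({', '.join(problems)})")
```

Run this against the real import file before scheduling the import job; every USERID it reports is one the post-October 9th import would abort with “Error: Failed to import user as user password does not conform to the password policy”, so the passwords can be corrected up front instead of after the notification email arrives.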


2. New security restriction introduced for Password setting via API, November 27, 2020 onward

Starting Nov 27, 2020, customers can contact SAP Cloud Support to enable a security restriction that forces users to reset passwords upon login if a user is newly created or if a user’s password is updated by others through OData API and SFAPI.

This feature will force users to reset their password in the following scenarios:

  • When a new user is created through OData API or SFAPI.
  • When a user’s password is updated by another user through OData API or SFAPI.

If you wish to enable this restriction in your instance, please contact SAP Cloud Support.

NOTE:
- If a user updates his or her own password through OData API or SFAPI, they are NOT required to reset the password.
- This is an optional security feature, only to be enabled upon customer request.

Instructions for SAP Cloud Support - SAP internal link

 

See Also

User Management Admin Guide
SAP SuccessFactors HXM Suite SFAPI: Developer Guide

Keywords

User passwords, Manage User, Import, Employee Import, Delta Import, Bulk Employees Import, APIs, INT, Platform, Security, AO-2889 , KBA , LOD-SF-PLT-PWD , Password Policy Settings & Reset Password , How To

Product

SAP SuccessFactors HXM Suite all versions