SAP S/4HANA Create Account Failure – Password Cannot Start with “?” or “!”

Hello team!

We are facing an issue during SAP S/4HANA account creation via SailPoint IdentityIQ provisioning. We have configured the password policy at the application level.

The create account operation is failing with the following error from SAP BAPI:

“New password cannot begin with ‘?’ or ‘!’”

Observation:

  • The issue occurs when the generated password includes a special character in the first position

  • SAP S/4HANA does not accept ? or ! as the initial character of the password.

Need help on the below

  1. Whether there is a recommended configuration in IdentityIQ password policy to prevent specific characters (?, !) from being used in the first position
  2. Or if we need to enforce a custom password generation rule to handle SAP-specific constraints

Regards

Nitin

I think the easiest solution would be to create a SAP_PasswordGeneration_Rule. Use something like the below, which ensures the first character is never ‘?’ or ‘!’, as SAP BAPI rejects such passwords.

You will have a password attribute in the create Provisioning Policy at the password attribute level using a Generation Rule on that field itself. Use the below rule:

    import java.security.SecureRandom;

    String firstCharPool    = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    String remainingCharPool = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#$%^&*()-_=+[]{}|;:,.<>";

    int passwordLength = 12;
    // SecureRandom instead of java.util.Random: generated passwords need an unpredictable source
    SecureRandom random = new SecureRandom();
    StringBuilder password = new StringBuilder();

    // First char: never '?' or '!' (letters and digits only)
    password.append(firstCharPool.charAt(random.nextInt(firstCharPool.length())));

    // Remaining chars
    for (int i = 1; i < passwordLength; i++) {
        password.append(remainingCharPool.charAt(random.nextInt(remainingCharPool.length())));
    }

    return password.toString();

This should fix your issue, as it fires precisely when the password field is being populated, before the BAPI call.

@nbidwai1987 Where are you generating this password? Is this in a field value rule or in Change Password page or somewhere else?

Hi, please implement a custom Password Generation Rule and associate it with the SAP application’s password policy.

    import sailpoint.object.PasswordPolicy;
    import sailpoint.tools.Util;
    import java.security.SecureRandom;

    // SecureRandom instead of java.util.Random: generated passwords need an unpredictable source
    SecureRandom random = new SecureRandom();

    // Get password policy
    PasswordPolicy policy = passwordPolicy;

    // Read configured password length
    int length = policy.getPasswordMinLength();

    // Allowed character sets
    String upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    String lower = "abcdefghijklmnopqrstuvwxyz";
    String numeric = "0123456789";
    String special = "@#$%^&*()-_=+{}";

    // First character cannot be ? or !
    String firstCharSet = upper + lower + numeric;

    // Build password
    StringBuilder pwd = new StringBuilder();

    // First character
    pwd.append(firstCharSet.charAt(random.nextInt(firstCharSet.length())));

    // Remaining characters
    String allChars = upper + lower + numeric + special;

    while (pwd.length() < length) {
        pwd.append(allChars.charAt(random.nextInt(allChars.length())));
    }

    return pwd.toString();

or

Pseudocode:

    String password = generatePasswordFromPolicy();

    // Regenerate until the first character is accepted by SAP
    while (password.startsWith("?") ||
           password.startsWith("!")) {
        password = generatePasswordFromPolicy();
    }

    return password;

@nbidwai1987

You can use a custom password generation rule.

After introducing it, add some loggers, as it may fail in other cases. Adjust all the logic within it.

Even if the password policy changes in the future, you can easily adjust your rule.
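
An added example, not part of any post in this thread and not SailPoint code: a stand-alone Java class showing the generator the answers describe, extended so that every password also contains at least one character from each class (the generators above only constrain the first character, so a password policy requiring a digit or special character could still reject their output). The class name, character pools, length of 12 and the one-per-class requirement are assumptions; inside an IdentityIQ rule the same logic would need adapting to the rule's inputs and to BeanShell syntax.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class SapPasswordGenerator {
    // Constructed character classes (assumption); '?' and '!' appear in no pool.
    static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    static final String DIGIT = "0123456789";
    static final String SPECIAL = "@#$%^&*()-_=+{}";
    static final String[] CLASSES = {UPPER, LOWER, DIGIT, SPECIAL};
    static final SecureRandom RNG = new SecureRandom();

    static char pick(String pool) {
        return pool.charAt(RNG.nextInt(pool.length()));
    }

    // Password of the given length with at least one character from each
    // class and a first character that is always a letter or digit.
    static String generate(int length) {
        if (length < CLASSES.length) {
            throw new IllegalArgumentException("length must be >= " + CLASSES.length);
        }
        List<Character> chars = new ArrayList<>();
        for (String cls : CLASSES) chars.add(pick(cls));   // one per class
        String all = UPPER + LOWER + DIGIT + SPECIAL;
        while (chars.size() < length) chars.add(pick(all));
        Collections.shuffle(chars, RNG);                    // hide where each class was placed
        // If the shuffle put a special character first, swap it with a random
        // letter or digit; at least three exist, so 'safe' is never empty.
        if (SPECIAL.indexOf(chars.get(0)) >= 0) {
            List<Integer> safe = new ArrayList<>();
            for (int i = 1; i < chars.size(); i++) {
                if (SPECIAL.indexOf(chars.get(i)) < 0) safe.add(i);
            }
            Collections.swap(chars, 0, safe.get(RNG.nextInt(safe.size())));
        }
        StringBuilder sb = new StringBuilder(length);
        for (char c : chars) sb.append(c);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Self-check: the first character must never be a special character.
        for (int n = 0; n < 10000; n++) {
            char first = generate(12).charAt(0);
            if (!Character.isLetterOrDigit(first)) throw new AssertionError("bad first char");
        }
        System.out.println("10000 passwords generated, first character always alphanumeric");
    }
}
```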