In recent years, there have been a lot of cyber attacks on SAP systems. Such attacks tend to disrupt your customers' production activities completely. Attackers try to get into SAP systems using commonly known and widely used passwords. For example, if a user sets their password to “123456” or “PASS123”, it is very easy for an attacker to guess. This is a huge security risk. To stop users from setting such weak passwords, SAP provides the table USR40.
What is table USR40 used for?
USR40 is an SAP standard transparent table. It stores the easy/weak password patterns that you want to prohibit. Users cannot set passwords that match these entries; if they try, the system raises the error “Password is in exception table”.
How to maintain the USR40 table?
Execute transaction SM30 and enter the table name as USR40. Then click on “Maintain”.
To add an entry, click on “New Entries” and maintain the password pattern that you want to restrict. Leave the “Case-Sens?” column unticked. SAP uses this indicator to determine whether passwords are to be case-sensitive.
Keep in mind that the USR40 table is cross-client, so any change you make in one client becomes active in the other clients as well. Also, if the client is not open for changes, change the client settings using transaction SCC4.
There are 2 ways to maintain entries in the USR40 table:
1. Use ? as a wildcard for a single character.
For example, if you maintain the entry PASS00?, SAP will restrict all password combinations like PASS001, PASS002, PASS003, and so on.
2. Use * as a wildcard for a sequence of characters.
For example, if you maintain the entry *ABC*, SAP will restrict all passwords containing ABC.
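To preview which passwords a set of USR40 entries would reject before maintaining them in SM30, the wildcard rules above can be modelled offline. The following Python sketch is an added example, not SAP code: the function names and sample entries are constructed, and it assumes that an entry must match the whole password and that an unticked “Case-Sens?” means a case-insensitive comparison.

```python
import re

# Constructed sample entries: (pattern, "Case-Sens?" ticked)
SAMPLE_USR40 = [("PASS00?", False), ("*ABC*", False), ("123456", False)]


def pattern_to_regex(pattern, case_sensitive=False):
    """Translate a USR40-style pattern into a compiled regex.

    ? stands for exactly one character, * for any sequence of characters
    (including none). Every other character is taken literally, so regex
    metacharacters in an entry cannot change its meaning.
    """
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    flags = re.DOTALL
    if not case_sensitive:  # assumption: unticked = compare ignoring case
        flags |= re.IGNORECASE
    return re.compile("".join(parts), flags)


def blocking_entries(password, entries):
    """Return the patterns that would reject this password (empty = allowed)."""
    return [pat for pat, cs in entries
            if pattern_to_regex(pat, cs).fullmatch(password)]


def preview(candidates, entries):
    """Map each candidate password to the entries that block it."""
    return {pw: blocking_entries(pw, entries) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates covering the edge cases of both wildcards
    candidates = ["PASS001", "pass009", "PASS0011", "PASS00",
                  "myabc2024", "123456", "1234567"]
    for pw, hits in preview(candidates, SAMPLE_USR40).items():
        status = "blocked by " + ", ".join(hits) if hits else "allowed"
        print(f"{pw:<10} {status}")
```

The run shows the gaps a literal or single-wildcard entry leaves: PASS0011 and 1234567 pass these sample entries, so near-variants of a weak password need their own entry or a * pattern.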
FAQs
What does a password in the exception table (USR40) mean?
It means that users cannot use any of the password patterns maintained in USR40 in their passwords.
Which table controls the list of impermissible passwords?
USR40 controls the list of impermissible passwords.
Password is in exception table
If a user provides a password containing a pattern maintained in table USR40, they will get the above-mentioned error message. To resolve this, ask the user to make the password unique.