Raghu Boddu, February 26, 2026

Password Policies in SAP Identity Access Governance

SAP Cloud Identity Access Governance (IAG), supported by SAP Cloud Identity Services (IAS) as its authentication backbone, comes equipped with solid password policy features that form one of the most important lines of defense for any organization. Think of a strong password policy as the first lock on your door: the more complex it is, the harder it becomes for the wrong people to get in. This is why administrators need to take the time to align password policy settings with the way their organization's users actually log in, making sure that security is genuinely effective in day-to-day use.


Let's discuss how to implement password policies in SAP CIS for the IAG tenant.

To implement and manage password policies in SAP IAG, administrators need to follow these steps:

1. Configure Password Policy for the Application

In SAP Cloud Identity Services (CIS) there are five password policies in total: two predefined policies, Enterprise and Standard, which cannot be changed, and three custom policies that can be configured as required. When a user authenticates to an IAG tenant, Identity Authentication checks the application's password policy requirement and applies the stronger policy (by strength) to the user, as shown in the image below.

2. Configure/Create Custom Password Policy

A custom password policy must be stronger than the predefined policies; two policies cannot have the same strength. The image below shows how to create a custom policy as required, using the predefined fields such as Policy Name, Policy Strength, Password Length, and Password Lifetime. Once the custom policy is created and saved, its strength priority can be changed as required, as shown in the image above.

3. Configure Password Exclude List

The image below shows the exclude list, which covers the user's first name, last name, and login name, as well as passwords entered as free text.

4. Once the password policy is configured in Cloud Identity Services, it is assigned to the IAG tenant.

Flow of the password policy configured for an SAP IAG tenant:

Key Components of SAP Password Policies

An administrator can enforce strong password policies that adhere to organizational security needs. These policies are mainly:

  • Password Complexity Requirements: Passwords must contain a mix of upper- and lower-case letters, at least one digit, and at least one special character.
  • Minimum and Maximum Length: Set the minimum and maximum number of characters a password may have before a user can register it, to strike the right balance between security and usability.
  • Password Expiration: Requiring passwords to be changed at a set frequency limits how long a breached credential remains usable.
  • Password History: Preventing the reuse of recent passwords when a new one is chosen reduces the risk of a security breach.
  • Account Lockout Mechanisms: Locking the account after a set number of failed login attempts stops further attacks against it.
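As an added example (not SAP's code and not an IAS API), the following Python model combines the "stronger policy wins" rule from step 1 with the controls listed above: length, complexity, the exclude list (first name, last name, login name, free text) and password history. The policy names other than Enterprise and Standard, the strength numbers, and all limits are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    strength: int           # higher value = stronger; constructed ranking, not an IAS value
    min_length: int
    max_length: int
    require_mixed_case: bool = True
    require_digit: bool = True
    require_special: bool = True
    history_size: int = 0   # how many previous passwords may not be reused


# Constructed sample policies: a custom policy must rank above the predefined ones.
STANDARD = PasswordPolicy("Standard", strength=1, min_length=8, max_length=255)
ENTERPRISE = PasswordPolicy("Enterprise", strength=2, min_length=8, max_length=255, history_size=5)
CUSTOM_1 = PasswordPolicy("Custom-1", strength=3, min_length=12, max_length=64, history_size=5)


def effective_policy(app_policy: PasswordPolicy, user_policy: PasswordPolicy) -> PasswordPolicy:
    """The stronger of the application's requirement and the user's policy is applied."""
    return max(app_policy, user_policy, key=lambda p: p.strength)


def password_hash(pw: str) -> str:
    """Illustrative history fingerprint; a real store would use a salted, slow password hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def validate_password(pw: str, policy: PasswordPolicy, exclude_terms=(), history_hashes=()) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    if policy.require_mixed_case and not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("mixed_case")
    if policy.require_digit and not re.search(r"\d", pw):
        problems.append("digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("special")
    # Exclude list: first name, last name, login name and free-text entries, matched case-insensitively.
    lowered = pw.lower()
    if any(term and term.lower() in lowered for term in exclude_terms):
        problems.append("exclude_list")
    # Password history: only the most recent history_size entries count.
    if password_hash(pw) in list(history_hashes)[:policy.history_size]:
        problems.append("history")
    return problems
```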

Conclusion

Password policies in SAP IAG are critical to an organization's overall security strategy. Well-defined policies are a primary safeguard because they drastically reduce the chance of unauthorized access and help assure compliance. Combined with continuous user education, they protect an organization against exposed SAP settings.

Key Takeaway: Implementing password policy for SAP IAG, combined with regular user education and audits, creates a strong defense against unauthorized access and ensures organizational compliance.

Frequently Asked Questions

What is the role of SAP Cloud Identity Services (IAS) in SAP IAG password policies?

SAP Cloud Identity Services (IAS) acts as the authentication layer for SAP IAG. It enforces password policies defined at the IAS level and applies them to the IAG tenant during user authentication. The stronger password policy configured in IAS is automatically enforced when users log in.

How many password policies can be configured in SAP Cloud Identity Services?

SAP CIS supports a total of five password policies: two predefined policies (Enterprise and Standard, which cannot be modified) and three customizable policies. Custom policies must be configured with a higher strength level than the predefined ones and cannot have equal strength settings.

Can organizations create custom password policies in SAP IAG?

Custom password policies are created and managed in SAP Cloud Identity Services, not directly in the IAG application. Administrators can define parameters such as password length, lifetime, complexity requirements, and strength priority, then assign the policy to the IAG tenant.

What security controls are typically included in SAP IAG password policies?

Key controls include password complexity rules (uppercase, lowercase, digits, special characters), minimum and maximum length settings, password expiration periods, password history restrictions, exclude lists (e.g., first name, last name), and account lockout thresholds after failed login attempts. These collectively reduce unauthorized access risk and support compliance requirements.

Raghu Boddu

SAP Security Architect & ERP Cybersecurity Authority

Raghu Boddu is a technology leader and cybersecurity professional specializing in SAP Security, GRC, data protection, and enterprise risk management. He is the author of SAP Press books on SAP Access Control, SAP Process Control, and SAP Identity Access Governance (IAG). Raghu focuses on building practical, automation-driven solutions that help organizations achieve secure, compliant, and audit-ready operations across SAP and cloud landscapes. He regularly shares independent insights and hands-on experience for practitioners and leaders navigating evolving cybersecurity and regulatory challenges.