Application Development Discussions
Suggested DDIC setting when not in use

Former Member

Hi,

What would be the ideal setting for the DDIC user when not in use? Apparently DDIC cannot be locked, unlike SAP*.

Thanks

1 ACCEPTED SOLUTION

Former Member

Hi Prashanth,

This is what I think you need to do regarding user id DDIC when not in use:

User DDIC is a SAP supplied identifier that comes standard with every SAP system. Unlike SAP*, this user has a defined user master record. DDIC has special privileges relating to the data dictionary in SAP and it's the only user allowed to log in during a system upgrade. Therefore, this user must be secured against misuse or unauthorized access. This user may be needed for running jobs via UNIX (i.e. unsuccessful transports will require this user ID). The following steps must be performed by the Basis team to mitigate the risk of user DDIC:

Change the password for DDIC because the original password is highly publicized

Remove all Roles and Profiles

Regards,

Kiran Kandepalli

5 REPLIES

Former Member

Hi Prashant,

User DDIC is a user with special privileges in installation, software logistics, and the ABAP Dictionary. The user master record is created in clients 000 and 001 when you install your R/3 System.

You should secure the DDIC user against misuse by changing DDIC's initial password 19920706 in clients 000 and 001.

User DDIC is required for certain installation and setup tasks in the system, and is also used by some background jobs to execute so you should not delete it or lock it.

The user DDIC should also be assigned to user group SUPER to prevent unauthorized users from changing or deleting its user master record.

Thanks,

Saby..


> User DDIC is a user with special privileges in installation, software logistics, and the ABAP Dictionary. The user master record is created in clients 000 and 001 when you install your R/3 System.
>
> You should secure the DDIC user against misuse by changing DDIC's initial password 19920706 in clients 000 and 001.
>
> User DDIC is required for certain installation and setup tasks in the system, and is also used by some background jobs to execute so you should not delete it or lock it.
>
> The user DDIC should also be assigned to user group SUPER to prevent unauthorized users from changing or deleting its user master record.

For a moment it felt as if I had seen that exact same text somewhere else before... (it is expected that the source of copy&pasted information is referenced: http://help.sap.com/saphelp_nw70/helpdata/EN/52/67179f439b11d1896f0000e8322d00/frameset.htm)...

Cheers,

Julius



How about in a scenario where DDIC needs the roles/profiles assigned and left unlocked ?

What if security auto-generates the password and leaves it unlocked.

Whenever DDIC is needed (BASIS/Upgrade, etc.) based on an approved request, security sets the password and communicates the same.

Once done security auto-generates the password so no one is able to login.

Per audit, security is still aware of the password ... however it is low risk when compared to maintaining a password for the same.
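The accepted solution above (change DDIC's password, strip its roles and profiles, keep it in group SUPER and never lock or delete it) and the rotation process proposed in this post (set a freshly generated password nobody retains, hand out a known one only against an approved request, regenerate afterwards) can both be supported with a small script. The following is an added example, not code from this thread or from SAP: the user records are a constructed stand-in for a flattened user master export with assumed field names, and the password policy (40 characters, four character classes) is an assumption, since the real policy is whatever the system's login/* profile parameters enforce.

```python
import secrets
import string
from typing import Dict, List

# Constructed sample records, shaped like a flattened export of the SAP user
# master (user name, user group, lock flag, assigned profiles, assigned roles).
# The field names are an assumption for this example, not a real SAP table layout.
SAMPLE_USERS: List[Dict] = [
    {"bname": "DDIC", "class": "SUPER", "locked": False,
     "profiles": ["SAP_ALL", "SAP_NEW"], "roles": []},
    {"bname": "SAP*", "class": "SUPER", "locked": True,
     "profiles": [], "roles": []},
    {"bname": "JDOE", "class": "", "locked": False,
     "profiles": [], "roles": ["Z_DEVELOPER"]},
]

# Assumed policy: 40 characters drawn from four character classes. The real
# policy is whatever the system's login/* profile parameters enforce.
PASSWORD_LENGTH = 40
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def has_all_classes(password: str) -> bool:
    """True if the password contains lower, upper, digit and special characters."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def generate_unknown_password(length: int = PASSWORD_LENGTH) -> str:
    """Return a random password that is set on DDIC and then deliberately discarded.

    The point of the rotation proposal is that nobody retains this value: the
    caller sets it (SU01 or an equivalent), never logs or stores it, and
    generates a new one after each approved use.
    """
    if length < 12:
        raise ValueError("refusing to generate a short password")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def audit_ddic(users: List[Dict]) -> List[str]:
    """Check the DDIC record against the recommendations given in this thread.

    Returns a list of findings; an empty list means DDIC is in the 'not in use'
    state: present, unlocked, in group SUPER, with no roles and no profiles.
    """
    findings = []
    ddic = next((u for u in users if u["bname"] == "DDIC"), None)
    if ddic is None:
        return ["DDIC is missing; the thread advises against deleting it"]
    if ddic["locked"]:
        findings.append("DDIC is locked; the thread advises against locking it")
    if ddic["class"] != "SUPER":
        findings.append(f"DDIC is in group {ddic['class']!r}, expected SUPER")
    if ddic["profiles"]:
        findings.append("DDIC still has profiles: " + ", ".join(ddic["profiles"]))
    if ddic["roles"]:
        findings.append("DDIC still has roles: " + ", ".join(ddic["roles"]))
    return findings


def hardened_copy(users: List[Dict]) -> List[Dict]:
    """Return a copy of the export with DDIC stripped of all roles and profiles."""
    return [dict(u, profiles=[], roles=[]) if u["bname"] == "DDIC" else dict(u)
            for u in users]


if __name__ == "__main__":
    for finding in audit_ddic(SAMPLE_USERS):
        print("FINDING:", finding)
    assert audit_ddic(hardened_copy(SAMPLE_USERS)) == []
    # Set the generated value on DDIC, then drop it; it is intentionally not printed.
    _new_password = generate_unknown_password()
    print("generated a fresh DDIC password (not shown); set it and discard it")
```

Run the audit against a real export after each rotation and after each upgrade window: the findings list is what the Basis team signs off on before DDIC goes back to the "not in use" state, and the generated password should only ever exist in the process memory of the tool that sets it.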


Hi Prasanth,

It is a best practice to secure the password of DDIC in a safe repository. Usually the Basis team or IT Manager will have the keys to the repository when the password is required for logging in with DDIC.

It is always a good practice to remove all Roles and Profiles so that even if, in the slightest chance, the password leaks, anybody else who may log in with DDIC can do no harm to the SAP system.

Regards,

Kiran Kandepalli.