on 09-06-2009 9:15 AM
There are several settings that are installed by default by SAP NetWeaver and granted to <sapsid>adm. Can someone advise why this account needs the below settings to work/function:
- Access this computer from network
- Act as part of the operating system
- Replace a process-level token
I would like to remove <sapsid>adm from these settings, as there may be security vulnerabilities when these settings are given. Is it possible to remove it and have SAP work as per normal?
You can try, but you won't get very far.
You can restrict the OS access of the <SID>ADM to some degree, but the application server integration with the OS is needed for various reasons - not least of which is the file system.
Users can then also access the OS from the application, but you can control this via admin type authorizations and the native controls in the ABAP language itself.
Cheers,
Julius
ps: Please don't cross-post...
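Before changing any of the three rights named in the question, it helps to record who currently holds them. The following is an added example, not part of the original posts and not SAP code: it parses the `[Privilege Rights]` section of a `secedit /export /cfg` policy dump. The sample text and the account name `c11adm` are constructed, and the function names are hypothetical.

```python
# Added example: audit a secedit policy export for the three rights in this thread.
RIGHTS = {  # Windows user-right constant -> wording used in the question
    "SeNetworkLogonRight": "Access this computer from network",
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeAssignPrimaryTokenPrivilege": "Replace a process-level token",
}

# Constructed sample export; the account name c11adm is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545,c11adm
SeTcbPrivilege = c11adm
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,c11adm
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right_constant: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes resolvable principals as *SID; drop the marker.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def holders_report(inf_text, account):
    """Per right: does `account` (name or SID, as exported) hold it, and who else does?"""
    parsed = parse_privilege_rights(inf_text)
    report = {}
    for const, label in RIGHTS.items():
        principals = parsed.get(const, [])
        held = any(p.lower() == account.lower() for p in principals)
        others = [p for p in principals if p.lower() != account.lower()]
        report[label] = {"held": held, "others": others}
    return report

if __name__ == "__main__":
    for label, info in holders_report(SAMPLE_INF, "c11adm").items():
        print(f"{label}: held={info['held']} others={info['others']}")
```

On a real system the export often lists the account by SID rather than by name, so pass the SID in that case.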
Sorry for the cross-post, as I do not really know whether this post is relevant in this section.
Thank you for the reply.
Is there any way to obtain documentation / SAP Notes to highlight the implications if these settings are removed from the <sid>adm?
I am trying to convince my system administrator to issue me the rights and any guidelines or documentation will really help my case.
I am also really interested in how the <sid>adm makes use of these settings in its NetWeaver operations. Is there any source to explain how these settings are being used?
So far, the sources that I have found just mention giving the rights but do not explain why these rights are needed.
> I am trying to convince my system administrator to issue me the rights and any guidelines or documentation will really help my case.
Your system admin is doing his / her job very thoroughly...
OS admins are unlikely to be spending much time in the (application) security forum... so thread moved to NW Admin forum...
Cheers,
Julius