on 09-07-2009 4:59 PM
Hello everyone,
I would like to clarify the impact of blocking a user. More particularly the impact on the background jobs.
I create a normal user, and i assign to it a standard job. The job runs OK. Now i block this user, and i relaunch this job --> the job fails with reason that the user is locked.
When i do the same for DDIC, this doesn't happen, say i trigger a background job using DDIC, even though DDIC is locked, the job still continues.
How come it works with DDIC and not with another user ?
Also, i thought that the result of blocking a user was only to unable it to LOG onto the system. Am i wrong ?
Thanks in advance for your help.
Kr,
a
Hi all,
Thanks for your answers, they helped me.
I've done some test cases. Actually DDIC behaves like any other user when locked --> the job fails.
Also, when DDIC is locked due to incorrect logons, then the job doesn't fail.
So it's strange then what SAP recommends from their security audit --> they recommend to block DDIC, SAP* and such. How are the jobs supposed to run then ?
Thanks,
a
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi all,
Jobs that are scheduled with the help of DDIC or SAP* would run even after the user is locked.
This happens because when a job runs, the shared user memory area occupied by this work process is utilized by the system for all the other users except for these two super users. So no matter whether DDIC is locked or not, the job would run.
hope this helps.
regards,
Sree.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
>>create a normal user, and i assign to it a standard job. The job runs OK. Now i block this user, and i relaunch this job --> the >>job fails with reason that the user is locked.
That's correct
>>When i do the same for DDIC, this doesn't happen, say i trigger a background job using DDIC, even though DDIC is locked, the >>job still continues.
In this point i agree with Anindya, either the job is only scheduled by DDIC and runs with another user which you can check in Step, or the job runs in some another client where user DDIC is not locked.
Regards,
Subhash
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Not sure for DDIC but if you lock an user under whose name a job is supposed to run, the job will definitely fail. But you should check whether its the user who created the job or the user under whose name the job is running.
Initial screen of SM37 shows you the name of the job creator, if that user is locked..no problem job will still run..provided job is running under different user id. You can check that from "STEP" of a job.
For DDIC, if it is 000 client, and DDIC is locked by "Incorrect Logon" I observed jobs to run with DDIC. But if it is "Administrator Lock", job fails. From SUIM try to finf how DDIC was locked.
You can try the same for other client as well.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
95 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.