cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Locking of User DDIC in Production client

Adamrog00
Explorer

on ‎10-21-2009 1:29 PM

0 Kudos

Hi Guys

It was requested by our security team that DDIC should be locked in our production client, will I as a Basis Administrator have issues with certain jobs. I know when importing transports via STMS the background jobs get scheduled via DDIC in client 000 and only when I have an issue with transports whereby transports are locked I have to run RDDNEWPP using DDIC in client 000 and the production client to reschedule jobs. Will I have any other issues if DDIC is locked in production client?

Regards

Roger

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

anindya_bose
Active Contributor
‎10-22-2009 8:00 AM
0 Kudos

Roger, you can lock DDIC in all other clients except 000. If you lock in 000, your transports will fail.

Still you can lock DDIC in 000 client also without impacting transports. How?

Lock DDIC in 000 by "Incorrect logon"...but not by "Administrator" . If DDIC is locked by "Incorect logon" i.e by using wrong password many times, then transport will not be impacted

SAP is very intelligent we must say.!

Show replies
Show replies
Former Member
‎10-21-2009 3:28 PM
0 Kudos

Hi,

SAP recommends to lock the user sap* and change parameter for it. As far as DDIC goes, change the password and maintian its user master record and remove its profiles. Activate or add the profiles in the maintainance windows like upgrades or patching cycles.

Regards,

Gowrinadh

Show replies
Show replies
former_member227283
Active Contributor
‎10-21-2009 1:56 PM
0 Kudos

Hi Roger,

You can lock the user DDIC in all the client Except 000

Thanks

Anil

Show replies
Show replies
Former Member
‎10-21-2009 3:18 PM
0 Kudos

I don't think it is a good idea to lock DDIC permanently in your production client, especially NOT during maintenance tasks !

Example, when you upgrade, install an Enhancement Package, ... there is always the risk that you need to connect to the prod system/client to do some operations.

In case when a shadow instance is used only SAP* and DDIC are allowed to logon in the production client because the client is locked.

Also pay attention that some of the calls coming from your Solution Manager for example run with DDIC also in your production client because the Solman RFCs use trusted RFC and most of the time use DDIC as user !!

RDDIMPDP that runs when you import requests runs most of the time with DDIC in client 000 but NOT always, for specific transports the job with another name runs with DDIC in your production client !

Wim

Edited by: Wim Van den Wyngaert on Oct 21, 2009 4:18 PM

former_member185031
Active Contributor
‎10-21-2009 1:35 PM
0 Kudos

Nope. We have aleready using the same thing due to the Security purpose. You need to check the job scheduled by DDIC and have to change the job. There are not any other issue

Regards,

Subhash

Show replies
Show replies
Ask a Question