12-15-2009 3:20 PM
In order to secure the standard users DDIC and SAP* against misuse, I
planned to change them into SYSTEM accounts instead of DIALOG.
Are there, in the case of a standard SAP implementation, any indications that
we shouldn't do this?
In the guidelines and forums I couldn't find any arguments against
such a situation.
The SAP* account is further secured by setting the system profile
parameter 'logon/no_automatic_user_sapstar' to 1.
Thanks in advance for your reactions.
With kind regards,
Edwin Stam
12-15-2009 3:46 PM
Hi Edwin,
I can't see why this would be an issue in the majority of "everyday" situations you will get.
Personally I find the usual restrictions to be adequate - lock, delete access, set SAP* param etc. Changing the user type is an additional level of "belt & braces".
12-16-2009 8:06 AM
Alex, thanks for your response.
Let me make it more specific: are there any regular processes in a standard SAP system that are directly connected to, linked to, or dependent on the SAP standard accounts DDIC and SAP*? And if so, will these processes be influenced if I change the two accounts from dialog into system accounts?
12-16-2009 2:23 PM
As of release 7.00 EhP1 there is a new procedure for this.
See --> and the link to the help.sap.com documentation.
The users are already blocked from authenticating via trusted RFC. Changing the user type to system will also prevent them from being used on the issuing system for SAP Logon Tickets as well as attaching a SAPGui to a logon session in the backend systems. You can also disable the password in SU01 (which will delete the password hash).
Alcatraz for standard users...
Cheers,
Julius
Edited by: Julius Bussche on Dec 16, 2009 3:28 PM
12-22-2009 10:52 PM
The better approach is to lock both accounts (SAP*, DDIC) and to unlock them only on demand, e.g. when planning to perform an upgrade. Instead of SAP* (known username) you should create individual administrative accounts (one per administrative user) with reduced authorizations (keyword: segregation of duties). SAP* is required for the initial setup of a system (bootstrapping) only. And the so-called emergency user account (SAP* with hardcoded password) should only be activated in cases of emergency (i.e., when you have locked yourself out: no other user with administrative authorizations is able to log on to the system).
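The hardening described in the two replies above (system user type, administrator lock, deactivated password, and the profile parameter, which is spelled login/no_automatic_user_sapstar in SAP profiles) can be checked mechanically. The following script is an added example written for this page, not code posted by any participant: it parses a DEFAULT.PFL-style profile fragment and a tab-separated export of a few USR02 columns and reports every deviation for SAP* and DDIC per client. The USR02 column names (MANDT, BNAME, USTYP, UFLAG, BCODE, PASSCODE, PWDSALTEDHASH), the user-type codes and the UFLAG lock bits are assumptions from general SAP knowledge, and the sample profile and export are constructed, with a placeholder instead of a real hash.

```python
"""Audit SAP* and DDIC against the hardening discussed in the thread.

Added example (not from the original posts). Input is a profile fragment
and a simplified, constructed USR02 export; column names and lock-bit
values are assumptions and may need adjusting for a real export.
"""

# Assumed USR02-USTYP codes (user types) and UFLAG lock bits.
USTYP_NAMES = {"A": "Dialog", "B": "System", "C": "Communication",
               "L": "Reference", "S": "Service"}
UFLAG_ADMIN_LOCK = 64        # locked by administrator (assumed bit value)
UFLAG_LOGON_FAIL_LOCK = 128  # locked after failed logons (assumed bit value)
STANDARD_USERS = ("SAP*", "DDIC")
HASH_FIELDS = ("BCODE", "PASSCODE", "PWDSALTEDHASH")  # password hash columns

# Constructed DEFAULT.PFL fragment: the parameter is set as the poster proposed.
PROFILE = """# constructed profile fragment
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1
login/min_password_lng = 8
"""

# Constructed USR02 export (tab-separated, header row). "<hash>" stands in
# for a stored password hash; empty fields mean the password is deactivated.
USR02_EXPORT = "\n".join([
    "\t".join(["MANDT", "BNAME", "USTYP", "UFLAG", "BCODE", "PASSCODE", "PWDSALTEDHASH"]),
    "\t".join(["000", "SAP*", "B", "64", "", "", ""]),        # hardened as proposed
    "\t".join(["000", "DDIC", "A", "0", "", "", "<hash>"]),   # untouched default
    "\t".join(["100", "SAP*", "B", "0", "", "", ""]),         # system type but unlocked
    "\t".join(["100", "EDWIN", "A", "0", "", "", "<hash>"]),  # ordinary user, ignored
])


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def parse_usr02(text):
    """Parse a tab-separated export with a header row into a list of dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def audit_standard_users(profile, rows):
    """Return a list of human-readable findings; an empty list means all good."""
    findings = []
    if profile.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar is not set to 1")
    for row in rows:
        if row["BNAME"] not in STANDARD_USERS:
            continue
        who = f"{row['BNAME']} in client {row['MANDT']}"
        ustyp = row["USTYP"]
        if ustyp != "B":
            findings.append(f"{who}: user type is {USTYP_NAMES.get(ustyp, ustyp)}, "
                            "expected System")
        uflag = int(row["UFLAG"] or 0)
        if not uflag & UFLAG_ADMIN_LOCK:
            findings.append(f"{who}: not locked by administrator (UFLAG={uflag})")
        if any(row.get(field) for field in HASH_FIELDS):
            findings.append(f"{who}: a password hash is still stored "
                            "(password not deactivated)")
    return findings


def run_sample():
    """Audit the constructed sample data and return its findings."""
    return audit_standard_users(parse_profile(PROFILE), parse_usr02(USR02_EXPORT))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed data the script flags DDIC in client 000 three times (dialog type, no administrator lock, hash still stored) and SAP* in client 100 once (unlocked), while SAP* in client 000 passes. A real run would need the USR02 export per client and the effective profile of every instance, since the parameter can be set in an instance profile as well as in DEFAULT.PFL.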
12-25-2009 1:55 PM