DDIC and SAP* changing into usertype system

Former Member
0 Kudos

In order to secure the standard users DDIC and SAP* against misuse, I planned to change them into SYSTEM accounts instead of DIALOG.

Are there, in the case of a standard SAP implementation, any indications that we shouldn't do this?

In the guidelines and forums I couldn't find any arguments against such a situation.

The SAP* account is further secured by setting the system profile parameter 'logon/no_automatic_user_sapstar' to 1.

Thanks in advance for your reactions.

With kind regards,

Edwin Stam

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Edwin,

I can't see why this would be an issue in the majority of "everyday" situations you will get.

Personally I find the usual restrictions to be adequate - lock, delete access, set SAP* param etc. Changing the user type is an additional level of "belt & braces".

6 REPLIES 6

0 Kudos

Alex, thanks for your response.

Let me make it more specific: are there any regular processes in a standard SAP system that are directly connected to, linked to or dependent on the SAP standard accounts DDIC and SAP*? And if so, will these processes be influenced if I change the 2 accounts from dialog into system accounts?

0 Kudos

Not as standard.

Former Member
0 Kudos

As of release 7.00 EhP1 there is a new procedure for this.

See --> and the link to the help.sap.com documentation.

The users are already blocked from authenticating via trusted RFC. Changing the user type to system will also prevent them from being used on the issuing system for SAP Logon Tickets as well as attaching a SAPGui to a logon session in the backend systems. You can also disable the password in SU01 (which will delete the password hash).

Alcatraz for standard users...

Cheers,

Julius

Edited by: Julius Bussche on Dec 16, 2009 3:28 PM

WolfgangJanzen
Product and Topic Expert
0 Kudos

The better approach is to lock both accounts (SAP*, DDIC) and to unlock them only on demand, e.g. when planning to perform an upgrade. Instead of SAP* (known username) you should create individual administrative accounts (one per administrative user) with reduced authorizations (keyword: segregation of duty). SAP* is required only for the initial setup of a system (bootstrapping). And the so-called emergency user account (SAP* with hardcoded password) should only be activated in cases of emergency (i.e. when you have locked yourself out: no other user with administrative authorizations is able to log on to the system).
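One way to check the measures discussed in this thread (user type, administrator lock, the SAP* profile parameter) for every client, as an added example that is not code from any of the posters. It assumes a CSV export of the USR02 columns MANDT, BNAME, USTYP and UFLAG, and that the value of the profile parameter (login/no_automatic_user_sapstar in the system profile) is passed in by hand; the sample rows and the function name are constructed.

```python
import csv
import io

# Constructed sample: USR02 columns exported as CSV (MANDT = client,
# BNAME = user, USTYP = user type, UFLAG = lock flags). Not real system data.
SAMPLE_USR02 = """MANDT,BNAME,USTYP,UFLAG
000,SAP*,B,64
000,DDIC,A,0
001,DDIC,B,64
001,ADMIN_JD,A,0
"""

DIALOG = "A"                 # USTYP: A = dialog, B = system
ADMIN_LOCK_BITS = 32 | 64    # UFLAG: 32 = global admin lock, 64 = local admin lock
STANDARD_USERS = ("SAP*", "DDIC")


def audit_standard_users(usr02_csv, no_automatic_user_sapstar):
    """Return (client, user, finding) tuples for SAP* and DDIC, per client."""
    records, clients = {}, set()
    for row in csv.DictReader(io.StringIO(usr02_csv)):
        clients.add(row["MANDT"])
        if row["BNAME"] in STANDARD_USERS:
            records[(row["MANDT"], row["BNAME"])] = (row["USTYP"], int(row["UFLAG"]))

    findings = []
    for client in sorted(clients):
        for user in STANDARD_USERS:
            rec = records.get((client, user))
            if rec is None:
                # No user master record: for SAP* the hardcoded emergency user
                # is available unless the profile parameter is set to 1.
                if user == "SAP*" and no_automatic_user_sapstar != 1:
                    findings.append((client, user, "no record, emergency user active"))
                continue
            ustyp, uflag = rec
            if ustyp == DIALOG:
                findings.append((client, user, "user type is dialog"))
            if not uflag & ADMIN_LOCK_BITS:
                # A lock from failed logons alone (UFLAG 128) is not counted here.
                findings.append((client, user, "not locked by administrator"))
    return findings


if __name__ == "__main__":
    for finding in audit_standard_users(SAMPLE_USR02, no_automatic_user_sapstar=0):
        print(*finding)
```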
