Question on DDIC user

Former Member
0 Kudos

Our Security team has disabled the DDIC user in all clients in our development landscape causing the TMS job RDDIMPDP to fail.

I need some guidance on what SAP's best practices are for the user DDIC and whether or not it should be disabled in client 000. I would also like to know if I can substitute DDIC for another user and what roles or profiles the user would need.

Thanks in advance.

Accepted Solutions (1)

Former Member
0 Kudos

Thanks to everyone for their comments.

Unfortunately, what I'm really looking for is a document that states that SAP best practices recommend not disabling the DDIC account. This is so I will have justification to keep the account enabled.

I will leave this thread open for another week then close it.

Thanks

Former Member
0 Kudos

Hi,

unfortunately what I'm really looking for is a document that states that the SAP best practices recommends not disabling the DDIC account.

Just visit the link below. It will answer all your questions regarding SAP Best Practice...

http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm

Regards

Rajesh Narkhede

90070279
Participant
0 Kudos

The DDIC user maintains the ABAP dictionary and software logistics. The system automatically creates a user master record for user SAP* and DDIC in client 000 when the SAP System is installed. This is the only user who can log on to the SAP System during a release upgrade.

Do not delete or lock user DDIC because it is required for certain installation and set-up tasks. User DDIC needs extensive authorization. As a result, the profile SAP_ALL is allocated to it. The users, SAP* and DDIC, should be assigned to user group SUPER to prevent unauthorized users from changing or deleting their user master record.
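
As an added example (not part of the original thread and not SAP tooling), the recommendations in the post above can be checked against an export of the user table USR02. The field names MANDT, BNAME, UFLAG and CLASS are USR02 fields; the CSV layout, the sample rows and the finding codes are constructed for illustration.

```python
import csv
import io

# Constructed sample rows in the layout of a USR02 export (assumed CSV format).
# UFLAG is the lock bit field, CLASS is the user group.
SAMPLE_EXPORT = """MANDT,BNAME,UFLAG,CLASS
000,DDIC,64,SUPER
000,SAP*,0,SUPER
001,DDIC,0,
100,DDIC,128,SUPER
"""

LOCK_BITS = {32: "locked by CUA administrator",
             64: "locked by administrator",
             128: "locked after failed logons"}


def describe_lock(uflag):
    """Decode the UFLAG bit field into the lock reasons that are set."""
    return [text for bit, text in LOCK_BITS.items() if uflag & bit]


def audit_standard_users(export_text):
    """Return (client, user, code, detail) findings for DDIC and SAP*."""
    findings = []
    ddic_in_000 = False
    for row in csv.DictReader(io.StringIO(export_text)):
        client = row["MANDT"].strip()
        user = row["BNAME"].strip().upper()
        if user not in ("DDIC", "SAP*"):
            continue
        uflag = int(row["UFLAG"] or 0)
        if user == "DDIC":
            ddic_in_000 = ddic_in_000 or client == "000"
            if uflag:  # a locked DDIC is what made RDDIMPDP fail in the thread
                findings.append((client, user, "LOCKED",
                                 ", ".join(describe_lock(uflag)) or f"UFLAG={uflag}"))
        if (row["CLASS"] or "").strip() != "SUPER":
            findings.append((client, user, "NOT_IN_SUPER",
                             "user group SUPER not assigned"))
    if not ddic_in_000:
        findings.append(("000", "DDIC", "MISSING", "no DDIC record in client 000"))
    return findings


if __name__ == "__main__":
    for finding in audit_standard_users(SAMPLE_EXPORT):
        print(*finding, sep="  ")
```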

Answers (5)

Former Member
0 Kudos

Clients 000, 001 and 066 should be administered by basis folks. Security should only work on working clients. Ask security to get out of client 000. DDIC user should never be removed from these SAP clients.

Former Member
0 Kudos

Hi Ed Bullard,

Just bring back the DDIC user; remember, functionality over security is often applied. For security of the DDIC account, you may also try to change its USER TYPE to system in SU01 so that no one can log this user in to SAP even if they know the password. Never tried it though, but it should work theoretically.

Thank you.

Joel

0 Kudos

It's a mandatory requirement that job RDDIMPDP should only be scheduled using DDIC. So if you lock your DDIC user you will face problems with your SP and transport import. Ask your administrator to keep this user open. They can apply strict password restrictions if desired.

former_member227283
Active Contributor
0 Kudos

Hi,

If there is a requirement, then you can lock the DDIC user in all clients except 000.

This is because all the background jobs require a reference to the DDIC user, which is present in client 000.

If DDIC is locked in client 000, then most of the background jobs will fail, and you will also get errors while transporting requests from one system to another. The transport request mechanism works with a DDIC user reference.

Thanks

Anil

Former Member
0 Kudos

Hi,

If the user doesn't have SAP_ALL authorization, you will need to provide authorizations for object S_TRANSPRT to the concerned user.

The above authorization is required for TRANSPORT REQUEST operations (Create, Import, Delete, Release etc.)

Regards.

Rajesh Narkhede