on 04-30-2010 7:21 AM
Our Security team has disabled the DDIC user in all clients in our development landscape causing the TMS job RDDIMPDP to fail.
I need some guidance on what SAP's best practices are for the user DDIC and whether or not it should be disabled in client 000. I would also like to know if I can substitute DDIC for another user and what roles or profiles the user would need.
Thanks in advance.
Thanks to everyone for their comments.
Unfortunately, what I'm really looking for is a document that states that the SAP best practices recommend not disabling the DDIC account. This is so I will have justification to keep the account enabled.
I will leave this thread open for another week then close it.
Thanks
Hi,
unfortunately what I'm really looking for is a document that states that the SAP best practices recommends not disabling the DDIC account.
Just visit the link below. It will answer all your questions regarding SAP Best Practice...
http://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm
Regards
Rajesh Narkhede
The DDIC user maintains the ABAP dictionary and software logistics. The system automatically creates a user master record for user SAP* and DDIC in client 000 when the SAP System is installed. This is the only user who can log on to the SAP System during a release upgrade.
Do not delete or lock user DDIC because it is required for certain installation and set-up tasks. User DDIC needs extensive authorization. As a result, the profile SAP_ALL is allocated to it. The users, SAP* and DDIC, should be assigned to user group SUPER to prevent unauthorized users from changing or deleting their user master record.
Clients 000, 001 and 066 should be administered by basis folks. Security should only work on working clients. Ask security to get out of client 000. DDIC user should never be removed from these SAP clients.
Hi Ed Bullard,
Just bring back the DDIC user; remember, functionality over security is often applied. For security in the DDIC account, you may also try to change its USER TYPE to system in SU01 so that no one can log this user in to SAP even if they know the password. Never tried it though, but it should work theoretically.
Thank you.
Joel
It's a mandatory requirement that job RDDIMPDP should only be scheduled using DDIC. So if you lock your DDIC user you will face problems with your SP and transport import. Ask your administrator to keep this user open. They can apply strict password restrictions if desired.
Hi,
If there is a requirement, then you can lock the DDIC user in all clients except 000.
This is because all the background jobs require a reference to the DDIC user, which is present in client 000.
If DDIC is locked in client 000, then most of the background jobs will fail, and you will also get errors while transporting requests from one system to another. The transport request mechanism works with the DDIC user reference.
Thanks
Anil
Hi,
If the user doesn't have SAP_ALL authorization, you will need to provide authorizations for object S_TRANSPRT to the user concerned.
The above authorization is required for TRANSPORT REQUEST operations (Create, Import, Delete, Release etc.)
Regards.
Rajesh Narkhede
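The checks discussed in the replies above can be run against a user-master export before and after a hardening change. This is an added example, not code from the thread or from SAP: it assumes a CSV export of table USR02 with the columns MANDT, BNAME, USTYP, CLASS and UFLAG, uses constructed sample rows, and the severity labels are this example's own.

```python
import csv
import io

# Constructed sample rows, shaped like a CSV export of USR02 (assumed format).
# MANDT=client, BNAME=user, USTYP=user type, CLASS=user group, UFLAG=lock flags.
SAMPLE_USR02 = """MANDT,BNAME,USTYP,CLASS,UFLAG
000,DDIC,A,SUPER,64
001,DDIC,A,,64
100,DDIC,B,SUPER,0
000,SAP*,A,SUPER,0
200,DDIC,A,SUPER,192
"""

# Commonly documented UFLAG bits; a value can combine several (192 = 64 + 128).
LOCK_BITS = {32: "centrally by administrator",
             64: "by administrator",
             128: "after failed logons"}
STANDARD_USERS = {"DDIC", "SAP*"}


def lock_reasons(uflag):
    """Decode the UFLAG bitmask into a list of lock reasons."""
    return [text for bit, text in LOCK_BITS.items() if uflag & bit]


def audit(csv_text):
    """Return (client, user, severity, message) findings for DDIC and SAP*."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["BNAME"].strip().upper()
        if user not in STANDARD_USERS:
            continue
        client = row["MANDT"].strip()
        reasons = lock_reasons(int(row["UFLAG"] or 0))
        if user == "DDIC" and reasons:
            # Replies above: a locked DDIC in client 000 breaks RDDIMPDP/transports.
            severity = "HIGH" if client == "000" else "REVIEW"
            findings.append((client, user, severity, "locked " + ", ".join(reasons)))
        if row["CLASS"].strip().upper() != "SUPER":
            findings.append((client, user, "MEDIUM", "not in user group SUPER"))
        if user == "DDIC" and row["USTYP"].strip().upper() == "A":
            # One reply suggests a System user type to block interactive logon.
            findings.append((client, user, "INFO", "dialog user type, interactive logon possible"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USR02):
        print(*finding, sep=" | ")
```
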