Systems user type

Former Member
0 Kudos

Hi, can anyone help me understand the risks with System Users having SAP_ALL please?

Accepted Solutions (1)

Former Member
0 Kudos

Yes, System users can't log in directly to the system. And it has a license attached & the password can't be changed...

However, auditors don't buy it...

Per the auditors, SAP_ALL itself is a risk...

Regards,

Surpreet

Answers (3)

Former Member
0 Kudos

Also, from a GRC perspective, SAP provides an SAP note... required authorization for users used in JCO connections or AE connectors...

Former Member
0 Kudos

I'm wondering if we are confusing the conversation with assigning a system user ID with the profiles SAP_ALL, SAP_NEW and usage of SAP*?

Some system IDs used for data loads etc. may need SAP_ALL to ensure successful completion. The idea that a user can't log on directly using a system ID is the reason why adding SAP_ALL is OK.

Former Member
0 Kudos

Hi,

As mentioned in the earlier post, System users are meant for Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA). However, if the password is trivial, users may use the system user which has SAP_ALL for the RFC connections which opens risks.

In fact, this is one of the reasons why auditors are very keen on looking at these IDs. Further, it is always recommended to clone the SAP_ALL profile into a role, and remove/limit certain critical authorizations such as Basis, CA etc., and assign it to the system users. Also, if you can find out the exact requirement on what access is required for the system user, it is better to create a role and assign the same. Even though it is time consuming, it helps you to close most of the risks.

Hope this clarifies.

Warm Regards,

Raghu

Edited by: Raghu Boddu on Nov 8, 2010 9:17 PM
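
An added example, not part of the original thread: a check that lists system and communication users holding SAP_ALL or SAP_NEW, the IDs the post above says auditors look at. It assumes CSV exports of the user master table USR02 (BNAME, USTYP) and the profile assignment table UST04 (BNAME, PROFILE); the sample rows and the function name are constructed for illustration.

```python
import csv
import io

# Constructed sample data, shaped like exports of USR02 (user master:
# BNAME, USTYP) and UST04 (profile assignments: BNAME, PROFILE).
USR02_CSV = """BNAME,USTYP
JSMITH,A
ALE_REMOTE,B
RFC_CUA,C
WF-BATCH,B
TMSADM,C
FIREFIGHT1,S
"""
UST04_CSV = """BNAME,PROFILE
JSMITH,Z_FI_CLERK
ALE_REMOTE,SAP_ALL
RFC_CUA,Z_CUA_CHILD
WF-BATCH,SAP_ALL
WF-BATCH,SAP_NEW
TMSADM,S_A.TMSADM
FIREFIGHT1,SAP_ALL
"""

# USTYP codes: A dialog, B system, C communication, L reference, S service.
NON_DIALOG = {"B": "System", "C": "Communication"}
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}


def flag_broad_technical_users(usr02_text, ust04_text):
    """Return sorted (user, type, profiles) for system/communication users
    holding SAP_ALL or SAP_NEW (hypothetical helper for this example)."""
    types = {r["BNAME"].strip().upper(): r["USTYP"].strip().upper()
             for r in csv.DictReader(io.StringIO(usr02_text))}
    hits = {}
    for row in csv.DictReader(io.StringIO(ust04_text)):
        user = row["BNAME"].strip().upper()
        profile = row["PROFILE"].strip().upper()
        # Users missing from USR02 have no type and are skipped here.
        if profile in BROAD_PROFILES and types.get(user) in NON_DIALOG:
            hits.setdefault(user, set()).add(profile)
    return [(u, NON_DIALOG[types[u]], sorted(p)) for u, p in sorted(hits.items())]


if __name__ == "__main__":
    for user, utype, profiles in flag_broad_technical_users(USR02_CSV, UST04_CSV):
        print(f"{user:<12} {utype:<14} {', '.join(profiles)}")
```

Each flagged ID is a candidate for the cloned, reduced role the post recommends; the service user in the sample is deliberately out of scope of this check.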