on 11-08-2010 10:53 AM
Hi, can anyone help me understand the risks with System Users having SAP_ALL please?
Yes, System users can't log in directly to the system. And it has a license attached & the password can't be changed...
However, auditors don't buy it...
Per auditors, SAP_ALL itself is a risk...
Regards,
Surpreet
Also, from a GRC perspective, SAP provides an SAP note... required authorization for users used in JCO connections or AE connectors...
I'm wondering if we are confusing the conversation with assigning a system user ID with the profiles SAP_ALL, SAP_NEW and usage of SAP*?
Some system IDs used for data loads etc. may need SAP_ALL to ensure successful completion. The idea that a user can't log on directly using a system ID is the reason why adding SAP_ALL is OK.
Hi,
As mentioned in the earlier post, System users are meant for Background processing and communication within a system (such as RFC users for ALE, Workflow, TMS, and CUA). However, if the password is trivial, users may use the system user which has SAP_ALL for the RFC connections which opens risks.
In fact, this is one of the reasons why auditors are very keen on looking at these IDs. Further, it is always recommended to clone the SAP_ALL profile into a role, remove/limit certain critical authorizations such as Basis, CA etc., and assign it to the system users. Also, if you can find out the exact requirement on what access is required for the system user, it is better to create a role and assign the same. Even though it is time consuming, it helps you to close most of the risks.
Hope this clarifies.
Warm Regards,
Raghu
Edited by: Raghu Boddu on Nov 8, 2010 9:17 PM
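An added example, not part of any post in this thread: one way to list the IDs auditors ask about, by joining CSV exports of the user tables USR02 (user type) and UST04 (assigned profiles) and flagging non-dialog users that hold SAP_ALL or SAP_NEW. The CSV layout with headers MANDT, BNAME, USTYP and PROFILE is an assumption about how the tables were exported, and the sample rows are constructed.

```python
import csv
import io

# USR02-USTYP values for users that cannot log on via dialog
NON_DIALOG_TYPES = {"B": "System", "C": "Communication"}
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}

# Constructed sample exports (assumed CSV layout), not data from a real system
USR02_CSV = """MANDT,BNAME,USTYP
100,ALEREMOTE,B
100,BATCH_LOAD,B
100,JSMITH,A
100,RFC_CUA,C
200,BATCH_LOAD,B
"""

UST04_CSV = """MANDT,BNAME,PROFILE
100,ALEREMOTE,SAP_ALL
100,ALEREMOTE,SAP_NEW
100,BATCH_LOAD,Z_LOAD_PROFILE
100,JSMITH,SAP_ALL
100,RFC_CUA,SAP_ALL
200,BATCH_LOAD,SAP_NEW
300,ORPHAN,SAP_ALL
"""


def find_broad_technical_users(usr02_text, ust04_text):
    """Return (client, user, type, profiles) for non-dialog users with SAP_ALL/SAP_NEW."""
    # Map (client, user) -> user type; user names are client-specific
    user_types = {}
    for row in csv.DictReader(io.StringIO(usr02_text)):
        key = (row["MANDT"].strip(), row["BNAME"].strip().upper())
        user_types[key] = row["USTYP"].strip().upper()

    hits = {}
    for row in csv.DictReader(io.StringIO(ust04_text)):
        key = (row["MANDT"].strip(), row["BNAME"].strip().upper())
        profile = row["PROFILE"].strip().upper()
        # Profile rows without a matching USR02 entry are skipped (type unknown)
        if profile in BROAD_PROFILES and user_types.get(key) in NON_DIALOG_TYPES:
            hits.setdefault(key, set()).add(profile)

    return [(client, user, NON_DIALOG_TYPES[user_types[(client, user)]], sorted(profiles))
            for (client, user), profiles in sorted(hits.items())]


if __name__ == "__main__":
    for client, user, utype, profiles in find_broad_technical_users(USR02_CSV, UST04_CSV):
        print(f"client {client}: {user} ({utype}) holds {', '.join(profiles)}")
```

Each flagged ID is a candidate for the approach described above: work out what the interface or job actually needs and assign a dedicated role in place of the broad profile.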