
Production system compliance-SOX

Former Member
0 Kudos

Hi Experts,

I am raising this question for a SOX compliance issue in our ECC production system.

As per the SOX compliance guideline, we should not use the DDIC user except for transports, and we are not using DDIC anywhere in our production environment.

Recently in transaction ST03N we found that the report/program sapstartsrv has been called with user DDIC via RFC calls, which include the function modules RFCPING and TH_GET_PARAMETER.

Kindly give your suggestions on the below:

1. Why program sapstartsrv has been called out with DDIC user with internal RFC destination?

2. How do we prevent this?

Thanks,

Preetha Balan

Accepted Solutions (1)


matej_koudelka
Explorer
0 Kudos

Hi Preetha,

Have you found an answer to this DDIC log entry?

We are currently investigating the same thing on our system.

Thanks,

Matěj

Former Member
0 Kudos

Hi Matej,

We have raised an OSS message to SAP and below is the response; hope this will help you.

==========================================================

There are few web methods in sapstartsrv that connect to the local ABAP instance via RFC to call certain function modules.

Corresponding webmethods calling these function modules are: GetProcessParameter, SetProcessParameter, SetProcessParameter2, ABAPAcknowledgeAlerts, ABAPGetComponentList, ABAPCheckRFCDestinations.

These webmethods are used for certain User actions in SAP MMC / MC and sapcontrol. In recent releases a MYSAPSSO2 ticket for the user defined by profile parameter rdisp/start_service_user (default 000/DDIC) is used, or the caller of the webmethod needs to provide a different ABAP user and password.

This is why you have seen DDIC in the ST03 statistics and SM20 logs.

===========================================================

Thanks,

Preetha Balan
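
An added example, not part of the thread and not SAP's tooling: it reads the effective `rdisp/start_service_user` from profile text and separates DDIC activity that SAP's reply accounts for (sapstartsrv calling RFCPING or TH_GET_PARAMETER) from DDIC activity that still needs review. The event field names, the sample records, the user `SVC_START`, the module `Z_SAMPLE_FM` and the "later assignment wins" rule are assumptions.

```python
DEFAULT_SERVICE_USER = "000/DDIC"  # default quoted in SAP's reply
# Function modules the thread saw sapstartsrv call as DDIC in ST03N
SAPSTARTSRV_FMS = {"RFCPING", "TH_GET_PARAMETER"}

def effective_service_user(profile_text):
    """Return (client, user) configured in rdisp/start_service_user."""
    value = DEFAULT_SERVICE_USER
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment line, or not an assignment
        key, val = (part.strip() for part in line.split("=", 1))
        # Assumption: a later assignment overrides an earlier one.
        if key == "rdisp/start_service_user" and val:
            value = val
    client, _, user = value.partition("/")
    return client, user.upper()

def triage_ddic_events(events, profile_text):
    """Split DDIC events into (explained_by_sapstartsrv, needs_review)."""
    client, user = effective_service_user(profile_text)
    explained, needs_review = [], []
    for ev in events:
        if ev["user"].upper() != "DDIC":
            continue  # only DDIC activity is in scope for this check
        from_start_service = (
            user == "DDIC"  # once the parameter is changed, DDIC is unexplained
            and ev["client"] == client
            and ev["program"].lower() == "sapstartsrv"
            and ev["function_module"] in SAPSTARTSRV_FMS
        )
        (explained if from_start_service else needs_review).append(ev)
    return explained, needs_review

# Constructed sample records (hypothetical field names, not a real export format)
SAMPLE_EVENTS = [
    {"client": "000", "user": "DDIC", "program": "sapstartsrv", "function_module": "RFCPING"},
    {"client": "000", "user": "DDIC", "program": "sapstartsrv", "function_module": "TH_GET_PARAMETER"},
    {"client": "100", "user": "DDIC", "program": "SAPMSSY1", "function_module": "Z_SAMPLE_FM"},
    {"client": "100", "user": "JDOE", "program": "SAPMSSY1", "function_module": "RFCPING"},
]
# Constructed profile text; SVC_START is a hypothetical user name
CUSTOM_PROFILE = "# instance profile\nrdisp/start_service_user = 000/SVC_START\n"

if __name__ == "__main__":
    ok, review = triage_ddic_events(SAMPLE_EVENTS, "")
    print(len(ok), "explained by sapstartsrv,", len(review), "to review")
```

With the parameter pointed at another user, any remaining DDIC entry lands in the review list, including ones from sapstartsrv.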

matej_koudelka
Explorer
0 Kudos

Thank you very much Preetha.

matej_koudelka
Explorer
0 Kudos

Hello experts,

I would like to set parameter rdisp/start_service_user to a different value than the default value DDIC.

Does anybody know what kind of permissions in ABAP the user would need to function properly?

Thank you,

Matěj

Answers (2)


Former Member
0 Kudos

Adding to the above post, we are getting the below trace details in the audit log

Regards,

Preetha Balan

manumohandas82
Active Contributor
0 Kudos

Hi Preetha ,

SAPMSSY1 is an event-controlled program.

Have you configured the Solution Manager system to communicate with the current system?

If yes, check the RFC connections (in SM59) with the Solution Manager and check whether the DDIC user is used for the communication.

Thanks ,

Manu

Former Member
0 Kudos

Hi Manu,

Yes the system is configured with solution manager, but there are no RFC connection with DDIC user.

Thanks,

Preetha Balan

manumohandas82
Active Contributor
0 Kudos

Hi Preetha ,

Have you scheduled any background jobs (Basis standard jobs) using the user DDIC? [You might need to go through each job -> step to find this out.]

Have you recently done any upgrade / patching operations using the SUM tool?

Thanks ,

Manu

Former Member
0 Kudos

Yes Manu, we did upgrade from ehp4 to ehp7. But there are only import jobs that are running using DDIC.

Thanks,

Preetha Balan