on 04-22-2016 5:20 AM
According to SAP, for security purpose, it is okay to lock the user SAP* and DDIC.
I locked them in production area and after a few minutes, I had been receiving errors in Syslog like,
Logon of Jobstep User failed
So I unlocked the users again and the errors has stopped occurring.
what seems to be the problem?
We want to exercise the security options for standard users SAP* and DDIC by locking them but doing so
can affect performance in production area.
any suggestions, thanks
SAP certainly did not recommend to you to lock DDIC... they only recommend changing the user type to prevent SAPGui logins. Possibly some urban legend or bad advise in the internet reached you..
You should research something properly before making changes and the thought of testing it in a sandbox or test system would have immediately shown you where your errors are (in jobs and import events).
Cheers,
Julius
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
Generally most of the batch jobs step user will be set to Non-Personal user so that jobs wont get impacted when some individual user id goes out of validity
Seems in your case DDIC is maintained as step user , so thta is the reason why the errors might be coming when you lock the users . Did you also observe any batch jobs getting impacted during that time
If you really want to lock then you need to check all the jobs change the user to someother non-personal user
Regards,
Murali
Hi Murali,
Thanks for commenting.
Actually our first move was expiring the users then we got such errors.
After that, I saw this recommendation from SAP
http://scn.sap.com/message/16669993
I thought it will be as smooth as how they stated so I suggested to lock DDIC instead of putting expiration. now we end up unlocking SAP* and DDIC
I am new to SAP, 6 months to be exact.
So I am entirely puzzled about what to do.
I would consider your suggestion.
thank you.
more power,
MJ
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Dear Maria,
where exactly you did find the recommendation from SAP to lock the DDIC user? If I follow the link http://scn.sap.com/message/16669993 the same discussion appears there like this one. This is not a good idea to lock DDIC.
Regards, Alwina
Ms. Alwina,
GOOD DAY!
https://help.sap.com/saphelp_nw70/helpdata/EN/3e/cdaccbedc411d3a6510000e835363f/frameset.htm
here's the link.
Thank you.
Maria
Dear Maria,
thank you. Really, this recommendation is in the SAP documentation. If you are really going to lock DDIC, you need to clarify first, which tasks this user is executing in your system and if you can do so. During the upgrade the DDIC user is only the one, who is allowed to connect to the system, some tasks in the ABAP dictionary will not work, some standard batch jobs are running with the DDIC user.
Regards,
Alwina
User | Count |
---|---|
95 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.