DDIC


According to SAP, for security purposes, it is okay to lock the users SAP* and DDIC.

I locked them in the production area and after a few minutes I began receiving errors in Syslog like:

Logon of Jobstep User failed

So I unlocked the users again and the errors have stopped occurring.

What seems to be the problem?

We want to exercise the security options for standard users SAP* and DDIC by locking them, but doing so can affect performance in the production area.

Any suggestions? Thanks.

Accepted Solutions (1)


Former Member

SAP certainly did not recommend to you to lock DDIC... they only recommend changing the user type to prevent SAPGui logins. Possibly some urban legend or bad advice on the internet reached you.

You should research something properly before making changes and the thought of testing it in a sandbox or test system would have immediately shown you where your errors are (in jobs and import events).

Cheers,

Julius

former_member204080
Active Contributor

Hi,

Generally, the step user of most batch jobs will be set to a non-personal user so that jobs won't get impacted when some individual user ID goes out of validity.

It seems that in your case DDIC is maintained as the step user, so that is the reason why the errors might be coming when you lock the users. Did you also observe any batch jobs getting impacted during that time?

If you really want to lock them, then you need to check all the jobs and change the user to some other non-personal user.

Regards,

Murali
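
The check suggested in the reply above (find every pending job whose step user is an account you plan to lock), as an added example that is not part of the original thread. It assumes the job steps have been exported to CSV; the column names, job names, programs and status words below are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of background job steps. In an ABAP system the
# step user is stored per job step (table TBTCP, field AUTHCKNAM); the CSV
# layout and every value below are assumptions made for this example.
SAMPLE_EXPORT = """\
jobname,stepcount,progname,step_user,status
Z_HOUSEKEEPING,1,ZCLEANUP_LOGS,DDIC,released
Z_HOUSEKEEPING,2,ZCLEANUP_SPOOL,BATCH_SVC,released
Z_STATS_COLLECT,1,ZCOLLECT_STATS,ddic,scheduled
Z_OLD_MIGRATION,1,ZMIGRATE,DDIC,finished
Z_MONTH_END,1,ZCLOSE_PERIOD,BATCH_SVC,released
Z_ADHOC_FIX,1,ZFIX_TABLE,SAP*,released
"""

# Only jobs that will still run matter; finished or cancelled ones cannot
# produce a "Logon of Jobstep User failed" entry any more.
PENDING = {"scheduled", "released", "ready", "active"}


def jobs_at_risk(export_text, users_to_lock):
    """Return {user: [(jobname, step, program), ...]} for pending job steps
    whose step user is one of the accounts about to be locked."""
    users = {u.strip().upper() for u in users_to_lock}
    at_risk = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["step_user"].strip().upper()
        status = row["status"].strip().lower()
        if user in users and status in PENDING:
            at_risk[user].append(
                (row["jobname"], int(row["stepcount"]), row["progname"])
            )
    return {user: sorted(steps) for user, steps in at_risk.items()}


def safe_to_lock(export_text, user):
    """True only when no pending job step still runs under this user."""
    return not jobs_at_risk(export_text, [user])


if __name__ == "__main__":
    for user, steps in sorted(jobs_at_risk(SAMPLE_EXPORT, ["DDIC", "SAP*"]).items()):
        print(f"{user}: {len(steps)} pending step(s) would fail if locked")
        for jobname, step, prog in steps:
            print(f"  {jobname} step {step} ({prog})")
```

Run it against a test or sandbox system's export first, and reassign each listed step to a non-personal batch user before locking the account.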

Answers (1)


Hi Murali,

Thanks for commenting.

Actually, our first move was expiring the users; then we got such errors.

After that, I saw this recommendation from SAP

http://scn.sap.com/message/16669993

I thought it would be as smooth as they stated, so I suggested locking DDIC instead of setting an expiration. Now we have ended up unlocking SAP* and DDIC.

I am new to SAP, 6 months to be exact.

So I am entirely puzzled about what to do.

I would consider your suggestion.

Thank you.

More power,

MJ

alwina_enns
Employee

Dear Maria,

Where exactly did you find the recommendation from SAP to lock the DDIC user? If I follow the link http://scn.sap.com/message/16669993, the same discussion as this one appears there. It is not a good idea to lock DDIC.

Regards, Alwina

alwina_enns
Employee

Dear Maria,

Thank you. Really, this recommendation is in the SAP documentation. If you are really going to lock DDIC, you first need to clarify which tasks this user is executing in your system and whether you can do so. During the upgrade, the DDIC user is the only one who is allowed to connect to the system; some tasks in the ABAP dictionary will not work; some standard batch jobs run with the DDIC user.

Regards,
Alwina


Dear Alwina,

Hi there again. Thank you for the recommendations.

My consultant decided not to lock DDIC because the user is used in background jobs.

We decided not to exercise the SAP documents supporting the protection.

Thanks again.