Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP R/3 security problem

Former Member

‎05-12-2007 10:49 AM

0 Kudos

It is clear that the security will happen when you dropped the normal “SAP” & “DDIC” account because the reserved SUPER account with password "PASS" will activate. So, while you lost the normal “SAP” & “DDIC” account, you should notice others people and re-create that as soon as possible.

How to fix the security problem?

4 REPLIES 4

Former Member

‎05-13-2007 8:09 PM

0 Kudos

If you delete DDIC user then it will stay deleted. It will not recreate itself.

As SAP* is a hardcoded user, if you delete it, it will recreate itself with a commonly known password. To prevent this, you need to set profile parameter (via RZ10) login/no_automatic_user_sap* = 1

This will stop SAP* automatically creating itself.

There are a number of other things you should do to restrict SAP*

Change default password

Lock the ID

Remove all profiles (SAP_ALL, SAP_NEW)

Assign to group SUPER

DDIC should also have the password changed from default and be locked when it's not being used.

antonio_steinhuser
Participant

‎05-14-2007 10:29 AM

0 Kudos

Additional you should activate the Security Audit Log for these Super-User with Transaction SM18-SM19.

Gruß

Toni

Former Member

‎05-14-2007 11:21 AM

0 Kudos

Hi,

If the user master record belonging to user SAP* is deleted, it is possible to re-log on with SAP* and initial password PASS. SAP* then has the following attributes:

- The user has all authorization, as authorization check

cannot be executed.

- You cannot change the standard password PASS.

Using profile parameter <b>login/no_automatic_user_sapstar</b>,

you can deactivate the special attributes of SAP*.

So login to RZ11--->open the parameter(login/no_automatic_user_sapstar) and change the default Value to 1.

Valid entries, formats, areas : 0, 1

0: Automatic user SAP* is permitted

1: Automatic user SAP* is deactivated

Hope it helps.

Please award points if it is useful.

Thanks & Regards,

Santosh

Former Member

‎05-14-2007 1:40 PM

0 Kudos

Hi,

<b>Restricting SAP* and DDIC user</b>

1) First we change the password of <b>SAP*</b> and <b>DDIC</b> user in <b>SU01</b> (T-code)

2) As <b>SAP</b> is a hard coded user whenever SAP user deleted, it is possible to re-log on with SAP* and initial password <b>PASS</b>.

Using profile parameter <b>login/no_automatic_user_sapstar</b>, you can deactivate the special attributes of SAP*.

3) To avoid automatic generation SAP* password we set a profile parameter <b>login/no_automatic_user_sapstar=1(Automatic user SAP* is deactivated)</b> in <b>RZ10</b> (t-code).

4) Profile parameter will be effected only after restarting the sap system , so we restart sap system.

regards,

kanthi