05-27-2008 9:24 PM
Just a very simple question. If I need to LOCK the user ID SAP*, how can I do it? I tried SU01, but it tells me the user itself is not existent. Do I need to do it at the OS level?
Thanks
05-27-2008 9:31 PM
If you want to lock SAP* in SU01, you need to create it first in SU01. Normally, it makes sense to create SAP* otherwise it could possibly create itself, unless it exists in SU01.
05-27-2008 9:55 PM
Never Knew This!!
So The following:
1. Create SAP* in ALL the clients (or 000 clients only) using SU01
2. Then lock it up.
My question --> We certainly need to assign the Authorizations to it, right? This I will accordingly.
You mentioned SAP* can create itself -- how is this done? Just out of curiosity.
My idea is to change the password and lock the user once created in SU01, then like any other user, or is there any other way?
Thanks Julu!!
Edited by: george G on May 27, 2008 10:56 PM
05-27-2008 10:07 PM
> We certainly need to assign the Authorizations to it, right? This I will accordingly.
If you don't use it, then which authorizations does it need?
> You mentioned SAP* can create itself -- how is this done? Just out of curiosity.
George?? Did you give your password to someone else?
Everyone knows that answer... it has a default installation password = 'PASS', if the user has never logged on in that client (see also infos on system param login/no_automatic_user_sapstar).
Report RSUSR003 is useful for checking this type of thing!
Cheers,
Julius
05-27-2008 10:22 PM
The problem is the following:
1. Since everybody knows this password, I want to change it. This ID is being used by folks who should not.
Now Julius, I want to restrict the password which is PASS.
1. I want to change the password
2. Lock in the ID
3. Use it only when needed..hence new password !
How do I do it...
05-27-2008 10:29 PM
OK..
RZ11 allows me to display the parameters... just deactivate the profile by giving the value 1.
So what's the TCD to change these profiles?
05-27-2008 11:29 PM
I am not a consultant, but a consultant would probably tell you:
> 1. I want to change the password
Then change it at logon.
> 2. Lock in the ID
In SU01.
> 3. Use it only when needed..hence new password !
Assign it to a protected user group (S_USER_GRP) and restrict access to it.
Yes, in all clients.
That should work.
> How do I do it...
For a qualified "how to" answer, the NW Admin forum ("basis") is probably the best place to ask.
If you wish, I can move this thread there (or create a thread referencing this one, and lock it?).
Personally, there is one aspect about the user group which I find a bit of a bother: 'SUPER' is not as close to the end of the alphabet as for example 'ZAMBIA', 'Z9999', etc. Sometimes it makes sense to protect specific standard users, and not specific expected user groups.
There have also been some changes in defaults a few releases ago. The "automatic" feature for SAP* in a client is now '1' for example (disabled). When you remove the default access and save, then you don't need to logon again to experience the new authority-check results when you try to click somewhere else. etc.
Much like DDIC, it depends on what you use it for...
Cheers,
Julius
05-28-2008 4:15 AM
Here are the answers :
1. SAP* does not have a user master record, hence it will have all the special properties. One cannot change the password PASS if SAP* is absent in the UMR. Therefore we need to create it via SU01 (as Julius had suggested!); this will make SAP* behave like a normal user subject to authorization checks.
Ideally we, meaning the Sec Admins, ought to deactivate SAP* and create our own super user. This is the best practice.
Thanks
05-28-2008 7:18 AM
> 1. SAP* does not have a user master record, hence it will have all the special properties. One cannot change the password PASS if SAP* is absent in the UMR. Therefore we need to create it via SU01 (as Julius had suggested!); this will make SAP* behave like a normal user subject to authorization checks.
Nope. In SAP, authorizations never subtract. Creating a UMR for SAP* does not take away any abilities.
05-28-2008 7:34 AM
Hi,
pls compare also point with one of SAP Note 2383 (https://service.sap.com/sap/support/notes/2383)
b.rgds, Bernhard
05-28-2008 7:56 AM
05-28-2008 2:04 PM
Now, if you check table USR01, SAP* is present, but when you go to SU01 and display the user SAP*, the answer is it's not present!! Any explanations??
Thanks
05-28-2008 3:03 PM
Hi George,
maybe someone has deleted the USR02-entry with DB-tools to be able to login with sap*/PASS sometime in the past.....
Then no changelogs exist for that deletion and all other tables still contain the SAP*-entry.....
b.rgds, Bernhard
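
Added example, not part of the original thread: a small audit sketch that combines the two conditions discussed above (the effective value of login/no_automatic_user_sapstar and whether a SAP* row exists in USR02 for each client) to flag clients where the built-in SAP* logon would still work. The profile texts, client list and USR02 rows are constructed sample data; the function names, the kernel default passed in by the caller, and the reading of UFLAG 0 as "not locked" are assumptions of this example.

```python
# Added example; all inputs below are constructed, not from a real system.
PARAM = "login/no_automatic_user_sapstar"

def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile; '#' lines are comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def effective_value(default_pfl, instance_pfl, kernel_default):
    """Instance profile overrides DEFAULT.PFL, which overrides the kernel
    default (release dependent, so the caller supplies it)."""
    merged = {PARAM: kernel_default}
    merged.update(parse_profile(default_pfl))
    merged.update(parse_profile(instance_pfl))
    return merged[PARAM]

def audit_sapstar(clients, usr02_rows, param_value):
    """Classify each client. usr02_rows are (client, user, uflag) tuples
    exported from USR02; uflag 0 is taken to mean 'not locked' (assumption)."""
    records = {c: uflag for c, user, uflag in usr02_rows if user == "SAP*"}
    result = {}
    for client in clients:
        if client not in records:
            # No user master record: only the parameter blocks the built-in SAP*.
            result[client] = "EXPOSED" if param_value == "0" else "NO_RECORD"
        elif records[client] == 0:
            result[client] = "UNLOCKED"
        else:
            result[client] = "LOCKED"
    return result

if __name__ == "__main__":
    DEFAULT_PFL = "# constructed sample\nlogin/no_automatic_user_sapstar = 0\n"
    INSTANCE_PFL = "rdisp/wp_no_dia = 10\n"
    value = effective_value(DEFAULT_PFL, INSTANCE_PFL, kernel_default="1")
    rows = [("000", "SAP*", 64), ("001", "SAP*", 0), ("001", "DDIC", 0)]
    for client, status in audit_sapstar(["000", "001", "066"], rows, value).items():
        print(client, status)
```

A client reported as NO_RECORD is protected only by the parameter, which is the situation described in the last reply if the USR02 row was removed outside SU01.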