Never Knew This!!

So The following:

1.Create SAP* in ALL the Clients ( Or 000 Clients only) Using SU01

2. Then Lock it up.

My question --> We certainly need to assign the Authorizations to it, right. This I will accordingly.

You mentioned SAP* CAn create itself--how is this done ? Just out of curiousity

My idea is the change the password and lock the user. once created in SU01 ..then like any other user or is there any other way ?

Thanks Julu!!

Edited by: george G on May 27, 2008 10:56 PM

> We certainly need to assign the Authorizations to it, right. This I will accordingly.

If you don't use it, then which authorizations does it need?

> You mentioned SAP* CAn create itself--how is this done ? Just out of curiousity

George?? Did you give your password to someone else?

Everyone knows that answer... it has a default installation password = 'PASS', if the user has never logged on in that client (see also infos on system param login/no_automatic_user_sapstar).

Report RSUSR003 is usefull for checking this type of thing!

Cheers,

Julius

The problem is ht efollowing ;

1. Since everybody knows this pasword, iwant to change it. This ID is being used by folks who should not.

Now Juluis, I want to restrict the password which is PASS.

1. I want to change the password

2. Lock in the ID

3. Use it only when needed..hence new password !

How do i do it...

OK..

RZ11 allows me to Dispaly the parametes....just deactivate the profile by giving the value 1.

so Whats the TCD to Change these profiles ?

I am not a consultant, but a consultant would probably tell you:

> 1. I want to change the password

Then change it at logon.

> 2. Lock in the ID

In SU01.

> 3. Use it only when needed..hence new password !

Assign it to a protected user group (S_USER_GRP) and restrict access to it.

Yes, in all clients.

That should work.

> How do i do it...

For a qualified "how to" answer, the NW Admin forum ("basis") is probably the best place to ask.

If you wish, I can move this thread there (or create a thread referencing this one, and lock it?).

Personally, there is one aspect about the user group which I find a bit of a bother: 'SUPER' is not as close to the end of the alphabet as for example 'ZAMBIA', 'Z9999', etc. Sometimes it makes sense to protect specific standard users, and not specific expected user groups.

There have also been some changes in defaults a few releases ago. The "automatic" feature for SAP* in a client is now '1' for example (disabled). When you remove the default access and save, then you don't need to logon again to experience the new authority-check results when you try to click somewhere else. etc.

Much like DDIC, it depends on what you use it for...

Cheers,

Julius

Here are the answers :

1. SAP* Doesnot have a User master record. hence it will have all the Special properties. One cannot change the password PASS if SAP* is absent in the UMR.Therefore we need to create VIA SU01 ( As Juluis had suggested !) this will make the SAP* Behave like a normal user subject to authorization checks.

Ideally we -meaning- the Sec Admins ought to deactivate the SAP* , and create our own super User. This is the best practice.

Thanks

Now, If you check table USR01 then the SAP* is present but when you go to SU01 and display the user SAP* the answer is its not present. !! Any explanations ??

Thanks