06-06-2008 9:58 AM
Dear Guys,
I'm new in SAP... need your advice. I have been queried by my audit people about these 4 IDs, which are:
a. DDIC
b. SAP*
c. WF_BATCH
d. SAPCPIC
My question is: can I change the password or delete the IDs above?
2. How can I configure the system so that users who have not used SAP for 2 weeks are disabled from using SAP?
06-06-2008 10:24 AM
Hi,
1) You can change their passwords indeed, don't delete them though.
2) You can use the following parameters to define the validity of new and reset passwords:
login/password_max_new_valid
login/password_max_reset_valid
Read,
http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm
Regards
Juan
06-06-2008 5:21 PM
> 2)You can use following parameters to define the validity of new and reset passwords..
>
> login/password_max_new_valid
> login/password_max_reset_valid
Hi Juan,
Depending on the release and possibly still patch level, SAP recommends not using those two parameters and has replaced them.
Check SAP notes on those two (e.g. SAP Note 862989).
Cheers,
Julius
06-06-2008 5:44 PM
>
> > login/password_max_new_valid
> > login/password_max_reset_valid
Hi Julius, Ain't these bypassed in SSO scenario?
Thanks
06-06-2008 6:01 PM
> > > login/password_max_new_valid
> > > login/password_max_reset_valid
>
> Hi Julius, Ain't these bypassed in SSO scenario?
> Thanks
AFAIK: Passwords and Single-Sign-On are only mutually inclusive for the initial authentication and for deactivating the password-based authentication.
If you can enter a password again, then it's not Single-Sign-On, is it?
Besides that, some standard users are blocked from being used in certain types of password-less authentication.
Cheers and have a nice weekend,
Julius
06-06-2008 10:31 AM
There are many documents that explain these users... But precisely...
SAP* and DDIC: You always have to lock these.
SAPCPIC is a communication user used by SAP itself. May create problems when locked or deleted.
WF_BATCH is used for background processes run by SAP. May create problems when locked or deleted.
For the 2nd question...
There is not any standard thing to do that.
06-06-2008 10:36 AM
Dear Sir,
For DDIC and WF_BATCH, when I go to SM37, user DDIC and WF_BATCH, there are batch processes running. Will it affect them if I change the password?
For SAPCPIC, can I lock the password instead of changing the password?
06-06-2008 10:38 AM
Changing the password won't affect the background jobs...
For SAPCPIC you're better off resetting the password than locking the user.
Regards
Juan
06-06-2008 4:08 PM
Hi
Indeed, both options are available for SAPCPIC. Refer to SAP Note 29276; it will clarify your doubt.
Regards
Rahul
06-06-2008 5:32 PM
First, there are more standard users in the system than those 4 your auditors have asked about. I recommend running report RSUSR003 to check your settings and the status (existence) of the important ones.
> a. DDIC
Change the standard password in the clients where it exists, and only use it for upgrades. If you use it, also in jobs in the system, then you will have a tough time restricting its access during non-upgrade times.
> b. SAP*
Check this thread: https://forums.sdn.sap.com/click.jspa?searchID=12621618&messageID=5468340
> c. WF_BATCH
I assume that you have created your own user called "WF_BATCH" for the workflow engine, and not the standard "WF-BATCH". You should for a start ensure that the user type is SYSTEM and that the password is not known (set) by human admins, preferably. You should not need to change its password, as it is also required for the RFC calls within the system. You can further compensate for this by restricting its access.
> d. SAPCPIC
Already answered.
> My question is..can I change the password or delete the IDs above.
It depends. For Dialog and Communication type users, yes, change the password but do not delete them. For System and Service type users, typically no (the password should be known only to the system or the owner of the connection).
In addition to restricting these users' access, restricting access to them is also a good idea: Move them into a secure user group (S_USER_GRP) and lock the standard users when not used, particularly SAP*.
Cheers,
Julius
Edited by: Julius Bussche on Jun 6, 2008 4:39 PM