
SAP*, DDIC, SAPCPIC and WF_BATCH

Former Member
0 Kudos

Dear Guys,

I'm new in SAP... need your advice. I have been queried by my audit people about these 4 IDs, which are

a. DDIC

b. SAP*

c. WF_BATCH

d. SAPCPIC

My question is: can I change the password or delete the IDs above?

2. How can I configure the system so that users who have not used SAP for 2 weeks are disabled from using SAP?

12 REPLIES 12

JPReyes
Active Contributor
0 Kudos

Hi,

1) You can change their passwords indeed, don't delete them though.

2) You can use the following parameters to define the validity of new and reset passwords:

login/password_max_new_valid

login/password_max_reset_valid

Read,

http://help.sap.com/saphelp_nw04/helpdata/en/22/41c43ac23cef2fe10000000a114084/content.htm

Regards

Juan

Former Member
0 Kudos

> 2) You can use the following parameters to define the validity of new and reset passwords:

>

> login/password_max_new_valid

> login/password_max_reset_valid

Hi Juan,

Depending on the release and possibly still patch level, SAP recommends not using those two parameters and has replaced them.

Check SAP notes on those two (e.g. SAP Note 862989).

Cheers,

Julius

Former Member
0 Kudos

>

> > login/password_max_new_valid

> > login/password_max_reset_valid

Hi Julius, ain't these bypassed in an SSO scenario?

Thanks

Former Member
0 Kudos

> > > login/password_max_new_valid

> > > login/password_max_reset_valid

>

> Hi Julius, Ain't these bypassed in SSO scenario?

> Thanks

AFAIK: Passwords and Single-Sign-On are only mutually inclusive for the initial authentication and for deactivating the password based authentication.

If you can enter a password again, then it's not Single-Sign-On, is it?

Besides that, some standard users are blocked from being used in certain types of password-less authentication.

Cheers and have a nice weekend,

Julius

Former Member
0 Kudos

TGIF! Thank you Julius and you also have a great weekend ahead

0 Kudos

There are many documents that explain these users... but precisely:

SAP* and DDIC: You always have to lock these.

SAPCPIC is a communication user used by SAP itself. May create problems when locked or deleted.

WF_BATCH is used for background processes run by SAP. May create problems when locked or deleted.

For the 2nd question...

There is not any standard thing to do that.

Former Member
0 Kudos

Dear Sir,

For DDIC and WF_BATCH, when I go to SM37, user DDIC and WF_BATCH, there is batch processing running. Will it be affected if I change the password?

For SAPCPIC, can I lock the password instead of changing the password?

0 Kudos

Changing the password won't affect the background jobs...

For SAPCPIC you're better off resetting the password than locking the user.

Regards

Juan

0 Kudos

Hi

Indeed both options are available for SAPCPIC. Refer to SAP Note 29276; it will clarify your doubt.

Regards

Rahul

Former Member
0 Kudos

Moved to security forum.

Former Member
0 Kudos

First, there are more standard users in the system than those 4 your auditors have asked about. I recommend running report RSUSR003 to check your settings and the status (existence) of the important ones.

> a. DDIC

Change the standard password in the clients where it exists, and only use it for upgrades. If you use it, also in jobs in the system, then you will have a tough time restricting its access during non-upgrade times.

> b. SAP*

Check this thread: https://forums.sdn.sap.com/click.jspa?searchID=12621618&messageID=5468340

> c. WF_BATCH

I assume that you have created your own user called "WF_BATCH" for the workflow engine, and not the standard "WF-BATCH". You should for a start ensure that the user type is SYSTEM and that the password is not known (set) by human admins, preferably. You should not need to change its password, as it is also required for the RFC calls within the system. You can further compensate for this by restricting its access.

> d. SAPCPIC

Already answered.

> My question is..can I change the password or delete the IDs above.

It depends. For Dialog and Communication type users, yes, change the password but do not delete them. For System and Service type users, typically no (the password should be known only to the system or the owner of the connection).

In addition to restricting these users' access, restricting access to them is also a good idea: Move them into a secure user group (S_USER_GRP) and lock the standard users when not used, particularly SAP*.

Cheers,

Julius

Edited by: Julius Bussche on Jun 6, 2008 4:39 PM
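
The checks recommended in the reply above (secure user group, SAP* locked when not used, workflow user of type SYSTEM), together with the two-week inactivity question from the original post, as an added example that is not part of any post in this thread or of SAP's own tooling. It assumes a CSV export whose columns follow table USR02 (MANDT, BNAME, USTYP, UFLAG, TRDAT, CLASS), that a nonzero UFLAG means locked, and that the protected user group is named SUPER; the sample rows and the users JSMITH and MJONES are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export; column names follow table USR02 (assumed layout).
SAMPLE = """MANDT,BNAME,USTYP,UFLAG,TRDAT,CLASS
000,SAP*,A,0,20080501,
000,DDIC,A,0,20080604,SUPER
100,SAP*,A,64,20080101,SUPER
100,WF_BATCH,A,0,20080606,SUPER
100,SAPCPIC,C,0,20080606,SUPER
100,JSMITH,A,0,20080510,FINANCE
100,MJONES,A,0,20080605,FINANCE
"""

STANDARD = {"SAP*", "DDIC", "SAPCPIC", "WF_BATCH", "WF-BATCH"}
WORKFLOW = {"WF_BATCH", "WF-BATCH"}
SECURE_GROUP = "SUPER"   # assumed name of the protected user group
MAX_IDLE_DAYS = 14       # the two weeks asked about in the original post

def audit(export_text, today):
    """Return (client, user, finding) tuples for a USR02-style CSV export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        client, user = row["MANDT"], row["BNAME"]
        locked = int(row["UFLAG"]) != 0  # assumption: nonzero = locked
        if user in STANDARD:
            if row["CLASS"] != SECURE_GROUP:
                findings.append((client, user, "not in secure user group"))
            if user == "SAP*" and not locked:
                findings.append((client, user, "SAP* is not locked"))
            if user in WORKFLOW and row["USTYP"] != "B":  # 'B' = System
                findings.append((client, user, "workflow user is not type SYSTEM"))
            continue
        # Idle check applies only to unlocked dialog users (USTYP 'A').
        if row["USTYP"] == "A" and not locked:
            if row["TRDAT"] == "00000000":  # no logon recorded
                findings.append((client, user, "never logged on"))
                continue
            last = datetime.strptime(row["TRDAT"], "%Y%m%d").date()
            idle = (today - last).days
            if idle > MAX_IDLE_DAYS:
                findings.append((client, user, f"idle {idle} days"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2008, 6, 6)):
        print(*finding)
```

The reference date is passed in explicitly so the result is reproducible; with a real export, pass `date.today()`.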

Former Member
0 Kudos

Thanks guys!!