https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252851#M487316 <HTML><HEAD></HEAD><BODY><P>Additional you should activate the Security Audit Log for these Super-User with Transaction SM18-SM19.</P><P></P><P>Gruß</P><P>Toni</P><P></P></BODY></HTML> Mon, 14 May 2007 09:29:07 GMT antonio_steinhuser 2007-05-14T09:29:07Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252849#M487314 <HTML><HEAD></HEAD><BODY><P>It is clear that the security will happen when you dropped the normal &#147;SAP<STRONG>&#148; &amp; &#147;DDIC&#148; account because the reserved SUPER account with password "PASS" will activate. So, while you lost the normal &#147;SAP</STRONG>&#148; &amp; &#147;DDIC&#148; account, you should notice others people and re-create that as soon as possible.</P><P></P><P>How to fix the security problem?</P></BODY></HTML> Sat, 12 May 2007 09:49:57 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252849#M487314 Former Member 2007-05-12T09:49:57Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252850#M487315 <HTML><HEAD></HEAD><BODY><P>If you delete DDIC user then it will stay deleted. It will not recreate itself.</P><P></P><P>As SAP* is a hardcoded user, if you delete it, it will recreate itself with a commonly known password. To prevent this, you need to set profile parameter (via RZ10) login/no_automatic_user_sap* = 1</P><P></P><P>This will stop SAP* automatically creating itself.</P><P></P><P>There are a number of other things you should do to restrict SAP*</P><P></P><P>Change default password</P><P>Lock the ID</P><P>Remove all profiles (SAP_ALL, SAP_NEW)</P><P>Assign to group SUPER</P><P></P><P>DDIC should also have the password changed from default and be locked when it's not being used.</P></BODY></HTML> Sun, 13 May 2007 19:09:03 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252850#M487315 Former Member 2007-05-13T19:09:03Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252851#M487316 <HTML><HEAD></HEAD><BODY><P>Additional you should activate the Security Audit Log for these Super-User with Transaction SM18-SM19.</P><P></P><P>Gruß</P><P>Toni</P><P></P></BODY></HTML> Mon, 14 May 2007 09:29:07 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252851#M487316 antonio_steinhuser 2007-05-14T09:29:07Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252852#M487317 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P> If the user master record belonging to user SAP* is deleted, it is possible to re-log on with SAP* and initial password PASS. SAP* then has the following attributes:</P><P>- The user has all authorization, as authorization check</P><P> cannot be executed.</P><P>- You cannot change the standard password PASS.</P><P>Using profile parameter &lt;b&gt;login/no_automatic_user_sapstar&lt;/b&gt;,</P><P>you can deactivate the special attributes of SAP*.</P><P>So login to RZ11---&gt;open the parameter(login/no_automatic_user_sapstar) and change the default Value to 1.</P><P></P><P>Valid entries, formats, areas : 0, 1</P><P>0: Automatic user SAP* is permitted</P><P>1: Automatic user SAP* is deactivated</P><P></P><P>Hope it helps.</P><P>Please award points if it is useful.</P><P></P><P>Thanks &amp; Regards,</P><P>Santosh</P></BODY></HTML> Mon, 14 May 2007 10:21:20 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252852#M487317 Former Member 2007-05-14T10:21:20Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252853#M487318 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>&lt;b&gt;Restricting SAP* and DDIC user&lt;/b&gt; </P><P></P><P>1) First we change the password of &lt;b&gt;SAP*&lt;/b&gt; and &lt;b&gt;DDIC&lt;/b&gt; user in &lt;b&gt;SU01&lt;/b&gt; (T-code)</P><P>2) As &lt;b&gt;SAP<STRONG>&lt;/b&gt; is a hard coded user whenever SAP</STRONG> user deleted, it is possible to re-log on with SAP* and initial password &lt;b&gt;PASS&lt;/b&gt;.</P><P> Using profile parameter &lt;b&gt;login/no_automatic_user_sapstar&lt;/b&gt;, you can deactivate the special attributes of SAP*. </P><P>3) To avoid automatic generation SAP* password we set a profile parameter &lt;b&gt;login/no_automatic_user_sapstar=1(Automatic user SAP* is deactivated)&lt;/b&gt; in &lt;b&gt;RZ10&lt;/b&gt; (t-code).</P><P>4) Profile parameter will be effected only after restarting the sap system , so we restart sap system.</P><P></P><P>regards,</P><P>kanthi</P></BODY></HTML> Mon, 14 May 2007 12:40:11 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-r-3-security-problem/m-p/2252853#M487318 Former Member 2007-05-14T12:40:11Z