topic Re: SAP* in Application Development and Automation Discussions

SAP*

Former Member — Tue, 27 May 2008 20:24:12 GMT

Just a very simple question. If I need to LOCK the user ID SAP* how can I do it ? I tried SU01 --.But tells me the user itself is not exsistent. Do I need to do it at the OS level?

Thanks

Re: SAP*

Former Member — Tue, 27 May 2008 20:31:48 GMT

If you want to lock SAP* in SU01, you need to create it first in SU01. Normally, it makes sense to create SAP* otherwise it could possibly create itself, unless it exists in SU01.

Re: SAP*

Former Member — Tue, 27 May 2008 20:55:59 GMT

Never Knew This!!

So The following:

1.Create SAP* in ALL the Clients ( Or 000 Clients only) Using SU01

2. Then Lock it up.

My question --> We certainly need to assign the Authorizations to it, right. This I will accordingly.

You mentioned SAP* CAn create itself--how is this done ? Just out of curiousity

My idea is the change the password and lock the user. once created in SU01 ..then like any other user or is there any other way ?

Thanks Julu!!

Edited by: george G on May 27, 2008 10:56 PM

Re: SAP*

Former Member — Tue, 27 May 2008 21:07:29 GMT

> We certainly need to assign the Authorizations to it, right. This I will accordingly.

If you don't use it, then which authorizations does it need?

> You mentioned SAP* CAn create itself--how is this done ? Just out of curiousity

George?? Did you give your password to someone else?

Everyone knows that answer... it has a default installation password = 'PASS', if the user has never logged on in that client (see also infos on system param login/no_automatic_user_sapstar).

Report RSUSR003 is usefull for checking this type of thing!

Cheers,

Julius

Re: SAP*

Former Member — Tue, 27 May 2008 21:22:12 GMT

The problem is ht efollowing ;

1. Since everybody knows this pasword, iwant to change it. This ID is being used by folks who should not.

Now Juluis, I want to restrict the password which is PASS.

1. I want to change the password

2. Lock in the ID

3. Use it only when needed..hence new password !

How do i do it...

Re: SAP*

Former Member — Tue, 27 May 2008 21:29:39 GMT

OK..

RZ11 allows me to Dispaly the parametes....just deactivate the profile by giving the value 1.

so Whats the TCD to Change these profiles ?

Re: SAP*

Former Member — Tue, 27 May 2008 22:29:07 GMT

I am not a consultant, but a consultant would probably tell you:

> 1. I want to change the password

Then change it at logon.

> 2. Lock in the ID

In SU01.

> 3. Use it only when needed..hence new password !

Assign it to a protected user group (S_USER_GRP) and restrict access to it.

Yes, in all clients.

That should work.

> How do i do it...

For a qualified "how to" answer, the NW Admin forum ("basis") is probably the best place to ask.

If you wish, I can move this thread there (or create a thread referencing this one, and lock it?).

Personally, there is one aspect about the user group which I find a bit of a bother: 'SUPER' is not as close to the end of the alphabet as for example 'ZAMBIA', 'Z9999', etc. Sometimes it makes sense to protect specific standard users, and not specific expected user groups.

There have also been some changes in defaults a few releases ago. The "automatic" feature for SAP* in a client is now '1' for example (disabled). When you remove the default access and save, then you don't need to logon again to experience the new authority-check results when you try to click somewhere else. etc.

Much like DDIC, it depends on what you use it for...

Cheers,

Julius

Re: SAP*

Former Member — Wed, 28 May 2008 03:15:24 GMT

Here are the answers :

1. SAP* Doesnot have a User master record. hence it will have all the Special properties. One cannot change the password PASS if SAP* is absent in the UMR.Therefore we need to create VIA SU01 ( As Juluis had suggested !) this will make the SAP* Behave like a normal user subject to authorization checks.

Ideally we -meaning- the Sec Admins ought to deactivate the SAP* , and create our own super User. This is the best practice.

Thanks

Re: SAP*

jurjen_heeck — Wed, 28 May 2008 06:18:46 GMT

> 1. SAP* Doesnot have a User master record. hence it will have all the Special properties. One cannot change the password PASS if SAP* is absent in the UMR.Therefore we need to create VIA SU01 ( As Juluis had suggested !) this will make the SAP* Behave like a normal user subject to authorization checks.

Nope. In SAP authorizations never substract. Creating a UMR for SAP* does not take away any abilities.

Re: SAP*

Bernhard_SAP — Wed, 28 May 2008 06:34:47 GMT

Hi,

pls compare also point with one of [SAP Note 2383|https://service.sap.com/sap/support/notes/2383]

b.rgds, Bernhard

Re: SAP*

jurjen_heeck — Wed, 28 May 2008 06:56:42 GMT

All right. I stand corrected. Thanks for the note!

Re: SAP*

Former Member — Wed, 28 May 2008 13:04:33 GMT

Now, If you check table USR01 then the SAP* is present but when you go to SU01 and display the user SAP* the answer is its not present. !! Any explanations ??

Thanks

Re: SAP*

Bernhard_SAP — Wed, 28 May 2008 14:03:45 GMT

Hi George,

maybe somwone has deleted the USR02-entry with DB-tools to be able to login with sap*/PASS sometime in the past.....

Then no changelogs exist for that deletion and all other tables still contain the SAP*-entry.....

b.rgds, Bernhard