2007 May 12 10:49 AM
It is clear that a security problem arises when you drop the normal SAP & DDIC accounts, because the reserved SUPER account with password "PASS" will activate. So, if you lose the normal SAP & DDIC accounts, you should notify other people and re-create them as soon as possible.
How to fix the security problem?
2007 May 13 8:09 PM
If you delete DDIC user then it will stay deleted. It will not recreate itself.
As SAP* is a hardcoded user, if you delete it, it will recreate itself with a commonly known password. To prevent this, you need to set the profile parameter (via RZ10) login/no_automatic_user_sap* = 1
This will stop SAP* automatically creating itself.
There are a number of other things you should do to restrict SAP*:
- Change the default password
- Lock the ID
- Remove all profiles (SAP_ALL, SAP_NEW)
- Assign it to group SUPER
DDIC should also have the password changed from default and be locked when it's not being used.
2007 May 14 10:29 AM
Additionally, you should activate the Security Audit Log for these super users with transactions SM18-SM19.
Regards
Toni
2007 May 14 11:21 AM
Hi,
If the user master record belonging to user SAP* is deleted, it is possible to re-log on with SAP* and initial password PASS. SAP* then has the following attributes:
- The user has all authorizations, as authorization checks cannot be executed.
- You cannot change the standard password PASS.
Using the profile parameter login/no_automatic_user_sapstar, you can deactivate the special attributes of SAP*.
So log on to RZ11, open the parameter (login/no_automatic_user_sapstar) and change the default value to 1.
Valid entries, formats, areas : 0, 1
0: Automatic user SAP* is permitted
1: Automatic user SAP* is deactivated
Hope it helps.
Please award points if it is useful.
Thanks & Regards,
Santosh
2007 May 14 1:40 PM
Hi,
Restricting SAP* and DDIC user
1) First we change the passwords of the SAP* and DDIC users in SU01 (T-code).
2) As SAP* is a hard-coded user, whenever the SAP* user is deleted it is possible to re-log on with SAP* and the initial password PASS.
Using the profile parameter login/no_automatic_user_sapstar, you can deactivate the special attributes of SAP*.
3) To avoid automatic generation of the SAP* password, we set the profile parameter login/no_automatic_user_sapstar=1 (Automatic user SAP* is deactivated) in RZ10 (t-code).
4) The profile parameter takes effect only after restarting the SAP system, so we restart the SAP system.
regards,
kanthi
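As an added example (not from any of the posters above), this script audits the profile text that RZ10/RZ11 maintain for the login/no_automatic_user_sapstar setting the thread recommends. It assumes the plain "name = value" layout of an SAP profile file with "#" comment lines, treats a missing entry as the value 0 that the posters say to change away from, and uses constructed sample profiles, not a real system's files.

```python
"""Audit SAP profile text for the SAP* hardening parameter from the thread."""
from typing import Dict

PARAM = "login/no_automatic_user_sapstar"
VALID_VALUES = {"0", "1"}  # "Valid entries ... 0, 1" per the thread


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines. Assumptions: lines starting with '#' are
    comments, blank lines are ignored, the last occurrence of a name wins."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def sapstar_status(profile_text: str) -> str:
    """Return 'hardened' (value 1), 'open' (value 0 or absent) or
    'invalid:<value>' for anything outside the documented range.
    Treating an absent parameter as 0 is an assumption, not a kernel fact."""
    value = parse_profile(profile_text).get(PARAM, "0")
    if value == "1":
        return "hardened"
    if value == "0":
        return "open"
    return f"invalid:{value}"


# Constructed sample profiles (not taken from a real system).
HARDENED_PROFILE = """# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = XYZ
login/no_automatic_user_sapstar = 1
"""
OPEN_PROFILE = """# instance profile (constructed sample), parameter missing
SAPSYSTEMNAME = XYZ
login/min_password_lng = 8
"""
OVERRIDDEN_PROFILE = """# constructed sample: a later line silently re-opens SAP*
login/no_automatic_user_sapstar = 1
login/no_automatic_user_sapstar = 0
"""

if __name__ == "__main__":
    for name, text in [("hardened", HARDENED_PROFILE), ("open", OPEN_PROFILE),
                       ("overridden", OVERRIDDEN_PROFILE)]:
        print(f"{name:10s} -> {sapstar_status(text)}")
```

The "overridden" sample shows why the parser keeps the last occurrence: a duplicate line further down a profile decides the effective value, so a grep for "= 1" alone is not a sufficient check.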