Application Development Discussions
User lock

Former Member

Hi,

We are experiencing a problem with one of the users configured as service type.

The problem is that if somebody tries to log in without knowing the password, it locks the user account.

For example: CA_AUTOSYS or DDIC.

We have many batch jobs running under this user ID.

How can we make users like this never get locked?

I know the profile parameter which locks for that day and releases it. Is there any other way we can keep the user ID unlocked all the time? Please advise.

3 REPLIES

WolfgangJanzen
Product and Topic Expert

Sorry, but that would be a stupid idea.

If you do not restrict the number of permitted failed password logon attempts you enable dictionary and brute-force attacks - it's just a matter of time when an attacker will succeed.

BTW: Please choose the proper user type: SYSTEM (see SAP Note 622464, http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=622464)

SYSTEM users which are only used to perform system-internal tasks (such as background processing) do not require passwords (you might deactivate their password) - on the other hand: the password lock (due to failed password logon attempts) will not prevent the execution of background jobs (see SAP Note 498889, http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=498889). Please notice that there is a difference between password lock and account lock.

Regards, Wolfgang

WolfgangJanzen
Product and Topic Expert

"000/DDIC" is required for upgrades and Support Package imports (which makes this account special and vulnerable to denial-of-service attacks); the user type should be DIALOG (to enable SAPGUI logons).

Well, during normal operations you do not need "DDIC".

Therefore you should deactivate that account (e.g. by using the account lock) and activate it only on demand.

Same applies for user SAP*.

You should not use that account but create copies and use them instead (see SAP Note 2383, http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=2383).

Regards, Wolfgang

Former Member

Use the security audit log or application monitors (search for transaction "login_pw") to track down the "person" who is trying to log on with DDIC without being authorized to know the password, and fire them.

If you find that the "person" is actually an application trying to log in, "fire" the application by removing the entry for that user from table RFCDES.
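As an added, defender-side illustration (not code from this thread or from SAP), the following Python models what the replies describe: a per-user failed-logon counter that triggers a password lock at a threshold and resets at the next day, plus a tally of which terminals are producing the failed attempts for an account such as DDIC, so the source can be identified rather than the lock disabled. The log line format, terminal names and timestamps are constructed; the two settings mirror the SAP profile parameters login/fails_to_user_lock and login/failed_user_auto_unlock, but the values used here are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of failed password logons (NOT the real SM20 audit-log layout):
# "<date> <time> <client>/<user> <terminal>"
SAMPLE_EVENTS = """\
2024-03-04 08:01:10 000/DDIC batch-host-07
2024-03-04 08:01:12 000/DDIC batch-host-07
2024-03-04 08:01:14 000/DDIC batch-host-07
2024-03-04 08:01:16 000/DDIC batch-host-07
2024-03-04 08:01:18 000/DDIC batch-host-07
2024-03-04 09:30:00 100/CA_AUTOSYS sched-01
2024-03-04 09:31:00 100/CA_AUTOSYS sched-01
2024-03-05 07:00:00 000/DDIC ws-dev-12
"""

FAILS_TO_LOCK = 5         # assumed value, plays the role of login/fails_to_user_lock
AUTO_UNLOCK_DAILY = True  # plays the role of login/failed_user_auto_unlock = 1


def parse_events(text):
    """Turn the constructed log text into (timestamp, account, terminal) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, account, terminal = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), account, terminal))
    return events


def simulate_password_locks(events, fails_to_lock=FAILS_TO_LOCK,
                            auto_unlock_daily=AUTO_UNLOCK_DAILY):
    """Return {account: [timestamps]} of the moments a password lock would be set."""
    counters = defaultdict(int)
    last_day = {}
    locks = defaultdict(list)
    for ts, account, _terminal in sorted(events):
        # With daily auto-unlock the failed-attempt counter starts fresh on a new day.
        if auto_unlock_daily and last_day.get(account) not in (None, ts.date()):
            counters[account] = 0
        last_day[account] = ts.date()
        counters[account] += 1
        if counters[account] == fails_to_lock:
            locks[account].append(ts)
    return dict(locks)


def failed_attempt_sources(events, account):
    """Terminals that produced failed logons for one account, most frequent first."""
    return Counter(term for _, acct, term in events if acct == account).most_common()
```

Running the sample shows DDIC locked by the fifth attempt from batch-host-07 on the first day, no lock for CA_AUTOSYS, and the counter cleared before the single attempt from ws-dev-12 the next day.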