Community
Technology Blog Posts by Members
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Limited Time Activation of virtual Super-User - SAP*

Agrawal_Himanshu
Explorer
‎2025 May 20 3:26 PM
0 Likes
1,280

SAP Note 3303172

Time-limited client-specific activation of the virtual super-user SAP*, available as of kernel release 790:

  1. Logon to the operating system of an application server using <sid>adm user.
  2. Start the interactive tool dpmon with menu option u to activate the virtual client-specific super-user SAP* in a chosen client. Define a period of between 10 and 30 minutes as validity. You will obtain a one-time password after successful activation.
  3. Logon using user SAP* and the one-time password you have obtained on any currently running application server.

image-2024-10-7_14-59-48.png

Point to be noted :

  • Any password based logon attempt for user SAP*, regardless if successful or not, invalidates the one-time password immediately.
  • You can (re-)activate the user using dpmon any time and will obtain a new one-time password. This is needed for example if you had a typo in your attempt to use the one-time password and could not logon.
  • Within dpmon you have further the possibility to see in which clients a virtual super-user does currently exist, which one still has a one-time password, their remaining existence and you are able to delete them prematurely.
  • An existing user SAP* (and an emergency super-user SAP* activated by the second option) is superimposed by an existing virtual super-user SAP* in a client.
  • A maximum of 20 virtual super-user SAP* can exist in parallel in different clients.
  • There is no need for an application server restart as no static profile parameter needs to be changed.
  • The user has no hardcoded known password but gets a new random one-time password after each activation.
  • The user is activated client-specific.
  • The user existence is limited in time, its validity is chosen during its activation within dpmon(the allowed period is between 10 and 30 minutes), and the user can also be deleted within dpmon already before its expiration. Bear in mind: a user deletion has no influence on an already established session. A session does continue to run.
  • Both activation and usage of the virtual super-user are logged in the security audit log event EUP (purpose 2).

 

Security Audit Log for virtual user SAP*

image-2024-10-7_14-56-36.png