
SAP* user security

Uppdeep_Mann
Product and Topic Expert

Hi,

To secure the SAP* user, parameter login/no_automatic_user_sapstar is set to 1.

Additionally, do I still need to delete its authorizations or delete user SAP* in all clients, including client 000?

What can be the consequence if I remove this user?

Thanks & Regards,

Uppdeep

Accepted Solutions (1)


pau_torregrosa
Participant

Hi Uppdeep,

SAP's recommendation is to set parameter login/no_automatic_user_sapstar to a value greater than 0, and create a user master record (SU01) for SAP* in all clients, with no authorizations. That is more secure than not having a user master record for SAP*, because as soon as you don't have a user master record, the only thing securing SAP* from misuse is the parameter you mentioned. Having also a user master record with no authorizations adds extra security.

Regards,

Pau.

Uppdeep_Mann
Product and Topic Expert

Thanks Pau for your answer.

There is one point mentioned in this link at SAP Help: https://help.sap.com/doc/saphelp_nw70/7.0.31/en-US/4f/3eb3f249aa2eb5e10000000a42189c/content.htm?no_...

6. Deactivate all authorizations for SAP* in all clients except for those required by SAP License Administration (transaction SLICENSE)

Trying to understand why one client in the system should be an exception!?

pau_torregrosa
Participant

Hi Uppdeep,

Not sure, looks like there might be a scenario where you might need to delete or install a License Key, and using SAP* would be the only option to perform that action, so leaving SAP* with just SLICENSE authorizations would allow you to administer license keys in case it's needed.
Check SAP Note 917936, and the link below:

https://help.sap.com/saphelp_nwpi711/helpdata/en/db/4a8338d22aa947e10000009b38f8cf/content.htm?no_ca...

Hope that helps.

Regards,

-Pau

Answers (1)


Peter
Participant

Hi Uppdeep

I recommend you do the following to protect SAP*:

  • Create SAP*
  • Lock SAP*
  • Add SAP* to User Group SUPER
  • Set valid-to-date to the past
  • Remove authorization (no roles or profiles)

The above steps have to be done in all clients (including 000).

To verify the protection you should run Tcode RSUSR003 to check the protection of SAP* and other standard users across all clients in the system.

Best regards,

Peter
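
The checks discussed in this thread, as an added example that is not part of any poster's reply and is not SAP code: a Python audit over a constructed per-client export of SAP* master-record data. The column names follow table USR02 (MANDT, UFLAG, GLTGB, CLASS); the ROLES/PROFILES counts, the sample rows and the function name `audit_sapstar` are assumptions made for the illustration.

```python
from datetime import date

# Constructed sample data (not from a real system). Columns follow table USR02:
# MANDT = client, UFLAG = lock flag (0 = not locked), GLTGB = valid-to date as
# YYYYMMDD ("00000000" = unlimited), CLASS = user group. ROLES / PROFILES are
# assumed counts of assignments, e.g. taken from AGR_USERS and UST04.
CLIENTS = ["000", "001", "100"]  # every client in the system, including 000
SAPSTAR_ROWS = [
    {"MANDT": "000", "UFLAG": 64, "GLTGB": "20200101", "CLASS": "SUPER",
     "ROLES": 0, "PROFILES": 0},
    {"MANDT": "100", "UFLAG": 0, "GLTGB": "00000000", "CLASS": "",
     "ROLES": 0, "PROFILES": 1},
]

def audit_sapstar(clients, rows, no_automatic_user_sapstar, today):
    """Return {client: [findings]}; an empty list means all checks passed."""
    by_client = {row["MANDT"]: row for row in rows}
    cutoff = today.strftime("%Y%m%d")
    report = {}
    for client in clients:
        row, findings = by_client.get(client), []
        if row is None:
            # Without a master record only the profile parameter protects SAP*.
            findings.append("no user master record for SAP*")
            if no_automatic_user_sapstar == 0:
                findings.append("login/no_automatic_user_sapstar is 0")
        else:
            if row["UFLAG"] == 0:
                findings.append("not locked")
            if row["CLASS"] != "SUPER":
                findings.append("not in user group SUPER")
            if row["GLTGB"] == "00000000" or row["GLTGB"] >= cutoff:
                findings.append("valid-to date is not in the past")
            if row["ROLES"] or row["PROFILES"]:
                findings.append("roles or profiles assigned")
        report[client] = findings
    return report

if __name__ == "__main__":
    result = audit_sapstar(CLIENTS, SAPSTAR_ROWS, 1, date(2024, 1, 1))
    for client, findings in result.items():
        print(client, "OK" if not findings else "; ".join(findings))
```

Clients missing from the export are reported as having no master record, which is the case where protection rests on the profile parameter alone.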