Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
Showing results for 
Search instead for 
Did you mean: 

User id's have beenm created by a Basis Batch User id

Former Member
0 Kudos


In our company we have provided User creation access to a Basis Batch user id, But no one in the basis team have used the id to create users.

Unfortunately few months back this id has created some end users with critical access & deleted the user id's after some time.

Now no one know who actually did this.

I checked the change documents for those users & it onyly shows Batch Basis user id.

I checked that Batch Basis user id was always set to system type.

I also checked for that particular day if any background job was run for creating the id's & didn't find anything.

Can you plz let me know how to go about solving this major security breach.




Former Member
0 Kudos

Hi Navin,

Do you have AIS cofigured..if yes then you can check the audit trail.

OR have you looked in TBTCP for the programs ran with the System ID as Step user ID (Background user).

Check for STAT/STAD for this user (System user) for the activities done during the time when those IDs were created.

Cheers !!


0 Kudos

simple solution: remove acces to create/maintain users from all except Security admin users!

possible way they misused this: by remote access from one of the other systems:

look in sm59 (of all other sytems) if there is a access set up with this userid and a password given in the access setup>

If so that users id should ONLY be allowed very small and specific access in PRODUCTIUON as it opens up the sytem for all taht can use the rfc connection!

also make sure that access to SM59 in all systems/clients is limted to some basis users ONLY!

THE ABOVE is one of the most important reasons that NO ONE uid should have SAP_ALL in ANY CLIENT in ANY SYSTEM!

Former Member
0 Kudos

Check who created the Batch User or last reset it's password (report RSUSR100N) and contact them for an explanation. Verify whether the user ID is used in any connection data.



0 Kudos

Run sm20 and you can isolated the userid and transaction code. Using sm20 you will be able to identify the terminal number as well. This might help locate the offender.