Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

User lock

Former Member
0 Kudos

Hi,

We are experiencing the problem with one of the user configured as service type.

But the problem is if some body tried to login without knowing the password , it locks the user account.

for ex: CA_AUTOSYS or DDIC

We have many batch jobs running under this user id.

How can we make users like this never locked.

I know the profile parameter which locks for that day and releases it. Is there anyother way where we can make the user id unlocked all the time. Please advise.

3 REPLIES 3

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Sorry, but that would be a stupid idea.

If you do not restrict the number of permitted failed password logon attempts you enable dictionary and brute-force attacks - it's just a matter of time when an attacker will succeed.

BTW: Please choose the proper user type: SYSTEM (see <a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=622464">SAP Note 622464</a>)

SYSTEM users which are only used to perform system-internal tasks (such as background processing) do not require passwords (you might deactivate their password) - on the other hand: the password lock (due to failed password logon attempts) will not prevent the execution of background jobs (see <a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=498889">SAP Note 498889</a>). Please notice that there is a difference between <b>password lock</b> and <b>account lock</b>.

Regards, Wolfgang

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

"000/DDIC" is required for upgrades and Support Package imports (which makes this account special and vulnerable for denial-of-service attacks); the user type should be DIALOG (to enable SAPGUI logons).

Well, during normal operations you do not need "DDIC".

Therefore you should deactivate that account (e.g. by using the account lock) and activate it only on demand.

Same applies for user SAP*.

You should not use that account but create copies and use them instead (see <a href="http://service.sap.com/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=2383">SAP Note 2383</a>).

Regards, Wolfgang

Former Member
0 Kudos

Use the security audit log or application monitors (search for transaction "login_pw") to track down the "person" who is trying to logon with DDIC without being authorized to know the password, and fire them.

If you find that the "person" is actually an application trying to login, "fire" the application by removing the entry for that user from table RFCDES.