Protecting Special Users in SAP

 Protecting Special Users in SAP

Standard Users in SAP:

SAP system comes with SAP* and DDIC. These are the super users and they are created during the SAP installation process. Password is set during the installation process. The SAP* user is created in 000, 001 and all new clients while DDIC is created in 000 and 001 clients only. Apart from these users, there are other users like EARLYWATCH, SAPCPIC and TMSADM.

SAP* and DDIC users should be monitored regularly and should be protected from unauthorized access.

Protecting the SAP Special Users:

a. SAP* user should exists in all clients and should be deactivated in all clients. The default password for SAP* and DDIC should be changed. Report RSUSR003 displays special users that are exists in all the client and changes made to these users.

b. Set the user group to "SUPER" for all these users in all clients. All these users should be locked in all clients.

c. There is a transport background job called RDDIMPDP which executes with DDIC user. This needs to changed and set the different user with the same authorizations as DDIC, so that DDIC can be locked.

d. SAP* user id should not be deleted, instead new super user is created and SAP* should be deactivated in all clients.

e. There is a profile parameter called login/no_automatic_user_sapstar which gives provision for automatic creation of SAP* user. This parameter value should be set to 1, so that it prevents from creating user automatically. If the parameter value is set to 0, this allows you to login to system with SAP* and password PASS with system administration access.

f. Create a master record for SAP* in clients where there is no user master record for SAP*. SUPER user group should be assigned and set a strong password. Remove all the authorizations for SAP* in all clients.

g. DDIC users id should not be deleted, set the strong password and lock this id from unauthorized access.


Location: Chicago, IL, USA

Comments

Post a Comment

Popular posts from this blog

SAP Security: Critical Authorization Objects

SAP Security: Critical Authorization Objects 1. S_TABU_DIS: This authorization object enables authorization check for displaying or modifying the table content. For accessing the table data, users use SE16, SM30 or SM31 transaction codes. This object contains two fields, DICBERCLS (authorization group) and ACTCT. 2. S_RFC: This authorization object enables authorization check for remote function call to access program modules (function modules). This authorization object contains three fields, RFC_TYPE, RFC_NAME and ACTCT. 3. S_DATASET: This authorization object enable file access at operating system level. This gives permission to access files from ABAP programs. This object contains three fields, File name, Program and Activity. 4. S_ADMI_FCD: This authorization objects enable access to various administrator activities like system monitoring, spool administration, client creations, update administration etc. This object contains one field, system administration functions. 5. S_DE...
Read more

SAP Security: How to set auto Logoff for Inactive users in SAP

Image
How to set auto Logoff for Inactive users in SAP SAP provides an options for logging of inactive users in SAP automatically. Inactive means if there is no activity for a specific period of time. By setting the auto logoff improves the security in the SAP system. The auto logoff options is not active in the system by default. This needs to be activated using the profile parameter called rdisp/gui_auto_logout. The value for this parameter should be set in the form of seconds. The inactive users are logout of the system after the specific time period that is set in the parameter. The SAP system doesn't save the data before auto logoff and it does not popup any prompt before auto logoff. Procedure to set the value in the Profile parameter: Execute transaction code RZ10 Select the DEFAULT profile from the selection menu. Select the Extended maintenance and click on change icon. Click on the create parameter icon as shown below. Enter the new parameter name as rdisp/gui_auto_logout and c...
Read more

SAP GRC Security Consultant Roles and Responsibilities

SAP GRC Security Consultant Roles and Responsibilities 1. SAP GRC Consultant should have a knowledge on Governance, Risk and Compliance products. 2. Should have a thorough knowledge as well as experience in relation between ERP and GRC systems. 3. Should have an experience in configuring and supporting of GRC components like ARA, ARM, BRM and EAM. 4. GRC consultant should be having good understanding of GRC architecture. 5. Should be having hands on experience in user provisioning, role management, risk analysis, emergency access management and monitoring. 6. Should have experience in pre installation, post installation, connector settings, rule building and MSMP workflows and BRF+ in the ARM and BRM components. 7. Should have experience in end to end implementation of GRC Access Controls. 8. Should have experience in designing and developing the SAP business process. 9. Should be able to gather business requirements and implement the same in the GRC AC modules like ARA, ARM, BRM and E...
Read more