To make sure that nobody can misuse the standard user SAP*, you should define a new superuser and deactivate SAP* in all clients that exist in table T000.
Do not delete the user SAP*! SAP* is hard-coded in AS ABAP systems and does not require a user master record! If a user master record for SAP* does not exist in a client, then anybody can log on to the AS ABAP as the user SAP* using the well-known password PASS. In this case, SAP* is not susceptible to authority checks and has all authorizations. Therefore, do not delete SAP* from any client.
Procedure
1. Create a user master record for the new superuser.
2. Assign the profile SAP_ALL to this superuser.
3. Change this user’s initial password.
Make sure only a limited number of persons have access to this user’s password. Write it down, lock it in a safe, and use it only in emergencies! If you do have to use this superuser, then make sure you change its password again after use.
4. If no user master record for SAP* exists in the client, then create a user master record for SAP*.
5. Assign the SUPER user group to SAP* (in all clients) to make sure that only authorized administrators can change its user master record.
6. Deactivate all authorizations for SAP* (in all clients) by deleting all of the profiles in the profile list.
Deactivating the Hard-Coded SAP* User
You can also deactivate the hard-coded user SAP* by activating the profile parameter login/no_automatic_user_sapstar. If a user master record was created for SAP*, then the corresponding authorizations assigned will apply; they are not affected by this parameter's setting.
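The following audit check is an added example, not SAP code or part of the original note. It evaluates a constructed extract (client list as in T000, per-client user master records with user group and assigned profiles, and the profile parameter value) against the steps above; the emergency user name EMERGADM and the extract's field names are assumptions, and flagging SAP_ALL holders other than the designated superuser goes slightly beyond the note's own steps.

```python
from dataclasses import dataclass, field

@dataclass
class UserRecord:
    client: str                 # client key, as listed in T000
    name: str                   # user name, e.g. "SAP*"
    group: str                  # user group; SAP* should be in "SUPER"
    profiles: list = field(default_factory=list)  # assigned profiles

def audit_sapstar(clients, users, params, emergency_user="EMERGADM"):
    """Return findings (empty list = checklist met). emergency_user is the
    designated superuser (assumed name); flagging other SAP_ALL holders
    goes slightly beyond the note's own steps."""
    findings = []
    by_key = {(u.client, u.name): u for u in users}
    for client in clients:
        rec = by_key.get((client, "SAP*"))
        if rec is None:
            # no master record: the hard-coded SAP*/PASS logon would work
            findings.append(f"{client}: no user master record for SAP*")
        else:
            if rec.group != "SUPER":
                findings.append(f"{client}: SAP* not in group SUPER")
            if rec.profiles:
                findings.append(f"{client}: SAP* still holds {rec.profiles}")
        for u in users:
            if (u.client == client and u.name not in ("SAP*", emergency_user)
                    and "SAP_ALL" in u.profiles):
                findings.append(f"{client}: {u.name} holds SAP_ALL")
    if params.get("login/no_automatic_user_sapstar") != "1":
        findings.append("login/no_automatic_user_sapstar is not set to 1")
    return findings

# Constructed extracts (not from a real system): three clients,
# one unhardened state and one hardened state.
CLIENTS = ["000", "001", "100"]
WEAK = [
    UserRecord("000", "SAP*", "SUPER"),
    UserRecord("001", "SAP*", "DEFAULT", ["SAP_ALL"]),
    UserRecord("100", "EMERGADM", "SUPER", ["SAP_ALL"]),  # no SAP* in 100
    UserRecord("100", "JDOE", "DEV", ["SAP_ALL"]),
]
HARDENED = [UserRecord(c, "SAP*", "SUPER") for c in CLIENTS]
HARDENED.append(UserRecord("100", "EMERGADM", "SUPER", ["SAP_ALL"]))

def weak_findings():
    return audit_sapstar(CLIENTS, WEAK, {"login/no_automatic_user_sapstar": "0"})

def hardened_findings():
    return audit_sapstar(CLIENTS, HARDENED, {"login/no_automatic_user_sapstar": "1"})
```

Running `weak_findings()` reports the missing SAP* record in client 100, the wrong group and leftover SAP_ALL for SAP* in client 001, the extra SAP_ALL holder, and the unset parameter, while `hardened_findings()` returns nothing.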
See SAP Note 68048.