Symptom
Documentation problem: description for user entry SAP* is unclear
Additional key words
SAP*, super user, special user
Cause and prerequisites
Documentation error
Solution
Extensive information for special user SAP*:
Significant information:
- SAP* is a "hard-coded" user that does not have a user master record in the delivery system, is not subject to any authorization checks (and therefore has all authorizations), and has an unchangeable password. Note 68048 contains more information.
- SAP* is not treated like a "normal" user until a user master record is created for it. As long as the user master record exists, SAP* is subject to authorization checks and can be assigned a different password.
Because SAP* is a known user with a known password, you should create a user master record for SAP* before your system goes live, and replace that user by another, secret "super user".
We recommend:
- SAP* should not have any authorizations (empty profile list)
- SAP* should be assigned a new password
- SAP* should be assigned to user group SUPER.
- the "automatic SAP*" should then be deactivated, as described in Note 68048
The group assignment prevents the SAP* user master record from being deleted so easily, provided the other SAP recommendations regarding user maintenance and authorization maintenance and the pre-defined S_USER* profiles are used for user and authorization maintenance.
As an additional security measure, the administrator can lock user SAP*.
Important information:
Note that user SAP*, just like any other R/3 user, is client dependent.
This means that you have to perform the specified security measures in every client.
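Because the measures have to be repeated in every client, a per-client check is useful. The following is an added example, not part of the SAP note: it audits a constructed user export against the recommendations above. The CSV layout, its column names and the function audit_sapstar are assumptions made for illustration; the password change cannot be verified from such an export and is not checked.

```python
import csv
import io

# Constructed sample export: one row per user master record per client.
# Column names are hypothetical; "profiles" is a ';'-separated list.
SAMPLE_EXPORT = """client,user,user_group,profiles,locked
000,SAP*,SUPER,,yes
000,ADMIN01,SUPER,SAP_ALL,no
001,SAP*,SUPER,SAP_ALL,no
100,SAP*,,,yes
200,ADMIN02,SUPER,SAP_ALL,no
"""

def audit_sapstar(export_text, clients, automatic_sapstar_deactivated):
    """Return a sorted list of (client, finding) for every deviation."""
    records = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user"].strip().upper() == "SAP*":
            records[row["client"].strip()] = row
    findings = []
    if not automatic_sapstar_deactivated:
        # System-wide setting, reported once under the pseudo-client "*".
        findings.append(("*", "automatic SAP* not deactivated (Note 68048)"))
    for client in clients:
        rec = records.get(client)
        if rec is None:
            # Without a master record the hard-coded SAP* applies in this
            # client unless the automatic SAP* has been deactivated.
            findings.append((client, "no user master record for SAP*"))
            continue
        profiles = [p.strip() for p in rec["profiles"].split(";") if p.strip()]
        if profiles:
            findings.append((client, "profile list not empty: " + ";".join(profiles)))
        if rec["user_group"].strip().upper() != "SUPER":
            findings.append((client, "not assigned to user group SUPER"))
        if rec["locked"].strip().lower() != "yes":
            findings.append((client, "not locked (optional additional measure)"))
    return sorted(findings)

if __name__ == "__main__":
    all_clients = ["000", "001", "100", "200"]
    for client, finding in audit_sapstar(SAMPLE_EXPORT, all_clients, False):
        print(client, finding)
```

Pass the full list of clients that exist in the system, not only those that appear in the export, so that a client with no SAP* record at all is reported.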