SAP Users You Must Know
1. Remote Support Users: When using the SAP support services, you often need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:
· Define a special user for remote access. Do not use any of the standard users.
· Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.
· Do not disclose this user’s password over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is done.
2. EARLYWATCH: EARLYWATCH is created in client 066 during installation and is used for remote control by SAP. It is set up with only some standard authorizations (S_TOOLS_EX_A) for performance monitoring. Keep the user locked in general and unlock it only upon request. The initial password for EARLYWATCH is support.
3. TMSADM: This ID is created automatically when the change and transport management system is set up in client 000. The user type is “Communication”, and the user is used for transports by the CTS. TMSADM is assigned the profile S_A.TMSADM, which authorizes the use of RFC with display of the development environment as well as write access to the file system. The standard password for this user directly after the installation is PASSWORD.
4. SAPCPIC: SAPCPIC is created as a “communication” user at installation and is mostly used for EDI. The standard profile S_A.CPIC restricts access to the use of RFC. This user is hard-coded into the function module INIT_START_OF_EXTERNAL_PROGRAM together with a standard password. Take this into account when changing the password for this user.
5. The standard password for this user directly after the installation is ADMIN.
6. SAP* in J2EE: The user is established with full authorizations for administration. For security reasons, the user has no standard password assigned. To use this user as an emergency user, the properties in the UME need to be maintained. Setting the ume.superadmin.activated property to true enables the use of this user for emergency cases. Setting a password in ume.superadmin.password then activates the user after the engine is restarted. While the user SAP* is in use, all other users are inactive. When the system is fixed, deactivate the user by setting the ume.superadmin.activated property to false.
7. J2EE_ADMIN: This user is the Java standard user with full administration authorization in this environment. The password is assigned during setup. High complexity is recommended for this password.
8. J2EE_GUEST: This user is a Java standard user that can be used for anonymous access. The user is locked by default. The password is assigned during the installation.
9. SAPJSF: This user is a standard communication user for LDAP (Lightweight Directory Access Protocol) data sources.
10. ADSuser: This standard user is used for the communication between Java and ADS (Adobe Document Service).
11. caf_mp_scvuser: This standard user is used in the context of the Composite Application Framework (CAF) core transport system and communication with other Java services.
Summary
To summarize, we recommend that you regularly review the following criteria for protecting the standard users:
· Maintain an overview of the clients that you have and make sure that no unknown clients exist.
· Make sure that SAP* exists and has been deactivated in all clients.
· Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
· Make sure that these users belong to the group SUPER in all clients.
· Lock the users SAP*, DDIC, EARLYWATCH and your remote support user. Unlock them only when necessary. (Note that it should never be necessary to use SAP*!)
· Lock DDIC and EARLYWATCH and unlock them only when necessary.
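
The review criteria above, as an added example that is not part of the original post: a Python check that runs over a user export and reports every violation of the summary list. The CSV column layout, the KNOWN_CLIENTS set and the sample rows are constructed assumptions, not an SAP export format.

```python
import csv
import io

# Users named in the summary checklist.
PROTECTED = ("SAP*", "DDIC", "EARLYWATCH")

# Assumption: the clients you expect to exist in this system.
KNOWN_CLIENTS = {"000", "066", "100"}

# Constructed sample export (hypothetical columns, one row per client/user).
SAMPLE_EXPORT = """\
client,user,exists,locked,group,default_password
000,SAP*,yes,yes,SUPER,no
000,DDIC,yes,yes,SUPER,no
066,SAP*,yes,yes,SUPER,no
066,EARLYWATCH,yes,no,SUPER,yes
100,SAP*,no,,,
100,DDIC,yes,yes,,no
200,SAP*,yes,yes,SUPER,no
"""

def audit(export_text, known_clients):
    """Return sorted (client, user, finding) tuples for the summary checklist."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = set()
    clients = {r["client"] for r in rows}
    # No unknown clients may exist.
    for client in clients - set(known_clients):
        findings.add((client, "-", "unknown client"))
    # SAP* must exist in every client that appears in the export.
    for client in clients:
        present = {r["user"] for r in rows
                   if r["client"] == client and r["exists"] == "yes"}
        if "SAP*" not in present:
            findings.add((client, "SAP*", "user does not exist"))
    # Password, group and lock state of the protected users.
    for r in rows:
        if r["user"] not in PROTECTED or r["exists"] != "yes":
            continue
        key = (r["client"], r["user"])
        if r["default_password"] == "yes":
            findings.add(key + ("default password not changed",))
        if r["group"] != "SUPER":
            findings.add(key + ("not in group SUPER",))
        if r["locked"] != "yes":
            findings.add(key + ("not locked",))
    return sorted(findings)

if __name__ == "__main__":
    for client, user, finding in audit(SAMPLE_EXPORT, KNOWN_CLIENTS):
        print(f"client {client}  {user:<11} {finding}")
```

Rows for users outside the summary list, such as TMSADM or SAPCPIC, are ignored; add them to PROTECTED if you want the same checks applied to them.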