Protecting SAP Standard Users: How to Efficiently Protect and Lock Critical User Master Records

Hardening measures for handling SAP standard users are an integral part of the SAP security and audit guides. However, our consulting practice has shown that implementing these protective measures is a major challenge for businesses of all types and sizes.

To protect the standard users, SAP recommends reviewing certain criteria regularly. The official SAP Security Guide contains the following information:

• Maintain an overview of the clients that you have and make sure that no unknown clients exist.
• Make sure that SAP* exists and has been deactivated in all clients.
• Ensure that default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
• Guarantee that these users belong to the group SUPER in all clients.
• Lock the users’ SAP*, DDIC, and EARLYWATCH. Unlock them only when necessary.
• By default, the user DDIC is set up for the transport background job (RDDIMPDP). We recommend you set up a different user for this job so that you can lock DDIC.
  • The user needs SAP_ALL and S_A.SYSTEM authorizations because the job calls function modules for various applications that cannot be determined for all cases ahead of time.
  • Set up the user as a system user so no one can use it as a dialog user.
  • Set up the user in all clients that are used for import.
  • Adjust the job RDDIMPDP so that the new user is the owner (in transaction SM37).
• Delete SAPCPIC if you do not need it. At least make sure that you have changed the default password for SAPCPIC.
• For more information, see Authorizations in Version Management.
• Change the default password of TMSADM.

Companies with complex SAP system landscapes face unique challenges because no one wants to risk production downtimes.

The following difficulties arise regularly when the DDIC user needs to be locked:

• The DDIC user has been used as the batch step user for background processing since the initial implementation of the system.
• No overview of how many RFC interfaces use the DDIC user is available.

• The customer program still runs with hard-coded DDIC login data.
• The IT service provider uses the DDIC user to administer the Basis client.

Do any of these problems and concerns sound familiar?

Here is a quick and efficient way to identify the use of user master records in batch job steps and correct the step users automatically.

Protecting SAP Standard Users in The Background Processing (Batch Job) Scenario

Let’s assume you have been tasked with implementing the security recommendations for SAP standard users as described in the SAP Security Guide and want to lock these users. Due to the long operating history of the system, you’re not sure if the standard user DDIC might still be used in periodic batch jobs in application clients, for example. A hasty deactivation of the user in the application client could result in unwarranted interruptions to operations. This is why it’s important to identify critical batch jobs and correct the step users ahead of time – using automation where possible.

The Implementation Method

1. Take stock of all affected batch jobs.
2. Create alternative background users with suitable authorizations to take over background operations.
3. Test the batch jobs with the new background users.
4. Replace the DDIC step user in the affected batch jobs.

The Method in Detail

Step 1: Take stock of all affected batch jobs.

One lesser-known but useful function in recent SAP releases is the “Extended Job Selection” in transaction SM37. Previously, if you wanted to identify the step users, you either had to evaluate the tables TBTCO/TBTCP via query or use a custom ABAP program.

To identify the batch jobs, select transaction SM37, switch to “Extended Job Selection,” and then set the following filter settings:

Start the report:

Step 2: Create the new background users for the functions (such as BTCUSER200).

Step 3: Test the background functions to be rescheduled.

Step 4: Replace the DDIC step user in the affected batch jobs. Another little-known, yet efficient tool for mass change of batch jobs is the report BTC_MASS_JOB_CHANGE. It supports flexible changes to the following job properties:

• Report/variant to be executed.
• User name of the job user.
• User name of the step user.
• Execution target (server/group).

To do so, set the selection parameters. [Tip: The report can also be run in test mode.]

Then run the report:

Test the success of the changes in transaction SM37:

The step user for the next run has been changed successfully from DDIC to BTCUSER200; the step user of job runs that are already complete remains unchanged by the conversion.

Other Aspects for Protecting SAP Standard Users

To ensure that the use of SAP standard users does not result in interruptions in operations, you should check where they are used in at least the following areas:

• Inbound RFC interfaces
• Hard-coded log-on data in customer programs
• Use in batch input sessions (SM35)
• Processing with LWMW (ERP), LTMC (S/4HANA), or eCATT

Accelerate Your SAP Analysis with Pathlock

Pathlock can help you identify the use of SAP standard users in all important areas of your system landscape quickly and effectively, enabling you to implement hardening measures safely without risking your SAP operations.

Get in touch with us to talk to our SAP experts.