May 14, 2018 at 03:22 AM

Concern about adm/SAPService permission on Windows Environment

811 Views Last edit May 21, 2018 at 03:28 PM 2 rev

Hi,

This is a real situation where the customer's security team has raised an issue. We have AS ABAP installed on Windows with MS SQL Server, and the <sapsid>adm created by sapinst is a member of the local administrators (the Administrators group, in fact). They see this as an issue and don't want any account except Administrator in the group. We have searched for some official documents, but the customer still doesn't think it is necessary to have local administrator permission. My first question is: if we remove the "Administrators" membership from <sapsid>adm, what will happen? Does it break SAP support? Or will something else stop working?

This is not just an OS-level issue. With MSSQL Server, both the <sapsid>adm and SAPService<SID> accounts are created in MS SQL Server (for Windows integrated authentication) and are granted the "sysadmin" role in MSSQL; the customer sees this as a big issue. Does anyone know why they must be sysadmin? What kind of tasks require sysadmin rights? Can we change the membership to a less powerful role?

Thanks