
Concern about adm/SAPService premission on Windows Environment

wei-shang_ku
Participant

Hi,

This is a real situation where the customer's security team has raised an issue. We have AS ABAP installed on Windows with MS SQL Server, and the <sapsid>adm created by sapinst is a member of the local Administrators group. They see this as an issue and don't want any account except Administrator in the group. We have searched for some official documentation, but the customer still doesn't think it is necessary to have local administrator permission. My first question is: if we remove the "Administrators" membership from <sapsid>adm, what will happen? Does it break SAP support? Or will something else stop working?

It is not just an OS-level issue. With MS SQL Server, both the <sapsid>adm and SAPService<SID> accounts are created in MS SQL Server (for Windows integrated authentication) and are granted the "sysadmin" role in MSSQL; the customer sees this as a big issue. Does anyone know why they must be sysadmin? What kind of tasks require sysadmin rights? Can we change the membership to a less powerful role?

Thanks

Accepted Solutions (0)

Answers (3)

wei-shang_ku
Participant

Manuel,

Thanks for your explanation. I'd like to tell customer the logic behind this design.

manuel_garcia
Advisor

Hi,

The SAP system administrator <sid>adm has unlimited access to all local resources related to SAP systems.

The <sapsid>adm user also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

<sapsid>adm has an SAP instance-specific environment (variables, registry settings, group membership) that allows this user to administer the SAP system in a proper manner. The user is a member of the local Administrators group and has sufficient privileges during special tasks such as upgrading and administering an SAP instance.

Customer-specific created users might not have this complete environment and are therefore not supported for SAP system administration tasks.

See more information in the security guide in help library:

https://help.sap.com/viewer/621bb4e3951b4a8ca633ca7ed1c0aba2/7.5.9/en-US/4d6bfe2cc59f2307e10000000a1...

Regarding sysadmin role the reason is the following:

  1. The work process uses Windows authentication to connect to the MS SQL Server instance. As the work process itself runs under the SAPService<SID> operating system user, the Windows authentication attempt uses the SAPService<SID> Windows authentication login on the SQL Server side.
  2. As soon as the connection has been established successfully, the work process issues a setuser '<sid>' command in order to switch the connection from the SAPService<SID> Windows authentication login to the SQL Server login called <sid>. As the Windows authentication login SAPService<SID> has the sysadmin server role assigned, it can execute this command without providing the password of the <sid> login.

Best regards,

Manuel
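An added T-SQL audit script (not part of Manuel's reply or any SAP documentation) that a security team can run to verify the situation described above: which logins actually hold the sysadmin server role, and how the <sid> login that setuser switches to is configured. The SAP account name patterns and the `<sid>` placeholder are assumptions to be adjusted to the system.

```sql
-- Added example: inventory every login that holds the sysadmin server role.
-- Run as a login that can read server principals (sysadmin or VIEW SERVER STATE).
SELECT  m.name      AS login_name,
        m.type_desc AS login_type,     -- WINDOWS_LOGIN, SQL_LOGIN, WINDOWS_GROUP, ...
        m.is_disabled,
        CASE
            WHEN m.name LIKE N'%SAPService%' OR m.name LIKE N'%adm'
                THEN N'SAP service account (pattern is an assumption)'
            ELSE N'other'
        END         AS classification
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- The SQL Server login the work process switches to with setuser '<sid>'.
-- Confirm it exists, whether it is enabled, and whether it is itself sysadmin.
-- Replace <sid> with the lower-case SAP system ID of the installation.
SELECT  p.name,
        p.type_desc,
        p.is_disabled,
        IS_SRVROLEMEMBER(N'sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
WHERE   p.name = N'<sid>';
```

The first result set is what the security team should compare against the expected SAP accounts; any sysadmin member outside that list deserves its own justification.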