on 05-14-2018 4:22 AM
Hi,
This is a real situation where the customer's security team raised an issue. We have AS ABAP installed on Windows with MS SQL Server, and the <sapsid>adm user created by sapinst is a member of the local Administrators group. They see this as an issue and don't want any account except Administrator in the group. We have searched for an official document, but the customer still doesn't think it is necessary to have local administrator permissions. My first question is: if we remove "Administrators" membership from <sapsid>adm, what will happen? Does it break SAP support? Or will something else stop working?
It is not just an OS-level issue. With MS SQL Server, both the <sapsid>adm and SAPService<SID> accounts are created in MS SQL Server (for Windows integrated authentication) and are granted the "sysadmin" role in MSSQL; the customer sees this as a big issue. Does anyone know why they must be sysadmin? What kind of tasks require the sysadmin right? Can we change the membership to a less powerful role?
Thanks
Manuel,
Thanks for your explanation. I'd like to tell customer the logic behind this design.
Hi,
The SAP system administrator <sid>adm has unlimited access to all local resources related to SAP systems.
The <sapsid>adm user also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).
<sapsid>adm has an SAP instance-specific environment (variables, registry settings, group membership) that allows this user to administer the SAP system in a proper manner. The user is a member of the local Administrators group and has sufficient privileges during special tasks such as upgrading and administrating an SAP instance.
Customer-specific created users might not have this complete environment and are therefore not supported for SAP system administration tasks.
See more information in the security guide in the help library:
Regarding sysadmin role the reason is the following:
Best regards,
Manuel
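As an added audit check (not code from this thread or from SAP): a PowerShell script that lists who currently holds the two memberships discussed above, local Administrators and the SQL Server sysadmin role, and reports the status of the <sapsid>adm and SAPService<SID> accounts. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed, Windows integrated authentication to the instance, and that the SAP SID and instance name below are placeholders to replace.

```powershell
# Added audit example, not from the thread: show which accounts hold the
# local Administrators and SQL Server sysadmin memberships on an SAP host.
# Assumptions: run on the SAP host as an administrator, SqlServer module present,
# Windows integrated auth; $SapSid and $SqlInstance are placeholders.
param(
    [string]$SapSid      = 'XYZ',        # placeholder SAP system ID
    [string]$SqlInstance = 'localhost'   # placeholder SQL Server instance
)
$sapAccounts = @("$($SapSid.ToLower())adm", "SAPService$SapSid")

# 1. Local Administrators group: every member, as seen by the OS.
$admins = Get-LocalGroupMember -Group 'Administrators'
"Local Administrators members:"
$admins | ForEach-Object { "  $($_.Name) ($($_.ObjectClass))" }

# 2. sysadmin fixed server role: query the catalog views so the output is
#    stable and does not depend on sp_helpsrvrolemember formatting.
$query = @"
SELECT p.name AS login_name, p.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals p ON rm.member_principal_id = p.principal_id
WHERE r.name = 'sysadmin'
ORDER BY p.name;
"@
$sysadmins = Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $query
"sysadmin role members on ${SqlInstance}:"
$sysadmins | ForEach-Object { "  $($_.login_name) ($($_.type_desc))" }

# 3. One line per SAP account, so a change after a patch or re-install is
#    visible when the script is run periodically and its output compared.
foreach ($acct in $sapAccounts) {
    $isLocalAdmin = [bool]($admins    | Where-Object { $_.Name       -like "*\$acct" })
    $isSysadmin   = [bool]($sysadmins | Where-Object { $_.login_name -like "*\$acct" })
    "{0,-25} LocalAdministrators={1,-5} SQLsysadmin={2}" -f $acct, $isLocalAdmin, $isSysadmin
}
```

The script only reads memberships; it changes nothing, so it can be run before and after any hardening discussed with SAP support to document the state of both accounts.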