Former Member

Concern about adm/SAPService premission on Windows Environment

Hi,

This is a real situation in which the customer's security team raised an issue. We have AS ABAP installed on Windows with MS SQL Server, and the <sapsid>adm user created by sapinst is a member of the local Administrators group. They see this as an issue and don't want any account except Administrator in the group. We have searched for some official document, but the customer still doesn't think it is necessary to have local administrator permission. My first question is: if we remove the "Administrators" membership from <sapsid>adm, what will happen? Does it break SAP support? Or will something else stop working?

It is not just an OS-level issue. With MS SQL Server, both the <sapsid>adm and SAPService<SID> accounts are created in MS SQL Server (for Windows integrated authentication), and they are granted the "sysadmin" role in MSSQL; the customer sees this as a big issue. Does anyone know why they must be sysadmin? What kind of tasks require the sysadmin right? Can we change the membership to a less powerful role?

Thanks


3 Answers

  • May 21 at 03:38 PM

    Hi,

    The SAP system administrator <sid>adm has unlimited access to all local resources related to SAP systems.

    The <sapsid>adm user also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

    <sapsid>adm has an SAP instance-specific environment (variables, registry settings, group membership) that allows this user to administer the SAP system in a proper manner. The user is a member of the local Administrators group and has sufficient privileges during special tasks such as upgrading and administrating an SAP instance.

    Customer-specific created users might not have this complete environment and are therefore not supported for SAP system administration tasks.

    See more information in the security guide in help library:

    https://help.sap.com/viewer/621bb4e3951b4a8ca633ca7ed1c0aba2/7.5.9/en-US/4d6bfe2cc59f2307e10000000a15822b.html

    Regarding the sysadmin role, the reason is the following:

    1. The work process uses Windows authentication to connect to the MS SQL Server instance. As the work process itself runs under the SAPService<SID> operating system user, the Windows authentication attempt will use the SAPService<SID> Windows authentication login on SQL Server side.
    2. As soon as the connection has been established successfully, the work process issues a setuser '<sid>' command in order to switch the connection from the SAPService<SID> Windows authentication login to the SQL Server login called <sid>. As the Windows authentication login SAPService<SID> has the sysadmin server role assigned, it can execute this command without providing the password of the <sid> login.

    Best regards,

    Manuel
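To verify the two points in this answer on a concrete instance, here is an added T-SQL audit script (example code, not from the thread or from SAP): it lists who currently holds sysadmin, checks the SAP accounts by name, and reproduces the setuser switch the work process performs after connecting. The SID PRD, the domain CORP and the lower-case database user prd are placeholders you replace with your own values.

```sql
-- Added audit example (not from the original thread or from SAP).
-- Placeholders: SID 'PRD', Windows domain 'CORP', SAP database user 'prd'.

-- 1. Inventory: every principal that is a member of the sysadmin server role.
--    Review this list against what the security team expects to see.
SELECT sp.name        AS login_name,
       sp.type_desc   AS login_type,     -- WINDOWS_LOGIN, SQL_LOGIN, ...
       sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals   AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- 2. Targeted check for the two SAP accounts discussed in the thread.
--    IS_SRVROLEMEMBER returns 1 if the login holds the role, 0 if not,
--    NULL if the login does not exist on this instance.
SELECT sp.name,
       IS_SRVROLEMEMBER(N'sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name IN (N'CORP\SAPServicePRD', N'CORP\prdadm');

-- 3. The switch the work process performs after connecting as SAPService<SID>.
--    SETUSER is a deprecated statement that only a sysadmin member (or the
--    db_owner of the current database) may run; without that membership the
--    call is rejected, which is why the role is required for the service login.
USE PRD;
SETUSER N'prd';
SELECT USER_NAME() AS effective_user;   -- now 'prd' on this connection
SETUSER;                                -- revert to the login's own context
```

Run part 3 as the SAPService<SID> login to confirm the impersonation works, and as a non-sysadmin login to see the statement refused.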


  • 
    Former Member
    May 22 at 03:24 AM

    Manuel,

    Thanks for your explanation. I'd like to tell customer the logic behind this design.

