login/no_automatic_user_sap* set to 0: What is the risk?

Former Member
Hello All,

I reviewed the RSPARAM report of an SAP instance and observed that the login/no_automatic_user_sap* is set to 0. The risk associated with this setting states that, "...access can be granted to SAP* at the system level. SAP* is a username defined in the system code for which no user master record is necessary. In order to prevent unauthorized access, the recommended value is 1. By default SAP is installed with a user master record SAP*. This user has the profile SAP_ALL with access to all transactions and programs in SAP. By default if this user master record is deleted then SAP allows logon using SAP* and a password of 'PASS'. Although the user master record does not exist, SAP grants unrestricted system access privileges to SAP*. By setting this parameter value to '0' this 'backdoor' access is not blocked in the event the SAP* user master record is deleted."

OK - An RSUSR003 report of the system indicates that SAP* exists; Password not trivial - Locked by Administrator.

The question is, does that mean since SAP* exists & not trivial and locked at the same time, the above risk of setting the login/no_automatic_user_sap* to 0 is mitigated?

I apologize for the long and winding question.

Thank you

1 ACCEPTED SOLUTION

Former Member
If you set the value to 0 it's not mitigated; it gets activated.

Please read this documentation I pulled from RZ11 tcode:

"Parameter description:

If the user master record belonging to user SAP* is deleted, it is possible to re-log on with SAP* and initial password. SAP* then has the following attributes:

- The user has all authorization, as authorization check cannot be executed.

- You cannot change the standard password PASS.

Using profile parameter login/no_automatic_user_sapstar, you can deactivate the special attributes of SAP*."

4 REPLIES

Former Member
Hi,

SAP* is an emergency user with administrative privileges. This user should be enabled in case of emergency situations like forgotten passwords of admin IDs, expiration of the SAP license and so on.

Once the parameter login/no_automatic_user_sap* is set to 0, the user SAP* will automatically be enabled with the default password after restarting the SAP instance (provided SAP* is deleted from the table USR02), thus allowing people to log in to the system during the situations listed above.

In your case, as the user SAP* is locked already, the risk is mitigated, but it is always good to keep this user disabled to avoid unauthorised administrative access to the SAP instance (and the underlying DB).

Hope this clarifies.

Regards,

Varadharajan M

This clarifies my issue. Thanks to everyone.

> In your case, as the user SAP* is locked already, the risk is mitigated but it is always good to keep this user disabled to avoid unauthorised administrative access to the SAP instance (and the underlying DB).

I disagree, the risk of misuse of SAP* is not mitigated. There is no requirement to keep SAP* available. It only takes someone to delete the user (via various ways) for the user to be available again. If the param = 1 then there is still the requirement to edit the parameter file and bounce the box for the ID to be available once the ID was deleted.
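A check that encodes the reasoning in this thread, added here as an example and not taken from the thread or from SAP: it combines the effective login/no_automatic_user_sapstar value with the per-client SAP* state that RSUSR003 reports and rates each client, so a locked SAP* with the parameter at 0 is still flagged. The RSPARAM line format and the SAP* records are constructed stand-ins, and the assumption that a missing parameter means the kernel default 1 is marked in the code.

```python
from dataclasses import dataclass

@dataclass
class SapStarState:
    """SAP* status in one client, as RSUSR003 reports it (constructed input)."""
    client: str
    master_record_exists: bool  # False = user master record deleted
    locked: bool                # locked by administrator
    trivial_password: bool      # e.g. still the default PASS

def parse_rsparam(text: str) -> dict:
    """Parse constructed RSPARAM-style lines: '<name> <user-defined value> <kernel default>'."""
    params = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        # Effective value is the user-defined one; '-' means unset, so the kernel default applies
        params[parts[0]] = parts[1] if parts[1] != "-" else parts[2]
    return params

def assess(params: dict, states: list) -> list:
    """Return (client, severity, reason) per client from parameter value and SAP* state."""
    # Assumption: kernel default is 1, so a missing parameter counts as 1
    backdoor_allowed = params.get("login/no_automatic_user_sapstar", "1") != "1"
    findings = []
    for s in states:
        if not s.master_record_exists and backdoor_allowed:
            sev, why = "CRITICAL", "no SAP* record: logon with PASS, all authorizations, password not changeable"
        elif not s.master_record_exists:
            sev, why = "INFO", "no SAP* record, parameter = 1: automatic user blocked"
        elif s.trivial_password and not s.locked:
            sev, why = "HIGH", "SAP* record has a trivial password and is not locked"
        elif backdoor_allowed:
            sev, why = "MEDIUM", "SAP* locked, but parameter = 0: deleting the record re-enables the automatic user"
        else:
            sev, why = "LOW", "SAP* locked and parameter = 1: deleting the record does not re-enable it"
        findings.append((s.client, sev, why))
    return findings

# Constructed sample data, not real system output
RSPARAM_SAMPLE = """# name                           user-value  default
login/no_automatic_user_sapstar  0           1
login/min_password_lng           -           6
"""
SAPSTAR_SAMPLE = [
    SapStarState("000", master_record_exists=True, locked=True, trivial_password=False),
    SapStarState("100", master_record_exists=False, locked=False, trivial_password=False),
    SapStarState("200", master_record_exists=True, locked=False, trivial_password=True),
]
```

Running `assess(parse_rsparam(RSPARAM_SAMPLE), SAPSTAR_SAMPLE)` rates client 000 MEDIUM, 100 CRITICAL and 200 HIGH; with the parameter corrected to 1, 000 drops to LOW and 100 to INFO while 200 stays HIGH because its trivial password is independent of the parameter.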