12-24-2010 6:52 AM
If I know the password of SAP* in client 000, what is the impact on other clients in the same SAP system? Are there any shared parameters/programs/reports/data that are used by all the clients? May I change the settings of other clients by logging in to client 000 with SAP*?
Thanks,
Fred
12-24-2010 7:01 AM
Hi Fred,
Client 000 holds the cross-client information. The best examples are the T000, E070, USR40 and SSM_CUST tables (there are many). If you have access to SAP*, you may make some changes in these cross-client tables, which will affect the other clients too. The other area is SAP system parameters, which are set system-wide.
Hence, it is recommended to keep the SAP* & DDIC user IDs secure. The login/no_automatic_user_sapstar profile parameter controls the emergency user SAP* (refer to SAP Notes 2383 and 68048), and if the SAP* password is trivial too, it will not allow anyone to log in using it.
Hope this helps!!
Regards,
Raghu
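A check for the profile parameter named in the reply above, as an added example that is not part of the original thread or any SAP tooling. It assumes the usual `name = value` profile syntax, that the instance profile overrides DEFAULT.PFL, and that value 1 disables the automatic SAP* user; the profile contents are constructed sample data.

```python
PARAM = "login/no_automatic_user_sapstar"

# Constructed sample profiles (not from a real system).
DEFAULT_PFL = "SAPSYSTEMNAME = QAS\nlogin/no_automatic_user_sapstar = 1\n"
INSTANCE_PFL = "# instance-level override\nlogin/no_automatic_user_sapstar = 0\n"


def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment line. Last assignment wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def effective_value(default_pfl, instance_pfl):
    """Return (value, source); the instance profile takes precedence over DEFAULT.PFL."""
    for source, text in (("instance profile", instance_pfl), ("DEFAULT.PFL", default_pfl)):
        params = parse_profile(text)
        if PARAM in params:
            return params[PARAM], source
    return None, None


def audit(default_pfl, instance_pfl):
    """Classify the effective setting as OK, FAIL or REVIEW, with a reason."""
    value, source = effective_value(default_pfl, instance_pfl)
    if value is None:
        # The kernel default applies; this script cannot know it, so flag for review.
        return "REVIEW", f"{PARAM} not set in either profile; check the active value in RZ11"
    if value == "1":
        return "OK", f"automatic SAP* user disabled (set in {source})"
    return "FAIL", f"automatic SAP* user enabled: value {value!r} in {source}"


if __name__ == "__main__":
    print(audit(DEFAULT_PFL, INSTANCE_PFL))
```

The sample pair shows the case worth catching: DEFAULT.PFL looks safe, but an instance-level override re-enables the automatic user.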
12-24-2010 9:21 AM
Hi Raghu,
Thanks for your answer. One more question: if I know the password of SAP* on client 000 in the QAS environment, is it possible to have an impact on clients in the Production environment? Is it possible that I change common parameters or cross-client tables in the QAS environment, and these changes are transported to the Production environment?
Thanks for your help!
Fred
12-24-2010 9:29 AM
Hi Fred,
Yes. There are a lot of RFCs that can be used to connect to the other systems, which include the production systems too. SAP* will have the SAP_ALL and SAP_NEW profiles, which give access to lots of critical authorization objects, including S_RFC, S_TABU* etc.
As highlighted in the earlier replies by me and Julius, it's highly recommended to secure it.
Regards,
Raghu
12-24-2010 9:19 AM
With SAP* in any client you can take full control of the system, any client in it and 9 times out of 10 all other systems in the same network and even beyond, in about 2 minutes flat!
Better to secure that one...
Julius