Protecting the Database Standard Logins

The table below shows the standard logins that are necessary for the SAP system to connect to the database.

SQL Server Standard Logins

Logins                  Type
sa                      DB administrator
SAP<SAPSID>DB           DB user
<sapsid>                Login for MCOD systems
<sapsid>adm             Operating system account
SAPService<SAPSID>      Operating system account

To prevent unauthorized use of the associated privileges of these logins, you should change their passwords.

Be aware that <sapsid>, <sapsid>adm, and SAPService<SAPSID> have system administrator rights. If, for example, you run two SAP systems on one instance, each of these users has access to both systems.

Protecting sa and <sapsid> logins

The login sa is not needed for standard operations.

The user logins sa and <sapsid> have system administration privileges for MS SQL Server. Anyone who logs on as sa or <sapsid> can perform all the tasks available on the server without any restrictions. Initially, no password is assigned to sa. It is therefore important to assign a password to this user directly after the installation of the SAP system. For more information, see Changing Passwords for SQL Server Logins.

Protecting <sapsid>adm and SAPService<SAPSID> Logins

The <sapsid>adm and SAPService<SAPSID> logins can connect to the database using the Windows authentication mode. You should therefore change their passwords if necessary. For more information, see Changing Passwords of Windows Accounts.

Be aware that after changing the password for <sapsid>adm and SAPService<SAPSID>, you also need to specify the new password in the services used for the SAP system.
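
To check the state of the standard logins described above, the following T-SQL query reports which of them exist on the instance, whether each is a member of sysadmin, and whether a SQL Server login still has a blank password. It is an added example, not part of the original SAP documentation. It assumes a constructed SAP system ID PRD and that it is run by a login with sufficient rights (for example sysadmin) to read password hashes.

```sql
-- Added example: audit the standard SAP logins on one SQL Server instance.
-- 'PRD' is a constructed SAP system ID; replace it with your own <SAPSID>.
DECLARE @sid sysname = N'PRD';

SELECT
    p.name                                        AS login_name,
    p.type_desc                                   AS login_type,   -- SQL_LOGIN or WINDOWS_LOGIN
    p.is_disabled,
    IS_SRVROLEMEMBER('sysadmin', p.name)          AS is_sysadmin,  -- 1 = unrestricted server access
    CASE WHEN l.password_hash IS NOT NULL
          AND PWDCOMPARE(N'', l.password_hash) = 1
         THEN 1 ELSE 0 END                        AS has_blank_password,
    l.is_policy_checked,                          -- NULL for Windows logins
    LOGINPROPERTY(p.name, 'PasswordLastSetTime')  AS password_last_set
FROM sys.server_principals AS p
LEFT JOIN sys.sql_logins   AS l
       ON l.principal_id = p.principal_id
WHERE p.type IN ('S', 'U')                        -- SQL logins and Windows logins
  AND (   p.sid  = 0x01                           -- sa, also when it has been renamed
       OR p.name = LOWER(@sid)                    -- <sapsid>, login for MCOD systems
       OR p.name = N'SAP' + @sid + N'DB'          -- SAP<SAPSID>DB
       OR p.name LIKE N'%\' + LOWER(@sid) + N'adm'    -- <domain or host>\<sapsid>adm
       OR p.name LIKE N'%\SAPService' + @sid)         -- <domain or host>\SAPService<SAPSID>
ORDER BY has_blank_password DESC, is_sysadmin DESC, p.name;
```

Any row with has_blank_password = 1 needs a password assigned immediately. For the Windows accounts the password itself is managed in Windows, so only the is_sysadmin and is_disabled columns are meaningful for them.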