Protecting the Operating System Users Used in an SAP System

This chapter shows the users that exist or are needed in an SAP system on Windows, and the appropriate precautions that you should take for them.

Overview of SAP System-Related Users

User type          User                  Function and Rights
Windows users      Administrator         The local superuser who has unlimited access to all local resources.
                   Guest                 A local guest account who has guest access to all local resources.
SAP system users   <sapsid>adm           The SAP system administrator who has unlimited access to all local resources related to SAP systems.
                   SAPService<SAPSID>    A special user who runs the Windows services related to SAP systems. For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.
Database users     <DBservice>           One or more special users who run database-specific Windows services or access the database resources with utility programs.
                   <DBuser>              Some databases also need certain users at the operating system level.

·        Windows automatically creates the users Administrator and Guest during installation. They are not needed for SAP system operations.

·        The database users <DBservice> and <DBuser> are typical users. However, the exact users that you need depend on the database you use.

Protecting Administrator

The Windows built-in super user Administrator has unlimited access to all Windows resources. For example, Administrator can:

·        Create, manage, and become the owner of all data files, hard disks, and file shares.

·        Create and manage local users and their rights.

·        Create and manage peripherals, kernel services, and user services.

To protect this account, rename it and keep its password secret. Create other users for administrative tasks and limit their rights to the tasks for which they are used (for example, user administrators, backup operators, or server operators).

Protecting <sapsid>adm

<sapsid>adm is the Windows superuser for SAP system administration. This user is created during the SAP system installation process, normally as a domain user for the SAP system. This user can therefore log on to all Windows machines in the domain. <sapsid>adm also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

To protect this user from unauthorized access, take the following precautions:

·        Change its password regularly.

·        Restrict its access rights to instance-specific resources for the SAP system only.

Although <sapsid>adm may access SAP system files, a different user runs the SAP system itself, namely SAPService<SAPSID>.

Protecting SAPService<SAPSID>

For IBM DB2 Universal Database for UNIX and Windows this user is called sapse<sapsid>.

SAPService<SAPSID> is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources. This user may log on locally on all Windows machines in the domain.

Since the SAP system must run even if no user is logged onto the local Windows machine, the SAP system runs as a Windows service. Therefore, during installation, the user SAPService<SAPSID> receives the right to Log on as a service on the local machine.

SAPService<SAPSID> also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

It is rather difficult to change this user's password. To change the password for a Windows service user, you need to stop the service, edit its start-up properties, and restart it. Therefore, to change this user's password, you need to stop the SAP system.

To protect SAPService<SAPSID>, take the following precautions:

·        Cancel the user’s right to Log on locally.

·        Restrict its access rights to instance-specific and database-specific resources only.

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access it from the presentation servers. You then do not have to set an expiration date for the password, and you can disable the setting change passwd at logon.
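The precautions described above for Administrator and SAPService<SAPSID> can be audited on the SAP host. The following script is an added example and is not part of the SAP guide; it assumes an elevated PowerShell session on a Windows version that ships the LocalAccounts module (Windows Server 2016 or later) and takes the service account name as a parameter.

```powershell
# Added audit script (not from the SAP guide). Assumes an elevated PowerShell session on the
# SAP host and a service account name such as 'MYDOMAIN\SAPServiceXYZ' passed as parameter.
param(
    [Parameter(Mandatory = $true)][string]$ServiceAccount,   # e.g. 'MYDOMAIN\SAPServiceXYZ'
    [string]$ExportPath = (Join-Path $env:TEMP 'sap-user-rights.inf')
)

# secedit writes accounts as SIDs ("*S-1-5-21-..."), so resolve the account to its SID first.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment part of the local security policy.
secedit /export /cfg $ExportPath /areas USER_RIGHTS /quiet | Out-Null

# Parse "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-..." lines into right -> list of SIDs/names.
$rights = @{}
foreach ($line in Get-Content $ExportPath) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $ExportPath -ErrorAction SilentlyContinue

function Test-HasRight([string]$Right) {
    # True when the account is listed directly for the right; grants inherited via groups are not visible here.
    $holders = $rights[$Right]
    return ($null -ne $holders) -and (($holders -contains $sid) -or ($holders -contains $ServiceAccount))
}

# The built-in Administrator always has a SID ending in -500, whatever it has been renamed to.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Expected state from the guide: the service user logs on as a service but never interactively,
# and the built-in Administrator no longer carries its default name.
$findings = @(
    [pscustomobject]@{ Check = 'Service user: Log on as a service granted'; Pass = (Test-HasRight 'SeServiceLogonRight') }
    [pscustomobject]@{ Check = 'Service user: Log on locally not granted';  Pass = (-not (Test-HasRight 'SeInteractiveLogonRight')) }
    [pscustomobject]@{ Check = 'Service user: Deny log on locally set';     Pass = (Test-HasRight 'SeDenyInteractiveLogonRight') }
    [pscustomobject]@{ Check = 'Built-in Administrator (RID 500) renamed';  Pass = ($builtinAdmin.Name -ne 'Administrator') }
)
$findings | Format-Table -AutoSize
```

The secedit export lists only rights granted directly to an account; a right the service user inherits through group membership (for example, Users holding Allow log on locally) does not appear, which is why the explicit Deny log on locally check is the reliable one.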

Protecting <DBservice> and <DBuser>

As with the SAP system itself, the database must also run even if no user is logged on to the Windows machine. Therefore, the database must run as a service. During the database installation process, the user <DBservice> receives the right to Log on as a service on the local machine.

Overview of Database-Related Users

In addition, the various databases use various operating system users for their administration. To protect these users, we recommend changing their passwords. For more information, see the corresponding topics under Database Access Protection.

Database                                          Operating System User                 Function
Oracle                                            Local System Account                  Runs all Oracle services
                                                  <sapsid>adm                           User for SAP system and database administration
                                                  SAPService<SAPSID>                    Runs the SAP system
MS SQL Server                                     Local System Account                  Runs all MS SQL Server services
                                                  <sapsid>adm                           User for SAP system and database administration
                                                  SAPService<SAPSID>                    User for database administration
                                                  SAPMssXPUser                          User for Job System
Informix                                          <sapsid>adm                           Runs the SAP system
                                                  informix                              Database administrator
MaxDB                                             Local System Account                  Runs all MaxDB services
                                                  <sapsid>adm                           User for SAP system and database administration
                                                  SAPService<SAPSID>                    Runs the SAP system
IBM DB2 Universal Database for UNIX and Windows   <sapsid>adm                           SAP system administrator
                                                  sapse<sapsid>                         SAP service account
                                                  db2<dbsid>                            Database administrator
                                                  Connect user: sapr3 or sap<sapsid>    User for SAP system database objects

You should be aware that the user SYSTEM is a virtual user with no password. (You cannot log on as user SYSTEM.) However, this user has complete access to the local Windows system.