13.07.2015 Views

System Administration Made Easy


Chapter 11: Security Administration
Operational Security

1. Log on using SAP* and DDIC to determine if someone has changed the password.
2. Periodically change the password for these users in all:
   - Systems
   - Clients in those systems
   This step prevents a person who knows the password from accessing the system.
3. Update the secured password list.
4. Verify that the system profile parameter login/no_automatic_user_sapstar has been configured, to prevent the use of the automatic user sap*.
   If the user ID has been deleted, this step prevents the “backdoor” usage of user sap*.

Change management is the process of controlling what changes are made to the system. In this context, “system” refers to the entire system environment, not just R/3.

One aspect of security is to control and know what changes are made to the system.

Item of concern:
- Is there a change management procedure for changes being made to the R/3 System?
- Is a QA testing process in place?
- Are reviews and approvals required to move changes into the production system?

This process occurs when more than one person uses a single user ID.

This issue is a security concern because:
- There is no way to tell who is doing the activity.
- If there is a training problem, you do not know who needs training.
- If there is a deliberate security breach, there is no way to track the responsible party.

Despite the cautionary statements above, there are a few situations where it is not practical to have individual user IDs. These situations must be treated individually and with management and internal audits review and approval.

System Administration Made Easy 11–27
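A check for step 4 of the list above, as an added example that is not part of the original book: it parses profile text and reports whether login/no_automatic_user_sapstar is set to 1, the value that disables the automatic SAP* user. The function names, the sample profile contents, and the rule that the instance profile overrides the default profile are assumptions of this example.

```python
# Added example: audit SAP profile text for login/no_automatic_user_sapstar.
PARAM = "login/no_automatic_user_sapstar"


def parse_profile(text):
    """Return {parameter: value} from profile text in 'name = value' form."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments (a commented-out entry is not set)
        name, sep, value = line.partition("=")
        if sep:
            # Assumption: a later entry for the same name replaces an earlier one.
            params[name.strip()] = value.strip()
    return params


def audit_sapstar(default_pfl, instance_pfl=""):
    """Classify the effective setting of PARAM across both profiles."""
    # Assumption: values in the instance profile override the default profile.
    effective = {**parse_profile(default_pfl), **parse_profile(instance_pfl)}
    value = effective.get(PARAM)
    if value is None:
        return "NOT_SET"  # kernel default applies; confirm it in the running system
    if value == "1":
        return "OK"       # automatic SAP* user is disabled
    return "FAIL"         # 0 permits automatic SAP*; any other value is flagged too


# Constructed sample profiles (not taken from a real system).
DEFAULT_PFL = """\
# default profile (constructed)
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 1
"""
INSTANCE_PFL_WEAK = """\
# instance profile (constructed) that re-enables the automatic user
login/no_automatic_user_sapstar = 0
"""
COMMENTED_OUT = "#login/no_automatic_user_sapstar = 1\n"

if __name__ == "__main__":
    print("default only:        ", audit_sapstar(DEFAULT_PFL))
    print("instance override:   ", audit_sapstar(DEFAULT_PFL, INSTANCE_PFL_WEAK))
    print("entry commented out: ", audit_sapstar(COMMENTED_OUT))
```

The override case is the one to watch: a correct default profile still yields FAIL when a single instance profile sets the parameter back to 0.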
