This section describes the users that exist or are needed in an SAP system on Windows, and the security settings you should apply to them.
| User type | User | Function and Rights |
|---|---|---|
| Windows built-in users | Administrator | The local user who has unlimited access to all local resources. |
| | Guest | A local guest account with guest access to all local resources. The guest account is disabled on a standard Windows Server 2008 (R2) installation. |
| | (local system account) | The user |
| SAP system users | <sapsid>adm | The SAP system administrator, who has unlimited access to all local resources related to SAP systems. |
| | SAPService<SAPSID> | A special user who runs the Windows services related to SAP systems. |
| Database users | (database-specific) | One or more special users who run database-specific Windows services or access database resources with utility programs. Some databases also need certain users at the operating system level. Their names and availability depend on the database you use; for more information, see the database-specific security guide for Windows. |
Note

Windows automatically creates the users Administrator and Guest during the installation. You do not need them for SAP system operations.
Windows Server 2008 (R2) introduces a security concept called User Account Control (UAC). When UAC is enabled (the default setting), a process started by a member of the local Administrators group does not automatically run with the privileges of that group: it receives a filtered token in which the Administrators membership can only be used to deny access. To use the membership, the user must start the program elevated, for example by right-clicking its entry in Windows Explorer and choosing Run as Administrator.
Non-authenticated users (users who have not supplied a valid user name and password) can access resources on a computer only if the guest account is enabled. The Windows built-in group Everyone includes both authenticated users and guests, so with the guest account enabled every resource secured with Everyone becomes reachable without credentials. SAP strongly recommends that you keep the guest account disabled.
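The two points above, the UAC filtered token and the state of the guest account, can be checked from PowerShell. The following script is an added example and is not part of the SAP guide. It assumes nothing beyond a Windows host; the WinNT ADSI provider is used instead of the newer Get-LocalUser cmdlet so that it also works on Windows Server 2008 (R2).

```powershell
# Added example, not part of the SAP guide. Shows (1) whether the current
# process holds an elevated token or only a UAC-filtered one, and (2) whether
# the built-in Guest account is disabled, with an option to disable it.

function Get-ElevationState {
    # Under UAC a member of Administrators gets two tokens. In the filtered
    # (non-elevated) one the Administrators SID is still present but marked
    # "use for deny only": IsInRole() returns $false although the SID is listed
    # in Groups. Both facts together distinguish the three cases below.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    $groupSids = $identity.Groups | ForEach-Object { $_.Value }
    $inGroup   = $groupSids -contains $adminSid
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $state = if (-not $inGroup) { 'Not a member of Administrators' }
             elseif ($elevated)  { 'Elevated (Administrators membership usable)' }
             else { 'Member of Administrators, but running with a filtered token; use Run as Administrator' }

    New-Object PSObject -Property @{ User = $identity.Name; State = $state }
}

function Get-GuestAccountState {
    param([switch] $Disable)
    # The WinNT ADSI provider is available on Windows Server 2008 (R2), where
    # the LocalAccounts cmdlets (Get-LocalUser) do not exist. If the Guest
    # account was renamed, adjust the name in the path below.
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    $ADS_UF_ACCOUNTDISABLE = 0x2
    $flags = [int]$guest.UserFlags.Value

    if ($Disable -and -not ($flags -band $ADS_UF_ACCOUNTDISABLE)) {
        $guest.UserFlags = $flags -bor $ADS_UF_ACCOUNTDISABLE
        $guest.SetInfo()
        $flags = [int]$guest.UserFlags.Value
    }

    New-Object PSObject -Property @{
        Account  = 'Guest'
        Disabled = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
    }
}

Get-ElevationState
Get-GuestAccountState            # add -Disable to enforce the SAP recommendation
```

Run the script twice, once from a normal PowerShell window and once from one started with Run as Administrator: the same account reports a filtered token in the first case and an elevated one in the second. Disabling the guest account is a write to the local SAM and therefore itself needs the elevated window.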
The Windows built-in user Administrator has unlimited access to all Windows resources. However, the built-in Administrator cannot access resources on other computers unless an account with the same name and the same password exists on those computers.

The user Administrator can do the following:

- Create, manage, and take ownership of all data files, hard disks, and file shares.
- Create and manage local users and their rights.
- Create and manage peripherals, kernel services, and user services.

Rename this account and keep its password secret. Create other users for administrative tasks and limit their rights to those tasks (for example, user administrators, backup operators, or server operators).
The <sapsid>adm user is the Windows user for SAP system administration. It is created during the SAP system installation, normally as a domain user, and can therefore log on to all Windows machines in the domain. The <sapsid>adm user needs full access to all instance-specific resources of the SAP system, such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

<sapsid>adm has an SAP instance-specific environment (environment variables, registry settings, group memberships) that allows this user to administer the SAP system properly. The user is a member of the local Administrators group and therefore has sufficient privileges for special tasks such as upgrading and administering an SAP instance. Users created by the customer do not have this complete environment and are therefore not supported for SAP system administration tasks.
To protect this user from unauthorized access, take the following precautions:

- Change the password regularly.
- Restrict its access rights to the instance-specific resources of the SAP system.
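Restricting access to instance-specific resources is only as good as the NTFS ACLs that implement it, and ACEs for Everyone or BUILTIN\Users inherited from the drive root are a common way for the restriction to silently fail. The following audit script is an added example, not part of the SAP guide or of the SAP installer. It assumes the instance directory lives under %SystemDrive%\usr\sap\<SAPSID> and uses the SAPSID "C11" as a placeholder; the expected principal set (SYSTEM, the local Administrators group, <sapsid>adm and SAPService<SAPSID>) follows this section, and any further group your installation legitimately uses can be passed in.

```powershell
# Added example, not part of the SAP guide. Lists every Allow ACE in an SAP
# instance directory tree that grants rights to a principal outside the set the
# guide expects. Path and SAPSID are placeholders; adjust to your installation.

function Get-UnexpectedSapAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,                 # e.g. C:\usr\sap\C11
        [Parameter(Mandatory)] [string]   $Sapsid,               # e.g. C11
        [string]   $Domain = $env:USERDOMAIN,
        [string[]] $AdditionalPrincipals = @()                   # groups you know are legitimate
    )
    # Principals that, according to the guide, legitimately need access.
    $allowed = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        "$Domain\$($Sapsid.ToLower())adm",
        "$Domain\SAPService$($Sapsid.ToUpper())"
    ) + $AdditionalPrincipals

    $root = (Get-Item -LiteralPath $Path).FullName
    # Every ACE is reported on the root; below it only explicit ACEs matter,
    # because inherited ones just repeat what the parent already showed.
    $targets = @(Get-Item -LiteralPath $root) +
               @(Get-ChildItem -LiteralPath $root -Recurse -Directory -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($item.FullName -ne $root -and $ace.IsInherited) { continue }
            if ($allowed -contains $ace.IdentityReference.Value) { continue }   # case-insensitive
            New-Object PSObject -Property @{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value   # typical findings: Everyone, BUILTIN\Users
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage with placeholder values: report unexpected grants on the C11 instance tree.
Get-UnexpectedSapAccess -Path "$env:SystemDrive\usr\sap\C11" -Sapsid 'C11' |
    Format-Table Path, Principal, Rights, Inherited -AutoSize
```

An empty result means every Allow entry on the tree belongs to one of the expected principals. Inherited entries reported on the root point at the parent directory (often the drive root) as the place to fix; explicit entries deeper in the tree were added after installation and deserve individual review.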
Although <sapsid>adm can access the SAP system files, a different user runs the SAP system itself, namely SAPService<SAPSID>.

SAPService<SAPSID> is also created during the SAP system installation, usually as a domain user, to run the SAP system and to manage database resources. Because the SAP system must run even when no user is logged on to the local Windows machine, it runs as a Windows service. Therefore, during the installation the user SAPService<SAPSID> is granted the right Log on as a service on the local machine.

SAPService<SAPSID> also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.
Note

Changing the password of this user is laborious: you must stop the service, change the password of the service user, enter the new password in the logon settings of the service (its start-up properties), and restart the service. Since the SAP system runs under this service, changing the password means stopping the SAP system.

In addition, prevent this service user from logging on interactively. This prevents misuse by users who try to access the system from the presentation servers. It also means you do not have to set a password expiration date, and you can disable the setting User must change password at next logon.
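The password-change procedure in the note, carried out in PowerShell, as an added example that is not part of the SAP guide. It assumes that all SAP services of the system run under the same SAPService<SAPSID> account and that the host can reach the domain; the account name "CORP\SAPServiceC11" is a placeholder, and the ActiveDirectory module (RSAT) is assumed for the domain-account case. The point the example makes beyond the note is that every service using the account must be stopped and updated before any of them is restarted: a service restarted with the old password in the Service Control Manager fails to log on once the account password has changed.

```powershell
# Added example, not part of the SAP guide. Rotates the password of the service
# account: stop all services that run as the account, change the account
# password, store the new password in each service's logon configuration, and
# start the services again. Account name is a placeholder.

function Set-SapServicePassword {
    param(
        [Parameter(Mandatory)] [string]       $Account,      # DOMAIN\SAPService<SAPSID>
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [string[]] $ServiceName                               # default: every service running as $Account
    )
    # Win32_Service reports local accounts as ".\name"; normalize before comparing.
    $services = @(Get-CimInstance Win32_Service | Where-Object {
        ($_.StartName -replace '^\.\\', "$env:COMPUTERNAME\") -ieq $Account })
    if ($ServiceName) { $services = @($services | Where-Object { $ServiceName -contains $_.Name }) }
    if (-not $services) { throw "No service on this host runs as $Account" }

    # 1. Stop every service that uses the account (this stops the SAP system).
    foreach ($svc in $services) {
        Stop-Service -Name $svc.Name -Force
        (Get-Service -Name $svc.Name).WaitForStatus('Stopped', [timespan]::FromMinutes(5))
    }

    # 2. Change the account password: domain account through AD, local account
    #    through the WinNT provider.
    $plain = (New-Object System.Net.NetworkCredential('', $NewPassword)).Password
    $domain, $sam = $Account -split '\\', 2
    if ($domain -eq '.' -or $domain -ieq $env:COMPUTERNAME) {
        $user = [ADSI]"WinNT://$env:COMPUTERNAME/$sam,user"
        $user.SetPassword($plain)
        $user.SetInfo()
    } else {
        Set-ADAccountPassword -Identity $sam -Reset -NewPassword $NewPassword
    }

    # 3. Write the new credentials into each service's start-up properties.
    #    Win32_Service.Change returns 0 on success.
    foreach ($svc in $services) {
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName = $Account; StartPassword = $plain
        }
        if ($result.ReturnValue -ne 0) {
            throw "Updating logon credentials of $($svc.Name) failed (return code $($result.ReturnValue))"
        }
    }

    # 4. Start the SAP system again.
    foreach ($svc in $services) { Start-Service -Name $svc.Name }
}

# Usage with a placeholder account; prompts for the new password without echo.
# Set-SapServicePassword -Account 'CORP\SAPServiceC11' -NewPassword (Read-Host -AsSecureString 'New password')
```

The plain-text copy of the password exists only inside the function because Win32_Service.Change accepts nothing else; it is not written to disk or to the console. Run the function from an elevated session on the SAP host, during a maintenance window, since step 1 takes the system down.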
Do not include the SAPService<SAPSID> user in the local Administrators group of the Windows operating system.
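The requirements this section places on SAPService<SAPSID> (it runs the SAP services, holds Log on as a service, is denied interactive logon, has a non-expiring password without a forced change at next logon, and is not a member of local Administrators) can be verified in one pass. The following script is an added example, not part of the SAP guide. It assumes an elevated PowerShell session on the SAP host (secedit needs it) and uses "CORP\SAPServiceC11" as a placeholder account name; the deny-remote-interactive check is a hardening step of the example, not something the section requires.

```powershell
# Added example, not part of the SAP guide. Audits the SAPService<SAPSID>
# account settings described in this section on the local host. Run elevated.

function Test-SapServiceAccount {
    param([Parameter(Mandatory)] [string] $Account)   # DOMAIN\SAPService<SAPSID>

    $domain, $sam = $Account -split '\\', 2
    if ($domain -eq '.') { $domain = $env:COMPUTERNAME }
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # User rights assignment: export the local policy; privilege lines look like
    # "SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...-1105" (SIDs prefixed with *).
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue

    # Account flags through the WinNT provider (works for domain and local accounts).
    $user = [ADSI]"WinNT://$domain/$sam,user"
    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $flags = [int]$user.UserFlags.Value

    # Local Administrators membership, compared by ADsPath to avoid name clashes
    # between a local and a domain account of the same name.
    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }

    $services = @(Get-CimInstance Win32_Service | Where-Object {
        ($_.StartName -replace '^\.\\', "$env:COMPUTERNAME\") -ieq $Account })

    New-Object PSObject -Property @{
        Account                 = $Account
        RunsServices            = ($services | ForEach-Object { $_.Name }) -join ','
        HasLogonAsService       = $rights['SeServiceLogonRight'] -contains $sid
        DeniedInteractiveLogon  = $rights['SeDenyInteractiveLogonRight'] -contains $sid
        DeniedRemoteInteractive = $rights['SeDenyRemoteInteractiveLogonRight'] -contains $sid
        PasswordNeverExpires    = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
        MustChangeAtNextLogon   = ([int]$user.PasswordExpired.Value -eq 1)
        InLocalAdministrators   = [bool]($members -match "^WinNT://$domain/${sam}`$")
    }
}

# Usage with a placeholder account name.
Test-SapServiceAccount -Account 'CORP\SAPServiceC11' | Format-List
```

A compliant account shows HasLogonAsService, DeniedInteractiveLogon and PasswordNeverExpires as True and MustChangeAtNextLogon and InLocalAdministrators as False, with RunsServices naming the SAP services. Rights granted to the account only through group membership do not appear in the exported policy as the account's own SID, so a False for a right the account demonstrably has points at a group grant, not at a missing right.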