Windows Operating System User Settings in an SAP System

This section describes the users that exist or are needed in an SAP system on Windows, and the security settings to apply to them.

Overview of SAP System-Related Users

| User type | User | Function and Rights |
|---|---|---|
| Windows built-in users | Administrator | The local user who has unlimited access to all local resources. |
| Windows built-in users | Guest | A local guest account that has guest access to all local resources. The guest account is disabled on a standard Windows Server 2008 (R2) installation. |
| Windows built-in users | SYSTEM (local system account) | The user SYSTEM is a built-in account without a password. You cannot log on as user SYSTEM. However, this account has complete access to the local Windows system. |
| SAP system users | <sapsid>adm | The SAP system administrator who has unlimited access to all local resources related to SAP systems. |
| SAP system users | SAPService<SAPSID> | A special user who runs the Windows services related to SAP systems. |
| Database users | <database-specific users> | One or more special users who run database-specific Windows services or access the database resources with utility programs. Some databases also need certain users at the operating system level. Their name and availability depend on the database you use. For more information, see the database-specific security guide on Windows. |

Note

Note the following:

  • Windows automatically creates the users Administrator and Guest during the installation. You do not need them for SAP system operations.

  • Windows Server 2008 (R2) introduces a new security concept called User Account Control (UAC). When User Account Control is enabled (the default setting), a process running on Windows Server 2008 (R2) does not automatically receive the privileges of the local Administrators group, even if the account running it is a member of this group. The user has to elevate a process to use the Administrators group membership, by right-clicking the program entry in Windows Explorer (Start > Programs > <Program Entry>) and starting it with Run as Administrator.

  • The guest account must be enabled to grant non-authenticated users (users who have not specified a valid user name and password) access to resources on a computer. The Windows built-in group Everyone includes authenticated users and guests. However, non-authenticated guest users only have access to resources that are secured with Everyone if the guest account is enabled. SAP strongly recommends disabling the guest account.

End of the note.
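The UAC behaviour described in the note above is easy to misread when checking a host: an account can be a member of Administrators while the process it started is not elevated. The following PowerShell script is an added example (not part of the SAP documentation) that reports whether UAC is switched on, whether the current account is in the local Administrators group, and whether the current process actually holds an elevated token; if not, it relaunches itself with the equivalent of Run as Administrator. It reads only the standard EnableLUA policy value and the current token; no SAP-specific names are assumed.

```powershell
# Added example, not SAP's own code. Distinguishes group membership from
# an elevated token under User Account Control.

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is switched on (the default).
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($value -eq 1)
}

function Test-AdminGroupMember {
    # Is the account a member of BUILTIN\Administrators at all? With UAC on,
    # the group is still present in a filtered token (marked deny-only).
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $adminSid = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    return [bool]($identity.Groups | Where-Object { $_ -eq $adminSid })
}

function Test-ProcessElevated {
    # IsInRole ignores deny-only groups, so this is true only for an elevated
    # process (or when UAC is disabled and the full token is used directly).
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

Write-Host ("UAC enabled:              {0}" -f (Test-UacEnabled))
Write-Host ("Member of Administrators: {0}" -f (Test-AdminGroupMember))
Write-Host ("Current process elevated: {0}" -f (Test-ProcessElevated))

if ((Test-AdminGroupMember) -and -not (Test-ProcessElevated) -and $PSCommandPath) {
    # Same effect as right-click > Run as Administrator: start a new, elevated
    # PowerShell that runs this script again. UAC prompts for consent.
    Write-Host 'Process is not elevated; relaunching with Run as Administrator.'
    Start-Process -FilePath 'powershell.exe' -Verb RunAs `
        -ArgumentList "-NoExit -File `"$PSCommandPath`""
}
```

Run the script once from a normal PowerShell window and once from an elevated one: the membership line stays the same in both, while only the elevated window reports the process as elevated. This is exactly the case SAP administrators hit when an <sapsid>adm session cannot write to instance resources despite being in the Administrators group.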

Security Settings for Administrator

The Windows built-in user Administrator has unlimited access to all Windows resources. However, the built-in user Administrator cannot access resources that are located on other computers, except when this user already exists and has the same password on these computers.

The user Administrator can do the following:

  • Create, manage, and become the owner of all data files, hard disks, and file shares.

  • Create and manage local users and their rights.

  • Create and manage peripherals, kernel services, and user services.

To protect this account, change its user name and keep its password secret. Create other users for administrative tasks and limit their rights to the tasks they are used for (for example, user administrators, backup operators, or server operators).

Security Settings for <sapsid>adm

The <sapsid>adm user is the Windows user for SAP system administration. This user is created during the SAP system installation process, normally as a domain user for the SAP system. This user can therefore log on to all Windows machines in the domain. The <sapsid>adm user also needs full access to all instance-specific resources for the SAP system such as files, shares, peripheral devices (for example, tape drives or printers), and network resources (for example, the SAProuter service).

<sapsid>adm has an SAP instance-specific environment (variables, registry settings, group membership) that allows this user to administer the SAP system properly. The user is a member of the local Administrators group and has sufficient privileges for special tasks such as upgrading and administering an SAP instance.

Users created by customers might not have this complete environment and are therefore not supported for SAP system administration tasks.

To protect this user from unauthorized access, take the following precautions:

  • Change the password regularly.

  • Restrict the access rights to instance-specific resources for the SAP system only.

Although <sapsid>adm can access SAP system files, a different user runs the SAP system itself, namely SAPService<SAPSID>.

Security Settings for SAPService<SAPSID>

SAPService<SAPSID> is also created during the SAP system installation. It is usually created as a domain user to run the SAP system and to manage database resources.

Since the SAP system must run even if no user is logged on to the local Windows machine, the SAP system runs as a Windows service. Therefore, during the installation, the user SAPService<SAPSID> receives the right to Log on as a service on the local machine.

SAPService<SAPSID> also administers the SAP system and database resources within the Computing Center Management System (CCMS). Therefore, it needs full access to all instance-specific and database-specific resources such as files, shares, peripheral devices, and network resources.

Note

It is rather difficult to change the password of this user. To change the password for a Windows service user, you must stop the service, change the password for the service user, edit the start-up properties of the service, and restart it. Therefore, to change the password of this user, you need to stop the SAP system.

End of the note.
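The note above lists the four steps of a service-user password change but gives no commands. The PowerShell script below is an added example (not from the SAP documentation) that carries the procedure out for one SAP instance service. It assumes a fictitious SAPSID "XYZ", instance number 00 (so the service is named SAPXYZ_00), a domain account SAPDOM\SAPServiceXYZ, and that the ActiveDirectory module is available for Set-ADAccountPassword; in a real landscape every service that runs as SAPService<SAPSID> (further instances, database services) has to be stopped and updated the same way.

```powershell
# Added example, not SAP's own code. Rotates the SAPService<SAPSID> password:
# stop the service, reset the account password, update the service's logon
# credentials, restart the service. Run in an elevated PowerShell on the host.

$Sapsid      = 'XYZ'                       # assumed SAPSID
$ServiceName = "SAP${Sapsid}_00"           # assumed instance service name
$SamAccount  = "SAPService$Sapsid"         # assumed account name
$ServiceUser = "SAPDOM\$SamAccount"        # assumed domain\user

# 1. Stop the SAP instance service. The SAP system is down from here on.
Stop-Service -Name $ServiceName -Force
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# 2. Reset the account password. It is prompted for and never stored in the script.
$newPassword = Read-Host -Prompt "New password for $ServiceUser" -AsSecureString
Set-ADAccountPassword -Identity $SamAccount -NewPassword $newPassword -Reset

# 3. Update the service's start-up credentials via Win32_Service.Change, which
#    needs the plain-text password; the unmanaged copy is zeroed immediately.
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($newPassword)
try {
    $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $svc   = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
        StartName     = $ServiceUser
        StartPassword = $plain
    }
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}
if ($result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($result.ReturnValue)"
}

# 4. Restart the service; a logon failure here means the stored credentials
#    and the account password no longer match.
Start-Service -Name $ServiceName
Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
```

Step 3 is the one that is usually forgotten: after a plain password reset the service still holds the old password in its start-up properties and fails with a logon error on the next start, which is why the note says the system has to be stopped for the change.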

In addition, prevent this special service user from logging on to the system interactively. This prevents misuse by users who try to access the system from the presentation servers. You then do not have to set an expiration date for the password, and you can disable the setting "change passwd at logon".

Do not include the SAPService<SAPSID> user in the local Administrator group of the Windows operating system.
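The recommendations on this page for the service user (Log on as a service granted, interactive logon prevented, no membership in the local Administrators group) and the earlier one that the guest account stays disabled can be verified on the host. The PowerShell script below is an added example (not SAP's own code) that audits those four points. It assumes a fictitious account SAPDOM\SAPServiceXYZ, reads the user-rights assignment by exporting the local security policy with secedit.exe, and uses the LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember), which need Windows Server 2016 / Windows 10 or later; run it in an elevated PowerShell.

```powershell
# Added example, not SAP's own code. Audits the local host against the
# SAPService<SAPSID> and guest-account settings recommended on this page.

$ServiceUser = 'SAPDOM\SAPServiceXYZ'   # assumed domain\user; adjust to your SAPSID

function Get-AccountSid([string]$Account) {
    # secedit lists principals as *S-1-5-..., so resolve the account to its SID.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightHolders([string]$Right) {
    # Export the USER_RIGHTS area of the local policy and return the principals
    # listed for $Right, e.g. "SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...".
    $tmp = Join-Path $env:TEMP 'secpol-user-rights.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $tmp | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-HasUserRight([string]$Account, [string]$Right) {
    $holders = Get-UserRightHolders $Right
    # Entries may be SIDs or names, so accept either form.
    return ($holders -contains (Get-AccountSid $Account)) -or ($holders -contains $Account)
}

function Test-LocalAdminMember([string]$Account) {
    return [bool](Get-LocalGroupMember -Group 'Administrators' |
                  Where-Object { $_.Name -eq $Account })
}

$checks = [ordered]@{
    'Guest account is disabled'                        = -not (Get-LocalUser -Name 'Guest').Enabled
    "$ServiceUser holds SeServiceLogonRight"           = Test-HasUserRight $ServiceUser 'SeServiceLogonRight'
    "$ServiceUser holds SeDenyInteractiveLogonRight"   = Test-HasUserRight $ServiceUser 'SeDenyInteractiveLogonRight'
    "$ServiceUser is not in local Administrators"      = -not (Test-LocalAdminMember $ServiceUser)
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $status, $check.Key)
}
```

A FAIL on the deny-interactive-logon line is the usual finding on older installations: the service right is granted by the installer, but the deny right has to be set by the administrator, for example through the Local Security Policy or a domain GPO, before the password-expiration and change-at-logon settings mentioned above can safely be relaxed.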