SAP* id deletion

Question: Can a user who has access to delete user master records also delete the SAP* ID with the same authorization?

Regards,
Shammi

Answer:
yes
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified

Answer:
Please don't lock this topic, it has potential!

Answer:
Which means that if SAP* ID is not locked, then the person having access to delete user ID can pose a security threat?...

Answer:
If the system parameter setting for login/no_automatic_user_sapstar option is set to '0', and the SAP* user record is deleted, then a user can log on the SAP system with SAP* ID with the password 'PASS' with full access rights to the system. Access through the SAP* ID is then not subject to authorisation checks and accordingly allows the user unrestricted access.

Answer:
The best practice is to secure the SAP* userid by changing the parameter login/no_automatic_user_sapstar. Then create a userid by the name of SAP*, don't assign any roles to it, put it in a secure usergroup, set it as background type and lastly lock it.

By doing this, nobody can use it anymore.

Answer:
You can limit which user groups the admin can modify.

Put the SAP* into the SUPER group and exclude the SUPER group from auth. object S_USER_GRP.
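
Added example (not part of any post in this thread): a Python check that applies the advice above to an instance profile and a per-client user list, flagging clients where the SAP* record is missing, unlocked, holds roles or sits outside the SUPER group. The CSV layout, the sample values and the function names are assumptions made for the illustration.

```python
import csv
import io

PARAM = "login/no_automatic_user_sapstar"

def read_profile(text):
    """Parse 'name = value' profile lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.split("#", 1)[0].partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def audit_sapstar(profile_text, users_csv, clients):
    """Return (client, finding) tuples for SAP* in each listed client."""
    value = read_profile(profile_text).get(PARAM)
    rows = {r["client"]: r for r in csv.DictReader(io.StringIO(users_csv))
            if r["user"] == "SAP*"}
    findings = []
    if value is None:
        findings.append(("*", PARAM + " not set in this profile"))
    for client in clients:
        rec = rows.get(client)
        if rec is None:
            # Deleted record: with the parameter at 0 the built-in SAP* logon applies.
            risk = "automatic SAP* logon possible" if value == "0" else "recreate and lock it"
            findings.append((client, "SAP* record missing: " + risk))
            continue
        if rec["locked"] != "yes":
            findings.append((client, "SAP* is not locked"))
        if rec["roles"].strip():
            findings.append((client, "SAP* has roles assigned"))
        if rec["group"] != "SUPER":
            findings.append((client, "SAP* is not in user group SUPER"))
    return findings

# Constructed sample input; the CSV layout is a hypothetical export, not an SAP format.
SAMPLE_PROFILE = "# constructed profile excerpt\nlogin/no_automatic_user_sapstar = 0\n"
SAMPLE_USERS = """client,user,locked,group,roles
000,SAP*,yes,SUPER,
100,SAP*,no,,Z_BASIS_ADMIN
100,DDIC,no,SUPER,
"""

if __name__ == "__main__":
    for client, finding in audit_sapstar(SAMPLE_PROFILE, SAMPLE_USERS, ["000", "100", "200"]):
        print(client, finding)
```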
