Scenario: The DDIC account is locked in an SAP system.
You don’t know the password for DDIC, and to get access as SAP* you would need to bounce the system, which is not acceptable during this period of business usage.
You’ve got the password for an existing account with profile SAP_ALL, but the account is a non-dialog user (system user or communication user).
You’ve got access to a development system where you can create SM59 RFC connections.
You would like to gain access to unlock and reset the DDIC account, without bouncing the system.
What the process below does is change the non-dialog user account into a dialog user account. We can then use that dialog account to log on to the SAP system and unlock and reset the DDIC user account.
1, Log into the development SAP system as a user account that has SM59 access.
Create a new RFC connection to the destination SAP system (where DDIC is locked), and set the authentication to use the non-dialog user account that has SAP_ALL.
2, In transaction SE37, from the menu select “Function Module -> Test -> Test Sequences”.
3, Set two function modules to execute, BAPI_USER_CHANGE followed by BAPI_TRANSACTION_COMMIT.
4, Execute function module BAPI_USER_CHANGE for the non-dialog user account, with the “LOGONDATA” field “U” changed to value “A” (dialog user).
Set LOGONDATAX to “X”.
Set the destination to be the RFC destination you created.
5, Then execute function module BAPI_TRANSACTION_COMMIT.
Set the destination to be the RFC destination you created.
6, You can now log on to the target SAP system as the non-dialog user account (which is now a normal dialog user account).
7, You can now unlock the DDIC user and change the password.
Once completed, reset the non-dialog account back to be a non-dialog account.
As you can see, this is very easy to do.
To mitigate against this security threat:
– Avoid giving SAP_ALL to any SAP user account, even if it is non-dialog.
– Configure the RFC Access Control Lists (ACLs) so that RFC users are permitted to call specific function modules only.
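The two checks below are an added example, not part of the original post, written from the defender's side of the procedure above. They run over constructed sample rows standing in for extracts of two SAP user master tables: USR02 (user name BNAME and user type USTYP, where A is dialog, B system, C communication, S service and L reference) and UST04 (profile assignments such as SAP_ALL). The first check lists non-dialog accounts that hold SAP_ALL, which is the precondition the post relies on and the first mitigation targets; the second diffs two snapshots of USR02 and reports accounts whose type flipped from non-dialog to dialog, which is exactly the change BAPI_USER_CHANGE makes in step 4. Table and field names are real SAP names; the rows, the function names and the Z_FINANCE profile are constructed for the example.

```python
"""Defensive checks for non-dialog accounts with SAP_ALL and for user-type
escalation (non-dialog -> dialog). Added example; all sample rows below are
constructed and do not come from any real system."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

DIALOG = "A"
# System (B), communication (C) and service (S) users are non-dialog account
# types; reference (L) users cannot log on at all, so they are not included.
NON_DIALOG = {"B", "C", "S"}


@dataclass(frozen=True)
class UserRecord:
    """One USR02 row reduced to the two fields the checks need."""
    bname: str   # user name
    ustyp: str   # user type: A, B, C, S or L


def non_dialog_users_with_profile(users: Iterable[UserRecord],
                                  profiles: Iterable[Tuple[str, str]],
                                  profile: str = "SAP_ALL") -> List[str]:
    """Return non-dialog users that hold the given profile (UST04 rows are
    (BNAME, PROFILE) pairs). Any hit is an account the procedure above could use."""
    holders = {bname for bname, prof in profiles if prof == profile}
    return sorted(u.bname for u in users
                  if u.ustyp in NON_DIALOG and u.bname in holders)


def user_type_escalations(before: Iterable[UserRecord],
                          after: Iterable[UserRecord]) -> List[Tuple[str, str, str]]:
    """Compare two USR02 snapshots and return (user, old_type, new_type) for
    every account that went from a non-dialog type to dialog. A flip like this
    outside a change window is the signal to investigate."""
    old = {u.bname: u.ustyp for u in before}
    hits = []
    for u in after:
        old_type = old.get(u.bname)
        if old_type in NON_DIALOG and u.ustyp == DIALOG:
            hits.append((u.bname, old_type, u.ustyp))
    return sorted(hits)


# Constructed sample data: a snapshot before and after the procedure above.
USERS_BEFORE = [
    UserRecord("DDIC", "A"),
    UserRecord("SAP*", "A"),
    UserRecord("RFC_BATCH", "B"),   # system user holding SAP_ALL (the weak spot)
    UserRecord("ALEREMOTE", "C"),
    UserRecord("JSMITH", "A"),
]
USERS_AFTER = [
    UserRecord("DDIC", "A"),
    UserRecord("SAP*", "A"),
    UserRecord("RFC_BATCH", "A"),   # converted to a dialog user via BAPI_USER_CHANGE
    UserRecord("ALEREMOTE", "C"),
    UserRecord("JSMITH", "A"),
]
PROFILES = [
    ("DDIC", "SAP_ALL"),
    ("RFC_BATCH", "SAP_ALL"),
    ("JSMITH", "Z_FINANCE"),        # constructed customer profile name
]


def run_checks() -> dict:
    """Run both checks on the sample snapshots and return the findings."""
    return {
        "non_dialog_sap_all_before": non_dialog_users_with_profile(USERS_BEFORE, PROFILES),
        "non_dialog_sap_all_after": non_dialog_users_with_profile(USERS_AFTER, PROFILES),
        "escalations": user_type_escalations(USERS_BEFORE, USERS_AFTER),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Note that after the conversion the first check goes quiet (RFC_BATCH is now a dialog user, so it no longer appears as a non-dialog SAP_ALL holder), which is why the snapshot diff matters: a periodic export of USR02 compared against the previous export catches the type flip even when the account is switched back afterwards, provided the exports bracket the change.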