SAP_ALL Archives » Musings of an IT Implementor

SAP Change Non-Dialog User to Dialog User Using Function Module

Scenario: The DDIC account is locked in a SAP system.
You don’t know the password to DDIC, and to get access as SAP* you would need to bounce the system, which is not acceptable during this period of business usage.
You’ve got the password to an existing account with profile SAP_ALL, but the account is a non-dialog user (system user or communication user).
You’ve got access to a development system where you can create SM59 RFC connections,
You would like to gain access to unlock and reset the DDIC account, without bouncing the system.

What we are doing in the below process, is changing the non-dialog user account, to become a dialog user account. We can then use the dialog account to logon to the SAP system and then unlock and reset the DDIC user account.

1, Log into the development SAP system as a user account that has SM59 access.
Create a new RFC connection to the destination SAP system (where DDIC is locked) set the authentication to use the non-dialog user account that has SAP_ALL.

2, In transaction SE37, from the menu select “Function Module -> Test -> Test Sequences“.

3, Set two function modules to execute, BAPI_USER_CHANGE followed by BAPI_TRANSACTION_COMMIT.

4, Execute function module BAPI_USER_CHANGE for the non-dialog user account, with “LOGONDATA” field “U” changed to value “A” (dialog user).
Set LOGONDATAX to “X”.
Set the destination to be the RFC destination you created.

5, Then execute function module BAPI_TRANSACTION_COMMIT.
Set the destination to be the RFC destination you created.

6, You can now log onto the target SAP system as the non-dialog user account (which is now a normal dialog user account).

7, You can now unlock the DDIC user and change the password.
Once completed, reset the non-dialog account back to be a non-dialog account.

As you can see, this is very easy to do.

To mitigate against this security threat:
– You should also look to prevent giving SAP_ALL to any SAP user accounts, even if they are non-dialog.
– Finally, you can also configure the RFC Access Control Lists (ACLs) to permit calls to specific function modules only.

Controlling FUGR Access

If you have a super user role in your production system, it’s quite possible that use of the SUPRN_INS_OR_DEL_PROFILE or BAPI_USER_PROFILES_ASSIGN function modules could be used from SE37 to give SAP_ALL and then proceed to get around other restrictions.

Since SUIM relies upon S_DEVELOP and activity 16, you can’t just remove it unless you leave the admins to find their own way to the underlying transactions.

Instead, you could lock down the S_DEVELOP authorisation object by removing access to the specific function group (FUGR).

When editing the authorisations of a role, set one of the S_DEVELOP authorisation objects to exclude FUGR (and DEBUG):
Activity = 03 & 16 (Display & Execute)
Package = *

Object Type =
4 to DE

DEVC to FU

FUGS to Z

Z to $TM

Then add another S_DEVELOP authorisation object “MANUALLY”.

Set this to exclude the SUPR, SUPRN and SU_USER function groups:

Activity = 03 & 16 (Display & Execute)

Package = *

Object Name =
0 to SUNI

SURI to SURI-SU_UPGTOOLS
SU_USER_GRP_SURFACE to Z*

Z* to $*

Object Type = FUGR

SAP_ALL modified role

Have you got a SAP Development system where the developers insist they have SAP_ALL, but you know this is just wrong.

Well, here’s a neat solution that removes certain authorisations like user admin in SU01 and adjusting auditing (SM19), RFC admin (SM59) etc.

Using transaction PFCG, create a new single role.
Add a description and save the role.
On the Authorisations tab generate a new profile and then edit the authorisations “Change Authorization Data“.
Do not select any Templates.
From the “Authorizations” screen, select “Edit -> Insert Authorization(s) -> from profile…“.
On the popup, enter profile “SAP_ALL”.

Now adjust the profile as required.
I usually adjust the following authorisation objects:

S_ADMI_FCD – BTCH, FONT, SM21, SP01
S_OSS1_CTL – 16
S_USER_AGR – 03, 08
S_USER_AUT – 03, 08
S_USER_GRP – 03, 08
S_USER_OBJ – [NO AUTH]
S_USER_PRO – 03, 08
S_USER_SAS – [NO AUTH]
S_USER_SYS – 03
s_XMB_ACT – [DEPENDS ON USAGE OF XI/PI]
S_TRANSPRT – [CREATE TASKS, SEPARATE ROLE FOR CREATE TRANSPORTS]
S_IDOCPART – 03
S_IDOCPORT – 03
S_SCD0 – 08, 12

You can then save and assign the role to the developers.