
Thursday, November 24, 2016

SAP Change Non-Dialog User to Dialog User Using Function Module

Scenario: The DDIC account is locked in a SAP system.
You don't know the password to DDIC, and to get access as SAP* you would need to bounce the system, which is not acceptable during this period of business usage.
You've got the password to an existing account with profile SAP_ALL, but the account is a non-dialog user (system user or communication user).
You've got access to a development system where you can create SM59 RFC connections.
You would like to gain access to unlock and reset the DDIC account, without bouncing the system.

What we are doing in the process below is changing the non-dialog user account to become a dialog user account. We can then use the dialog account to log on to the SAP system and unlock and reset the DDIC user account.

1, Log into the development SAP system as a user account that has SM59 access.
Create a new RFC connection to the destination SAP system (where DDIC is locked) and set the authentication to use the non-dialog user account that has SAP_ALL.

2, In transaction SE37, from the menu select "Function Module -> Test -> Test Sequences".

3, Set two function modules to execute, BAPI_USER_CHANGE followed by BAPI_TRANSACTION_COMMIT.

4, Execute function module BAPI_USER_CHANGE for the non-dialog user account, with the "LOGONDATA" field "U" changed to value "A" (dialog user).
Set the destination to be the RFC destination you created.

5, Then execute function module BAPI_TRANSACTION_COMMIT.
Set the destination to be the RFC destination you created.

6, You can now log onto the target SAP system as the non-dialog user account (which is now a normal dialog user account).

7, You can now unlock the DDIC user and change the password.
Once completed, reset the non-dialog account back to be a non-dialog account.

As you can see, this is very easy to do.

To mitigate this security threat:
- You should also look to prevent giving SAP_ALL to any SAP user accounts, even if they are non-dialog.
- Finally, you can also configure the RFC Access Control Lists (ACLs) to permit calls to specific function modules only.
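An added audit check for the mitigations above (example code, not from the original post): it flags non-dialog users holding SAP_ALL, and flags user-type changes from non-dialog to dialog, which is the change this post performs. In the scenario above the change would be made under the RFC logon identity, so the modifier would be the non-dialog user itself; the USR02/UST04-style rows and the change-log layout are constructed sample data, not a real export format.

```python
from collections import defaultdict

# SAP user types: A=Dialog, B=System, C=Communication, L=Reference, S=Service
NON_DIALOG = {"B", "C", "S", "L"}
DIALOG = "A"
BROAD_PROFILES = {"SAP_ALL", "SAP_NEW"}  # profiles no technical account should hold

# Constructed USR02-style rows: (user, user type)
USR02 = [
    ("DDIC", "A"),
    ("RFC_MONITOR", "B"),
    ("BATCH_SVC", "B"),
    ("PI_COMM", "C"),
    ("JSMITH", "A"),
]
# Constructed UST04-style rows: (user, assigned profile)
UST04 = [
    ("DDIC", "SAP_ALL"),
    ("RFC_MONITOR", "SAP_ALL"),
    ("BATCH_SVC", "S_A.SYSTEM"),
    ("PI_COMM", "SAP_ALL"),
    ("JSMITH", "S_A.ADMIN"),
]
# Constructed user-type change log: (user, old type, new type, changed by)
USTYP_CHANGES = [
    ("RFC_MONITOR", "B", "A", "RFC_MONITOR"),  # account changed its own type
    ("JSMITH", "A", "A", "ADMIN1"),
]

def non_dialog_with_broad_profile(usr02, ust04):
    """Sorted (user, type, profile) for non-dialog users holding SAP_ALL/SAP_NEW."""
    types = dict(usr02)
    profiles = defaultdict(set)
    for user, prof in ust04:
        profiles[user].add(prof)
    return sorted(
        (u, types[u], p)
        for u, ps in profiles.items()
        for p in ps & BROAD_PROFILES
        if types.get(u) in NON_DIALOG
    )

def suspicious_type_changes(changes):
    """Non-dialog -> dialog changes; last field marks a self-change (strongest signal)."""
    return [(u, old, new, by, by == u) for u, old, new, by in changes
            if old in NON_DIALOG and new == DIALOG]

if __name__ == "__main__":
    print(non_dialog_with_broad_profile(USR02, UST04))
    print(suspicious_type_changes(USTYP_CHANGES))
```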


Vijay Chandra said...

Very nice. Is this considered an exploit or a normal way SAP operates?

Darryl Griffiths said...

Hi Vijay,

I wouldn't say this was an exploit, since the software is doing what is considered to be the function that it was written for.
In this instance, the security of the system is only as good as the controls that have been imposed around the user accounts.
Segregation of duties would be the ideal solution to this specific problem, instead of leaving user accounts with SAP_ALL. They should really only have the required RFC authorisations (a level of least privilege).