Establishing a Secure Default Login

When a user with a valid credential from LAN Manager logs in to SAP ASE, the server checks whether the name is listed as a user in master..syslogins. If it is, SAP ASE accepts that user name.

  1. To set up a secure login, use the following syntax:
    sp_configure "secure default login", 0, login_name

    where login_name is a user name. The default value for the secure default login parameter is “guest”.

  2. Use sp_addlogin to add the login as a valid user in SAP ASE:
    sp_addlogin gen_auth, pwgenau

    This procedure sets the initial password to “pwgenau”.

  3. Use sp_configure to designate the login as the security default:
    sp_configure "secure default login", 0, gen_auth

    SAP ASE then uses this login for a user who, although validated by LAN Manager, is unknown to SAP ASE.

    Note: gen_auth does not have a unique identity in SAP ASE. That is, more than one user can assume the suid (system user ID) associated with the secure default login. You might want to activate auditing for all activities of the default login. Instead of using the secure default login, consider using sp_addlogin to add all users to the server.

For example, a user logs in to LAN Manager as “ralph”, and “ralph” is listed in master..syslogins. SAP ASE uses all roles and authorizations as defined for “ralph” on that server.

As an alternative example, a user with a valid credential logs in to SAP ASE, but is unknown to the server. SAP ASE accepts the login only when a secure default login has been defined with sp_configure. SAP ASE uses the default login for any user who is not defined in master.syslogins, but who is validated by LAN Manager.