Resolution:
Turn on Security Audit Logging using SM19, and review the audit logs using SM20. Use a filter to log everything available for a particular user id. Analyze the logs in SM20 for that user ID.
Pay attention to the terminal being used. If you see more than one terminal, it could be someone else trying to use the id. Also depending on what the application is for, it might be necessary to change the user ID to type System to resolve locks or expired passwords for a non-dialog user in some cases.
Specifically when a non SAP application is able to change the pw of a non dialog id. There is documentation on setting up SAP Security audit logs. It is not difficult. You can even have a CCMS log agent email you in real time if log entries are showing up in the audit logs for that ID and catch the person in the act or identify the underlying cause.
You should also consider reviewing RFC logs. Turn up the
verbosity of the trace and you can see alot of details when the id is being
used in RFC scenarios.
SAP Security Audit Logs
SAP R/3 supports an internal auditing system, called the Security Audit Log. Each SAP application server maintains a daily audit file. You can specify the name and location of the Security Audit Log using the rsau/local/file profile parameter.
To activate the internal audit system, set the audit log parameters as described in the following table :
Audit Log parameter settings Audit Log Parameter Set value to...
rsau/enable 1
rsau/local/file path to audit log file
rsau/max_diskspace/local maximum space to allocate for
the audit files
rsau/selection_slots 3
rec/client ALL
Note:
The rsau/local/file parameter contains the entire path
name to the audit logs, as well as the file name. The file name must include
+ symbols to contain a variable datepart. Do not include a file extension
in the file name. See the following examples for clarification.
This example shows a valid path and filename:
/usr/sap/machine1/log/audit_++++++++
This example shows an invalid path and filename; the filename
does not include a datepart:
/usr/sap/machine1/log/audit
This example shows an invalid path and filename; the filename
includes a file extension:
/usr/sap/machine1/log/audit_++++++++.aud
After you set the audit log profile parameters, start transaction SM19 to specify which events to log in the Audit Security Log.
