For reasons out of my ability to influence, our usernames and passwords are the same on every source ECC system (for dev/qual/prod).
As an example, for system FI, we have a user DSFIALE with password ABCDEFGH. This user/pass is the same on CFI, QFI, and PFI (dev/qual/prod). It is the same password as all other DS user IDs as well for other landscapes.
This does not strike me as a best practice at all but I cannot change this.
We have three Data Services instances (CDS, QDS, PDS - a system for dev/qual/prod - each is on its own server). I am trying to make it more difficult for users who now know that passwords in datastores are the same regardless of which system from simply modifying the connection details in a datastore and connecting to the other systems.
For example, our central repository for CDS contains our CFI connection. The QDS one contains the QFI connection. But because all passwords are the same, if I am working on CDS, I can just change the application server for a datastore configuration and since the password is the same the .
The problem is this trivially allows users to connect dev to qual to prod data. I want to someone stop this, but because passwords/user IDs are basically public to all our developers, I am not sure what I can do.
My question is:
- Is there any way I can make the DS user/role on a target ECC system, say CFI, only accept incoming data service requests from the CDS server (or job servers)?