Is it wise to lock SAP* and DDIC? Out internal auditors have recommended that we lock these users. It appears to me that this may be dangerous since these accounts are our "life preservers" in case the system is in trouble.
I can tell you from experience that you probably won't have the option for that much longer. Impending Sarbanes hell, new audit requirements, and the possibility of misuse of SAP_ALL type access will likely make the decision for you.
My opinion is that you should lock the access, create "fire-call" ids if you need to... But make sure you have a good process in place that documents when and how they are used. On locking SAP* & DDIC make sure there are no batch or RFC programs that are using the accounts for performing typical duties. You will probably find that DDIC is used by other accounts so you may want to change the id type from Dialog to System.