Securing User SAP* Against Misuse

Use

To make sure that nobody can misuse the standard user SAP*, define a new super user and deactivate SAP* in all clients that exist in table T000.

Caution

Do not delete the user SAP*! SAP* is hard-coded in AS ABAP systems and does not require a user master record! If a user master record for SAP* does not exist in a client, then anybody can log on to the AS ABAP as the user SAP* using the well-known password PASS. In this case, SAP* is not susceptible to authority checks and has all authorizations. Therefore, do not delete SAP* from any client.

The automatic creation of SAP* is mitigated by the profile parameter login/no_automatic_user_sapstar. The parameter is activated by default. As long as this profile parameter is set, deleting SAP* user master record does not automatically activate the hard-coded SAP* user. Resetting the parameter to the value 0 would once again allow you to log on with SAP* and the password PASS and provide unrestricted system authorizations.

For more information, see SAP Note 68048 Information published on SAP site .

Prerequisites

You know all clients in your system (table T000). To find out which clients you have in your system, use report RSAUDIT_SYSTEM_STATUS using transaction SA38 or start Display View "Clients": Overview (transaction SCC4).

Procedure

Create a user master record of type service for the new super user.
Assign to this super user an emergency role with user management authorizations.

For example, assign the user authorizations to access Maintain Users (transaction SU01) and Role Maintenance (transaction PFCG). Your emergency user can unlock users or create new users and assign authorizations. We provide an example emergency role.

For more information, see SAP Note 76829
Change the initial password of the user.

Recommendation

Make sure that only a limited number of persons have access to the password of this user. Generate a 40-character password, write it down, lock it in a safe, and use it only in emergencies! If you do have to use this super user, then enter your own user as the reference user on the Roles tab and change its password again after use. Entering a reference user helps establish an audit trail for the emergency user.

Note

To avoid problems with the authorization buffer, a different administrator user must execute function module SUSR_ USER_ BUFFER_ AFTER_ CHANGE in transaction SE37 after every use of the emergency user. For your emergency user enter 3 in the Profile field.
If no user master record for SAP* exists in a client, then create a user master record for SAP*.
Assign the SUPER user group to SAP* (in all clients) to make sure that only authorized administrators can change its user master record.
Deactivate all authorizations for SAP* in all clients except for those required by SAP License Administration (transaction SLICENSE). Delete all of the profiles in the profile list and then create and assign a role with just SAP License Administration.