Show TOC

Protecting Special UsersLocate this document in the navigation structure

SAP NetWeaver Application Server ABAP creates the standard users SAP*, DDIC, EARLYWATCH, TMSADM, and SAPCPIC during the installation process in the clients as shown in the following table.

User Descriptio Client Default Password
SAP* SAP NetWeaver AS system super user 000, 001, all new clients

Master password set during installation.

Hard-coded password if SAP* does not exist in the client: PASS.

DDIC ABAP dictionary and software logistics super user 000, 001 Master password set during installation.
EARLYWATCH Dialog user for the Early Watch service in client 066 066 Master password set during installation.
SAPCPIC User for remote connections to legacy SAP systems (4.5) 000, 001, all new clients ADMIN
TMSADM User for transport management system (TMS) 000 Master password set during installation.

We recommend that you regularly review the following criteria for protecting standard users:

  • Maintain an overview of the clients that you have and make sure that no unknown clients exist.

  • Make sure that SAP* exists and has been deactivated in all clients.

  • Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.

  • Make sure that these users belong to the group SUPER in all clients.

  • Lock the users SAP*, DDIC, and EARLYWATCH. Unlock them only when necessary.

  • By default, the user DDIC is set up to be used for the transport background job (RDDIMPDP). We recommend you set up a different user for this job so that you can lock DDIC.

    • The user needs SAP_ALL and S_A.SYSTEM authorizations because the job calls function modules for various applications that cannot be determined for all cases ahead of time.

    • Set up the user as a system user so that no one can use it as a dialog user.

    • Set up the user in all clients that are used for import.

    • Adjust the job RDDIMPDP so that the new user is the owner (in transaction SM37).

  • Delete SAPCPIC if you do not need it. At least make sure that you have changed the default password for SAPCPIC.

    For more information, see Authorizations in Version Management.

  • Change the default password of TMSADM.

    for more information, see Changing the Password of User TMSADM.

To find out which clients you have in your system, use report RSAUDIT_SYSTEM_STATUS using transaction SA38 or start Display View "Clients": Overview (transaction SCC4).

To make sure that the user SAP* has been created in all clients and that the standard passwords have been changed for SAP*, DDIC, SAPCPIC, TMSADM, and EARLYWATCH, use the report RSUSR003.