User Management

User management uses the mechanisms provided by SAP NetWeaver Application Server (SAP NetWeaver AS) ABAP, including tools, user types, and standard users.

User Management Tools

SAP NetWeaver AS for ABAP provides several transactions for user management, as shown in the following table.

| Tool | Description | Prerequisites |
|---|---|---|
| User Maintenance (transaction SU01) for SAP NetWeaver AS for ABAP | Use this transaction to maintain users locally in ABAP-based systems. For more information, see Administration of Users and Roles. | First Installation Procedure |
| Role Maintenance (transaction PFCG) | Use the profile generator to create roles and assign authorizations to users locally in ABAP-based systems. For more information, see Role Administration. | First Installation Procedure |
| Central User Administration (CUA) | Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported. For more information, see Operating Central User Administration. | Central User Administration |

For more information, see User and Role Administration of Application Server ABAP in the Administration Manual.

User Types

SAP NetWeaver AS for ABAP categorizes users into several types for different purposes as shown in the table below.

| Type | Description |
|---|---|
| Dialog | Individual, interactive system access |
| System | Background processing and communication within a system |
| Communication | Dialog-free communication for external RFC calls |
| Service | Dialog user available to a larger, anonymous group of users |
| Reference | General, non-person-related user that allows the assignment of additional identical authorizations. No logon is possible. |

Recommendation

We recommend assigning the appropriate user type when creating users. For example, if the user does not need dialog access to SAP NetWeaver AS for ABAP, then define it as a system user. If the user is an anonymous, public user that many different individuals can use, then define it as a service user and keep its authorizations to a minimum.

For more information, see Logon Data Tab.

Standard Users

SAP NetWeaver AS for ABAP creates the standard users SAP*, DDIC, EARLYWATCH, TMSADM, and SAPCPIC during the installation process in the clients as shown in the following table.

| User | Description | Client | Default Password |
|---|---|---|---|
| SAP* | SAP NetWeaver AS system super user | 000, 001, all new clients | Master password set during installation. Hard-coded password if SAP* does not exist in the client: PASS. |
| DDIC | ABAP dictionary and software logistics super user | 000, 001 | Master password set during installation. |
| EARLYWATCH | Dialog user for the Early Watch service in client 066 | 066 | Master password set during installation. |
| SAPCPIC | User for remote connections to legacy SAP systems (4.5) | 000, 001, all new clients | ADMIN |
| TMSADM | User for transport management system (TMS) | 000 | Master password set during installation. |

Protecting Special Users

We recommend that you regularly review the following criteria for protecting standard users:

  • Maintain an overview of the clients that you have and make sure that no unknown clients exist.

  • Make sure that SAP* exists and has been deactivated in all clients.

  • Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.

  • Make sure that these users belong to the group SUPER in all clients.

  • Lock the users SAP*, DDIC, and EARLYWATCH. Unlock them only when necessary. It should never be necessary to use SAP*!

  • Delete SAPCPIC if you do not need it. At least make sure that you have changed the default password for SAPCPIC.

    For more information, see Authorizations in Version Management.

  • Change the default password of TMSADM.

    For more information, see Changing the Password of User TMSADM.

For more information, see Protecting Special Users.
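The review criteria above can be run as a repeatable check over an exported user list. The following is an added example, not SAP code: the CSV column layout, the sample rows, and the client inventory are constructed for illustration, and the group and lock checks are applied to SAP*, DDIC, and EARLYWATCH as an interpretation of "these users".

```python
import csv
import io

# Constructed sample export (hypothetical column layout, not an SAP format).
# One row per standard user per client; pw_default records whether the
# user still has its default or installation password.
SAMPLE_EXPORT = """client,user,locked,user_group,pw_default
000,SAP*,yes,SUPER,no
000,DDIC,yes,SUPER,no
000,TMSADM,no,SUPER,yes
001,SAP*,no,SUPER,no
001,DDIC,yes,ADMINS,no
001,SAPCPIC,no,SUPER,yes
066,EARLYWATCH,yes,SUPER,no
100,DDIC,yes,SUPER,no
"""

KNOWN_CLIENTS = {"000", "001", "066"}          # assumed client inventory
PROTECTED = {"SAP*", "DDIC", "EARLYWATCH"}     # must be locked and in SUPER


def audit_standard_users(export_text, known_clients):
    """Return sorted (client, user, finding) tuples for checklist violations."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = set()
    clients = {r["client"] for r in rows} | set(known_clients)
    for client in clients:
        if client not in known_clients:
            findings.add((client, "-", "unknown client"))
        # A client without an SAP* user record falls back to the hard-coded
        # password, so a missing row is itself a finding.
        if not any(r["client"] == client and r["user"] == "SAP*" for r in rows):
            findings.add((client, "SAP*", "user does not exist"))
    for r in rows:
        key = (r["client"], r["user"])
        if r["pw_default"] == "yes":
            findings.add(key + ("default password not changed",))
        if r["user"] in PROTECTED and r["user_group"] != "SUPER":
            findings.add(key + ("not in group SUPER",))
        if r["user"] in PROTECTED and r["locked"] != "yes":
            findings.add(key + ("not locked",))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_standard_users(SAMPLE_EXPORT, KNOWN_CLIENTS):
        print(*finding, sep="  ")
```

Clients 066 and 100 are reported because they have no SAP* row, which is the case the hard-coded password in the table above applies to.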

Remote Support Users

When using the SAP support services, you may need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:

  • Define a special user for remote access. Do not use any of the standard users.

  • Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.

  • Do not disclose the password of this user over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is completed.

There are additional precautions to take when using the SAP Support Portal support services.

For more information, see the information on SAP Service Marketplace at https://service.sap.com/access-support.