The SAP System has a default superuser, SAP*, in the clients 000 and 001. A user master record is defined for SAP* when the system is installed. However, SAP* is programmed in the system and does not require a user master record.

If you delete the SAP* user master record and log on again as SAP* with initial password PASS, then SAP* has the following attributes:

• The user is not subject to authorization checks and therefore has all authorizations.

• The user has the password "PASS", which cannot be changed.

If a user master record exists for SAP*, it behaves like a normal user. It is subject to authorization checks and its password can be changed.

As SAP* is a known superuser, SAP recommends that you deactivate it and replace it with your own superuser. In the SAP* user master record, you should proceed as follows:

• Create a user master record for SAP* in all new clients and in client 066.
• Assign a new password to SAP* in clients 000 and 001.
• Delete all profiles from the SAP* profile list so that it has no authorizations.
• Ensure that SAP* is assigned to the user group SUPER to prevent accidental deletion or modification of the user master record.

The SUPER user group has a special status in the predefined user profiles. (They are described later in this topic.)

The users that are assigned to group SUPER can be maintained or deleted only by the new superuser that you define, provided that:

• you use the predefined profiles, and
• you follow SAP's other user and authorization maintenance recommendations.

To define a superuser to replace SAP*, you need only give a user the SAP_ALL profile. SAP_ALL contains all R/3 authorizations, including new authorizations released in the SAP_NEW profile.

SAP_NEW assures upward compatibility of authorizations. The profile ensures that users are not inconvenienced when a release or update includes new authorization checks for functions that were previously unprotected.