
Protecting Standard Users

SAP*, DDIC, EARLYWATCH

SAP systems create the standard users SAP*, DDIC and EARLYWATCH during the installation process in the clients as shown in the table below.

Default Passwords for Standard Users

User         Description                                          Clients           Default Password
SAP*         SAP system super user                                000, 001, 066     06071992
                                                                  all new clients   PASS
DDIC         ABAP Dictionary and software logistics super user    000, 001          19920706
EARLYWATCH   Dialog user for the EarlyWatch service in client 066 066               support

To protect these users from unauthorized use:

·        Define a new superuser and deactivate SAP*.

·        Change all of the default passwords for these users.

·        Assign them to the user group SUPER so that they can only be modified by administrators who are authorized to change users in the group SUPER.

·        By default, the user DDIC is set up to be used for the transport background job (RDDIMPDP). We recommend that you set up a different user for this job so that you can lock DDIC. Note the following:

    -        The user needs the SAP_ALL and SAP_NEW authorizations because the job calls function modules for various applications that cannot all be determined ahead of time.

    -        Because the user holds these authorizations, set it up as a system user so that no one can use it as a dialog user.

    -        Set up the user in all clients that are used for import.

    -        Adjust the jobs RDDIMPDP and RDDIMPDP_CLIENT_<client> so that the new user is the owner (in transaction SM37).

·        Lock DDIC and EARLYWATCH and unlock them only when necessary.

Note

Do not delete DDIC or its profiles. DDIC is needed for certain tasks in installation and upgrade, software logistics, and for the ABAP Dictionary. Deleting it results in loss of functions in these areas.

Recommendation

To make sure everything runs smoothly, give DDIC the authorizations for SAP_ALL and SAP_NEW during an installation or upgrade and then lock it afterwards. Only unlock it when necessary.

Note

To find out which clients you have in your system, display the table T000 using transaction SM30.

Use the report RSUSR003 to make sure that the user SAP* has been created in all clients and that the standard passwords have been changed for SAP*, DDIC (and also the older user SAPCPIC). For more information, see SAP Note 40689.

Note

For information on protecting pre-defined RFC users, for example, WF_BATCH or TMSADM, see Security Measures – Overview (RFC).


Remote Support Users

When using the SAP support services, you often need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:

·        Define a special user for remote access. Do not use any of the standard users.

·        Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.

·        Do not disclose this user's password over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is completed.

There are additional precautions to take when using the SAP Support Portal support services. For more information, see the information on the SAP Service Marketplace at http://service.sap.com/access-support.

Summary

To summarize, we recommend that you regularly review the following criteria for protecting the standard users:

·        Maintain an overview of the clients that you have and make sure that no unknown clients exist.

·        Make sure that SAP* exists and has been deactivated in all clients.

·        Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.

·        Make sure that these users belong to the group SUPER in all clients.

·        Lock the users SAP*, DDIC, EARLYWATCH and your remote support user. Unlock them only when necessary. (Note that it should never be necessary to use SAP*!)
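The checks in this summary, together with the requirements for the replacement RDDIMPDP job user from the section above, can be scripted against an export of the relevant tables. The following Python script is an added example written for this page; it is not SAP code and not a replacement for report RSUSR003. It assumes a constructed, simplified export of T000 (client list), USR02 (fields MANDT, BNAME, USTYP, CLASS, UFLAG; USTYP A = dialog, B = system; UFLAG bit 64 = locked by administrator) and the job owners from SM37; the export format itself is an assumption, only the table and field names are SAP's. The user name TMSIMPORT is a hypothetical replacement job user. Default passwords are not checked here, because that requires the password hashes and the RSUSR003 logic; run RSUSR003 for that criterion.

```python
"""Audit SAP standard users against the criteria on this page.

Added example, not SAP code. Input is a constructed export of T000, USR02 and
the SM37 job list; field names follow the real tables, the export format is
assumed. Default passwords are NOT checked here (use report RSUSR003).
"""

STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH")
LOCKED_BY_ADMIN = 64      # USR02.UFLAG bit set when an administrator locks the user
SYSTEM_USER = "B"         # USR02.USTYP value for a system (non-dialog) user

# Constructed sample data (not from a real system).
T000_CLIENTS = ["000", "001", "066", "100"]

# (MANDT, BNAME, USTYP, CLASS, UFLAG); CLASS is the user group.
USR02_ROWS = [
    ("000", "SAP*",       "A", "SUPER", 64),
    ("001", "SAP*",       "A", "SUPER", 64),
    ("066", "SAP*",       "A", "SUPER", 64),
    ("100", "SAP*",       "A", "",      0),    # unlocked and not in SUPER
    ("000", "DDIC",       "A", "SUPER", 64),
    ("001", "DDIC",       "A", "SUPER", 0),    # DDIC left unlocked
    ("066", "EARLYWATCH", "A", "SUPER", 64),
    ("000", "TMSIMPORT",  "B", "SUPER", 0),    # hypothetical RDDIMPDP owner
    ("100", "TMSIMPORT",  "A", "SUPER", 0),    # wrongly created as dialog user
    ("999", "DDIC",       "A", "SUPER", 64),   # client 999 is not in T000
]

# (client, job name, owner) as shown in SM37.
SM37_JOBS = [
    ("000", "RDDIMPDP",            "TMSIMPORT"),
    ("001", "RDDIMPDP_CLIENT_001", "DDIC"),       # still owned by DDIC
    ("100", "RDDIMPDP_CLIENT_100", "TMSIMPORT"),  # owner is a dialog user here
]


def audit_standard_users(clients, usr02_rows, jobs):
    """Return a sorted list of findings; an empty list means all checks passed."""
    users = {(m, b): (t, c, f) for m, b, t, c, f in usr02_rows}
    known = set(clients)
    findings = []

    # Unknown clients: a standard user exists in a client that T000 does not list.
    for mandt, bname in users:
        if mandt not in known:
            findings.append(f"client {mandt}: not in T000 but has user {bname}")

    # SAP* must exist in every client (an absent SAP* can be logged on with PASS).
    for mandt in clients:
        if (mandt, "SAP*") not in users:
            findings.append(f"client {mandt}: SAP* does not exist (it must exist and be locked)")

    # Standard users must be locked and belong to group SUPER wherever they exist.
    for (mandt, bname), (_ustyp, group, uflag) in users.items():
        if bname not in STANDARD_USERS:
            continue
        if not uflag & LOCKED_BY_ADMIN:
            findings.append(f"client {mandt}: {bname} is not locked")
        if group != "SUPER":
            findings.append(f"client {mandt}: {bname} is not in group SUPER")

    # Transport jobs: not owned by DDIC; owner exists in that client as a system user.
    for mandt, job, owner in jobs:
        if owner == "DDIC":
            findings.append(f"client {mandt}: job {job} is still owned by DDIC")
            continue
        entry = users.get((mandt, owner))
        if entry is None:
            findings.append(f"client {mandt}: job {job} owner {owner} does not exist in this client")
        elif entry[0] != SYSTEM_USER:
            findings.append(f"client {mandt}: job {job} owner {owner} is not a system user (USTYP B)")

    return sorted(findings)


if __name__ == "__main__":
    for line in audit_standard_users(T000_CLIENTS, USR02_ROWS, SM37_JOBS):
        print(line)
```

On the constructed data the script reports six findings: SAP* unlocked and outside SUPER in client 100, DDIC unlocked in client 001, DDIC present in the unknown client 999, RDDIMPDP_CLIENT_001 still owned by DDIC, and the job owner in client 100 created as a dialog instead of a system user. Whether the SAP_ALL and SAP_NEW profiles are actually assigned to the job user, and whether default passwords are still in use, has to be verified in the system (SU01 and RSUSR003), since neither is visible in this export.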
