Securing User SAP* Against Misuse 
To make sure that nobody can misuse the standard user SAP*, you should define a new super user and deactivate SAP* in all clients that exist in table T000.
Caution
Do not delete the user SAP*! SAP* is hard-coded in AS ABAP systems and does not require a user master record! If a user master record for SAP* does not exist in a client, then anybody can log on to the AS ABAP as the user SAP* using the well-known password PASS. In this case, SAP* is not subject to authorization checks and has all authorizations. Therefore, do not delete SAP* from any client.
This is mitigated by the profile parameter login/no_automatic_user_sapstar, which is activated by default. As long as this profile parameter is set, deleting the SAP* user master record does not automatically activate the hard-coded SAP* user. Resetting the parameter to the value 0 would once again allow you to log on with SAP*, the password PASS and unrestricted system authorizations.
For more information, see SAP Note 68048.
1. Create a user master record for the new super user.
2. Assign the profile SAP_ALL to this super user.
   SAP_ALL contains all authorizations, including new authorizations released in the SAP_NEW profile. SAP_NEW assures upward compatibility of authorizations. The profile ensures that users are not inconvenienced when a release or update includes new authorization checks for functions that were previously unprotected.
3. Change the initial password of the user.
   Recommendation
   Make sure only a limited number of persons have access to the password of this user. Write it down, lock it in a safe, and use it only in emergencies! If you do have to use this super user, then make sure you change its password again after use.
4. If no user master record for SAP* exists in the client, then create a user master record for SAP*.
5. Assign the SUPER user group to SAP* (in all clients) to make sure that only authorized administrators can change its user master record.
6. Deactivate all authorizations for SAP* (in all clients) by deleting all of the profiles in the profile list.
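
The following is an added example, not SAP code: a small Python audit that checks the state of SAP* in every client listed in T000 against the procedure above. The function name audit_sapstar and the input shapes (exported client list, user groups and profile lists) are assumptions, and the sample data is constructed.

```python
# Added example: audit SAP* per client against the procedure above.
# Input shapes are assumptions: rows exported from T000 (clients), the user
# master data (user name, user group) and each user's profile list.

def audit_sapstar(clients, users, profiles, no_automatic_user_sapstar):
    """Return {client: [findings]} for every client listed in T000.

    clients  -- iterable of client numbers, e.g. ["000", "001"]
    users    -- dict {(client, user): user_group}
    profiles -- dict {(client, user): [profile, ...]}
    no_automatic_user_sapstar -- value of login/no_automatic_user_sapstar
    """
    report = {}
    for client in clients:
        findings = []
        key = (client, "SAP*")
        if key not in users:
            # Without a master record only the profile parameter stands
            # between the client and a logon as SAP* with password PASS.
            if str(no_automatic_user_sapstar) == "0":
                findings.append("CRITICAL: no SAP* master record and parameter is 0; "
                                "hard-coded SAP* with password PASS is usable")
            else:
                findings.append("no SAP* master record; create one")
        else:
            if users[key] != "SUPER":
                findings.append("SAP* is not in user group SUPER")
            assigned = profiles.get(key, [])
            if assigned:
                findings.append("SAP* still has profiles: " + ", ".join(sorted(assigned)))
        report[client] = findings
    return report

# Constructed sample data, not taken from a real system.
SAMPLE_CLIENTS = ["000", "001", "100"]
SAMPLE_USERS = {("000", "SAP*"): "SUPER", ("001", "SAP*"): "", ("100", "ADMIN1"): "SUPER"}
SAMPLE_PROFILES = {("001", "SAP*"): ["SAP_ALL"], ("100", "ADMIN1"): ["SAP_ALL"]}

if __name__ == "__main__":
    result = audit_sapstar(SAMPLE_CLIENTS, SAMPLE_USERS, SAMPLE_PROFILES, 1)
    for client, findings in result.items():
        print(client, "OK" if not findings else "; ".join(findings))
```

An empty findings list for a client means SAP* has a master record there, belongs to the SUPER user group and has no profiles assigned.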