How To Protect Special Users In SAP
Default Passwords for Special Users
| User | Description | Client | Default Password |
|---|---|---|---|
| SAP* | SAP NetWeaver AS system super user | 000, 001, all new clients | Hard-coded password is PASS. |
| DDIC | ABAP dictionary and software logistics super user | 000, 001 | Master password set during installation. |
| EARLYWATCH | Dialog user for the Early Watch service in client 066 | 066 | Master password set during installation. |
| SAPCPIC | User for remote connections to legacy SAP systems (4.5) | 000, 001, all new clients | ADMIN |
| TMSADM | User for transport management system (TMS) | 000 | Master password set during installation. |
Since the above users have standard names and default passwords, you must secure them against unauthorized use by outsiders who know of their existence.
How to protect SAP*
It is not possible to delete the SAP* user. The suggested measure is to create a new super-user account with a complex password and to deactivate the SAP* default account.
This can be done by activating the profile parameter login/no_automatic_user_sap* or login/no_automatic_user_sapstar.
Even though the SAP* account is deactivated, the default password for this account must still be changed.
How to protect DDIC
The DDIC account cannot be deleted or deactivated either; therefore, the best protection is to change its default password.
How to protect EARLYWATCH
The EARLYWATCH account is used specifically for the Early Watch service, and its password must be changed, and the account locked out. It should be unlocked when required, and re-locked after use.
How to protect SAPCPIC
The SAPCPIC user can either be disabled or have its default password changed. Either method disables certain functionality, so this is an organization-specific decision: the functionality required determines which method is best.
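The checks above can be turned into a repeatable audit. The following Python script is an added example, not code from the original post: it takes a constructed snapshot of the special users (name, client, lock state, whether the installation default password is still set) plus the value of login/no_automatic_user_sapstar, and reports every deviation from the measures described in the sections above. The snapshot format and the SapUser fields are assumptions; on a real system the data would be exported from the user master and the instance profile.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SapUser:
    name: str
    client: str
    locked: bool            # administrator lock set on the account
    default_password: bool  # installation default / hard-coded password still in use


# Constructed snapshot of a hypothetical system (not real data).
SAMPLE_USERS = [
    SapUser("SAP*", "000", False, True),        # default password still set
    SapUser("SAP*", "001", False, False),
    SapUser("DDIC", "000", False, True),        # default password still set
    SapUser("DDIC", "001", False, False),
    SapUser("EARLYWATCH", "066", False, False), # password changed but not locked
    SapUser("SAPCPIC", "000", True, True),      # disabled: acceptable
    SapUser("SAPCPIC", "001", False, True),     # neither disabled nor re-passworded
    SapUser("TMSADM", "000", False, False),
]

# Constructed profile value; "1" deactivates the automatic SAP* login.
SAMPLE_PROFILE = {"login/no_automatic_user_sapstar": "0"}

SPECIAL_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC", "TMSADM"}


def audit_special_users(users, profile):
    """Return (user, client, finding) tuples for each deviation from the recommendations."""
    findings = []
    if profile.get("login/no_automatic_user_sapstar") != "1":
        findings.append(("SAP*", "*", "login/no_automatic_user_sapstar is not 1"))
    for u in users:
        if u.name not in SPECIAL_USERS:
            continue
        if u.name == "SAPCPIC":
            # Either measure is acceptable for SAPCPIC: disabled, or default password changed.
            if not u.locked and u.default_password:
                findings.append((u.name, u.client, "neither disabled nor re-passworded"))
            continue
        if u.default_password:
            findings.append((u.name, u.client, "default password still set"))
        if u.name == "EARLYWATCH" and not u.locked:
            findings.append((u.name, u.client, "unlocked while Early Watch is not in use"))
    return findings


if __name__ == "__main__":
    for user, client, msg in audit_special_users(SAMPLE_USERS, SAMPLE_PROFILE):
        print(f"[{client}] {user}: {msg}")
```

Running it on the constructed snapshot prints five findings; once the profile parameter is set to 1 and each listed account is fixed, the function returns an empty list.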