SAP Security - Protecting Standard Users


When you install the SAP system for the first time, there are a few default users that are created to perform administrative tasks. By default, it creates three clients in the SAP Environment, which are −

  • Client 000 − SAP Reference Client

  • Client 001 − Template Client from SAP

  • Client 066 − SAP Early Watch Client

SAP creates standard users in the above-mentioned client in the system. Each standard user has its own default password with the first installation.

Standard Users in a SAP system includes the following users under default client −

User Details Client Default Password
SAP SAP System Super User 000, 001, 066 6071992
All New Clients PASS
DDIC ABAP Dictionary Super User 000, 001 19920706
SAPCPIC CPI-C User for SAP 000, 001 admin
EARLYWATCH Early Watch User 66 support

These are the standard users under SAP Default clients to perform administrative and configuration task in SAP system. To maintain security in a SAP system, you should protect these users −

  • You should add these users to group SUPER, so that they are only modified by an Administrator who has the privilege to add/modify users to group SUPER.

  • Default password for Standard users should be changed.

How to See the List of Clients in a SAP System?

You can see the list of all the clients in your SAP environment by using Transaction SM30, display the table T000.

Table T000

When you enter the table, and click on Display, it will show you the list of all clients in your SAP system. This table includes detail of all default clients and new clients that you create in an environment for sharing of resources.

Environment for sharing of resources

You can use report RSUSR003 to make sure that the user SAP has been created in all clients and that the standard passwords have been changed for SAP, DDIC and SAPCPIC.

Go to ABAP Editor SE38 and enter the report name and click on EXECUTE.

ABAP Editor

Enter the report title and click on Execute button. It will display all the clients and standard users in SAP System, Password Status, Reason for Use Lock, Valid From and Valid To, etc.

Test

Protecting the SAP System Super User

To protect a SAP System Super User “SAP”, you can perform the following steps in a system −

Step 1 − You need to define the new Super User in a SAP system and deactivate the SAP user. Note that you must not delete user SAP in the system. To deactivate the hard-coded user, you can use the profile parameter: login/no_automatic_user_sapstar.

If the user master record of the user SAP* is deleted, it is possible to log on with “SAP” and the initial password PASS.

“SAP” user has the following properties −

The user has full authorizations, since no authorization checks are performed.

  • The default password PASS cannot be changed.

  • You can use the profile parameter login/no_automatic_user_sapstar to deactivate these special properties of SAP and to control of the automatic login of user SAP* .

Step 2 − To check the value of this parameter, run Transaction RZ11 and enter the parameter name.

Run Transaction

Display

Values allowed − 0, 1, in which −

  • 0 − Automatic user SAP* is permissible.

  • 1 − Automatic user SAP* is deactivated.

Step 3 − In the following system, you can see the value of this parameter is set to 1. This shows that the Super user “SAP” is deactivated in the system.

Step 4 − Click on Display and you can see the current value of this parameter.

Display Button

To create a new Super user in the system, define a new user master record and assign the profile SAP_ALL to this super user.

DDIC User Protection

A DDIC user is required for certain tasks related to Software Logistics, ABAP Dictionary, and Tasks related to installation and upgrade. To protect this user, it is advisable to lock this user in a SAP system. You shouldn’t delete this user to perform few functionalities for future use.

To lock the user, use Transaction code: SU01.

DDIC User Protection

If you want to protect this user, you can assign the SAP_ALL authorization to this user at the time of installation and later lock it.

Protecting the SAPCPIC User

A SAPCPIC user is used for calling certain programs and function modules in a SAP system and is a non-dialog user.

You should lock this user and change the password for this user to protect it. In the previous releases, when you lock SAPCPIC user or change the password, it affects additional programs RSCOLL00, RSCOLL30, and LSYPGU01.

Protecting Early Watch

A 066 Client − This is called SAP Early watch and is used for diagnostic scans and monitoring service in SAP system and user EARLYWATCH is the interactive user for the Early Watch service in Client 066. To secure this user, you can perform the following actions −

  • Lock EARLYWATCH user until it is not required in a SAP environment.
  • Change the default password for this user.

Key Points

To protect SAP Standard users and to protect clients in SAP landscape, you should consider the following key points −

  • You should properly maintain the clients in a SAP system and ensure that there are no unknown clients that exist.

  • You need to ensure that SAP super user “SAP” exists and has been deactivated in all clients.

  • You need to ensure that default password is changed for all SAP standard users SAP, DDIC and EARLYWATCH user.

  • You need to ensure that all the Standard users have been added to the SUPER group in a SAP system and the only person authorized to make changes to SUPER group can only edit these users.

  • You need to ensure that the default password for SAPCPIC has been changed and this user is locked and it is unlocked when it is required.

  • All SAP standard users should be locked and can only be unlocked when it is required. Password should be well protected for all these users.

How to Change Password of a Standard User?

You should ensure that password for all SAP standard users should be changed in all the clients maintained in Table T000 and user “SAP” should exist for all clients.

Change of Password

To change the password, login with Super user. Enter the user Id in Username field for which you want to change the password. Click on Change Password option as shown in the following screenshot −

Change Password Option

Enter the new password, repeat password and click on Apply. You should repeat the same process for all the standard users.

Change Password Window
Advertisements