During installation, SAP systems create the standard users SAP*, DDIC and EARLYWATCH in specific clients. The clients in which these IDs exist and their standard passwords are described below.
SAP* exists in every client immediately after installation and has the composite profile SAP_ALL assigned, that is, all authorizations, including those needed for system setup.
SAP® has implemented SAP* as a standard, hard-coded (backdoor) user in the kernel so that a logon remains possible for emergency access, for example if the basis administrator's user ID has been disabled. This hard-coded user only becomes usable when the regular SAP* user master record has been deleted from the client.
To prevent a logon with the hard-coded SAP* after such a deletion, set the profile parameter login/no_automatic_user_sapstar. Value 0 allows a logon with SAP* once the user master record is gone; value 1 blocks it. Check the effective value with transaction RZ11 on every application server instance, since a single instance with value 0 is enough for the backdoor to work.
- The standard password for SAP* directly after the installation of clients 000, 001 and 066 is 06071992.
- The standard password for SAP* in all newly created clients is PASS.
The preferred way to protect this user is to deactivate SAP*:
- Remove all authorizations from this user.
- Create a new superuser and deactivate SAP*.
- Change all of the default passwords for these users.
- Lock the user account.
- Set the parameter login/no_automatic_user_sapstar to 1.
- Activate the audit log for this user.
- Assign the user to the group SUPER, so that it can only be modified by administrators who are authorized to change users in the group SUPER.
Report RSDELSAP deletes the user SAP* in client 066. Its source code is delivered but is not active.
The user DDIC is created in clients 000 and 001 during installation and exists in every copy of these clients. This standard user ID is used for the installation and for release upgrades, including changes to the data dictionary (ABAP Dictionary). Its use of the Transport Management System is restricted to display only.
This is the protection against any direct development under DDIC. Because the technical steps of these processes are initiated in client 000, DDIC only needs to be a dialog user in client 000; in all other clients it can be set to user type System. The standard password for this user directly after installation is 19920706.
Report RDDPWCHK checks whether a password you enter matches the one assigned to DDIC: if it matches, the dialog window simply closes; if not, the message False is displayed. These checks are not counted by the failed-logon counter, so the report allows password guessing against DDIC without ever locking the user. Restrict who may execute it.
Remote Support Users
When using the SAP support services, you often need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:
- Define a special user for remote access. Do not use any of the standard users.
- Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.
- Do not disclose this user’s password over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is completed.
EARLYWATCH is created in client 066 during installation and is used by SAP® for remote monitoring. It is set up only with the standard profile S_TOOLS_EX_A for performance monitoring. The user should generally be locked and unlocked only on request. The initial password for EARLYWATCH is support.
To summarize, we recommend that you regularly review the following criteria for protecting the standard users:
- Maintain an overview of the clients that you have and make sure that no unknown clients exist.
- Make sure that SAP* exists and has been deactivated in all clients.
- Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
- Make sure that these users belong to the group SUPER in all clients.
- Lock the users SAP*, DDIC, EARLYWATCH and your remote support user, and unlock them only when necessary. (It should never be necessary to use SAP*!)
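The checklist above, turned into a runnable audit. This is an added example written for this page; it is not an SAP tool and not code from the original article. It runs over a constructed, simplified extract of the user master data (the fields mirror USR02 and the client list in T000, but every record is made up) and over a constructed instance-profile fragment; the default_password flag stands for the result of report RSUSR003, which checks the passwords of the standard users. The record layout, function names and finding texts are this example's own assumptions.

```python
"""
Audit of SAP standard users against the checklist in this article.

Added example: not part of the original article and not an SAP tool. It works on a
constructed extract of user master data (fields mirror USR02 / T000, records are made
up) and on a constructed instance-profile fragment. Record layout, function names and
finding texts are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Dialog users covered by the checklist; SAP* additionally has to exist in every client.
STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH")
REQUIRED_GROUP = "SUPER"


@dataclass(frozen=True)
class UserRecord:
    client: str              # MANDT
    name: str                # BNAME
    locked: bool             # UFLAG <> 0 (administrator lock or lock after failed logons)
    group: str               # CLASS, the user group in USR02
    default_password: bool   # standard password still set, as reported by RSUSR003


# Constructed sample: four clients with deliberate weaknesses.
CLIENTS = ["000", "001", "066", "100"]
USERS = [
    UserRecord("000", "SAP*", True, "SUPER", False),
    UserRecord("000", "DDIC", True, "SUPER", False),
    UserRecord("001", "SAP*", True, "SUPER", False),
    UserRecord("001", "DDIC", False, "SUPER", True),     # unlocked and still on 19920706
    UserRecord("066", "SAP*", True, "SUPER", False),
    UserRecord("066", "EARLYWATCH", True, "", False),     # not in group SUPER
    UserRecord("100", "DDIC", True, "SUPER", False),      # SAP* was deleted in client 100
]

# Constructed instance-profile fragment carrying the weak setting.
PROFILE_TEXT = """\
SAPSYSTEMNAME = PRD
login/no_automatic_user_sapstar = 0
login/min_password_lng = 8
"""

Finding = Tuple[str, str, str]   # (client, user, issue)


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines of an SAP profile; comments and blank lines are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit(clients: List[str], users: List[UserRecord], profile_text: str) -> List[Finding]:
    findings: List[Finding] = []

    # Check 1: the hard-coded SAP* must be disabled system-wide.
    if parse_profile(profile_text).get("login/no_automatic_user_sapstar") != "1":
        findings.append(("*", "SAP*", "login/no_automatic_user_sapstar is not 1"))

    by_client: Dict[str, Dict[str, UserRecord]] = {c: {} for c in clients}
    for u in users:
        if u.client not in by_client:
            # A user in a client that T000 does not list is a finding in itself.
            findings.append((u.client, u.name, "unknown client"))
            by_client[u.client] = {}
        by_client[u.client][u.name] = u

    for client in sorted(by_client):
        present = by_client[client]
        # Check 2: SAP* must exist in every client; otherwise the kernel SAP* (password PASS)
        # becomes usable as soon as the profile parameter above is 0.
        if "SAP*" not in present:
            findings.append((client, "SAP*", "missing (deleted) in client"))
        # Checks 3-5: default password changed, user locked, user in group SUPER.
        for name in STANDARD_USERS:
            rec = present.get(name)
            if rec is None:
                continue
            if rec.default_password:
                findings.append((client, name, "default password"))
            if not rec.locked:
                findings.append((client, name, "not locked"))
            if rec.group != REQUIRED_GROUP:
                findings.append((client, name, "not in group SUPER"))
    return findings


if __name__ == "__main__":
    for client, user, issue in audit(CLIENTS, USERS, PROFILE_TEXT):
        print(f"client {client:>3}  {user:<11} {issue}")
```

Run against the sample, the audit reports the missing SAP* in client 100, the unlocked DDIC with its default password in client 001, the EARLYWATCH user outside group SUPER, and the profile parameter set to 0; a real run would feed it an export of USR02 and T000 plus the instance profiles instead of the constructed records.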
But wait, don't walk away, there is more….
TMSADM is created automatically in client 000 when the Change and Transport System (CTS) is set up. It is of user type Communication and is used by the CTS for transports. TMSADM has the profile S_A.TMSADM assigned, which authorizes the use of RFC with display access to the development environment as well as write access to the file system. The standard password for this user directly after installation is PASSWORD.
SAPCPIC is created as a Communication user during installation and is mostly used for EDI. The standard profile S_A.CPIC restricts it to the use of RFC. The user is hard-coded, together with a standard password, into the function module INIT_START_OF_EXTERNAL_PROGRAM, which has to be taken into account when changing this user's password.
The standard password for this user directly after installation is ADMIN.
SAP* in J2EE
In the Java stack, SAP* is set up with full administration authorizations. For security reasons it has no standard password. To use it as an emergency user, the properties in the User Management Engine (UME) have to be maintained: setting ume.superadmin.activated to true enables the emergency use of this user, and setting a password in ume.superadmin.password activates the user after a restart of the engine. While SAP* is active, all other users are deactivated.
Once the system is fixed, deactivate the user again by setting ume.superadmin.activated back to false and restarting the engine so that the change takes effect.
This user is the Java standard user with full administration authorization in this environment. Its password is assigned during setup; a highly complex password is recommended.
This user is the Java standard user for anonymous access. It is locked by default, and its password is assigned during installation.
This user is the standard communication user for LDAP (Lightweight Directory Access Protocol) data sources.
This standard user is used for the communication between the Java engine and the Adobe Document Services (ADS).
This standard user is used in the context of the Composite Application Framework (CAF) core transport system and for communication with other Java services.