Showing posts with label Earlywatch. Show all posts
Showing posts with label Earlywatch. Show all posts

Saturday, January 7, 2012

Default Clients in R/3 system and default users with passwords


There are 3 standard clients in sap r/3 system. They are 000, 001 and 066. These three clients come with default users along with default passwords. I have listed in the following paragraphs.
What is a client: A client is an independent unit within the R/3 system or an area in the system with data on which a user works.
We have to do client copy right after installation of the software as our first job to begin the technical phase of implementation. We have to copy from one of the standard clients available. We can use copied clients for testing, training or for starting real customization.
We will discuss about what is data and what types of data is available in the sap R/3 system before going into the explaining of definition of the standard clients.
Data: The information residing in the database tables is called data. There are different types of data involved in the R/3 system. They are client dependent data, client-independent data and the client repository data.
Client dependent data: The data which is accessible through a particular client is called client dependent data. The user data is one of the examples of client dependent data.
Client-independent data: The data which can be accessible from any client or which is common to any client in the system is called client-independent data. The transaction code or t-code data is example of the client-independent data.
Client repository data: The different application programs which makes SAP runs is called client repository data. The transaction data, application data, customizing data are other different types of data of the sap r/3 system.
Standard clients of the SAP R/3 system:
000 Client: This client is called as master client in the r/3 system. This client is included in the sap r/3 system as default. We can find this client in the system as soon as we install sap r/3 software. Client 000 contains a simple organizational structure of a test company and includes parameters for all applications, standard settings, configurations for the control of standard transactions and examples to be used in many different profiles of the business applications. For these reasons, 000 is a special client for the R/3 system since it contains the client−independent settings. We can access the entire standard data with this client. We should not do any changes in the data through master client. The default users of this client are mentioned below along with default passwords.
  • User name: sap*
  • Password: This password will be set by the person during the sap r/3 installation
  • User name: ddic
  • Password: This password will be set by the person during the sap r/3 installation

001 client: This client is best example for customizing or development client and we can access entire customizing data. This client is a copy of the 000 client including the test company. This client’s settings are client-independent if it is configured or customized. This client is reserved for the activities of preparing a r/3 system for the production environment. The customers of the SAP normally use this client as a source for copying other new clients. The default users and passwords of this client are listed below.
  • User name: sap*
  • Password: 06071992
  • User name: ddic
  • Password: 19920706
066 Client: This client also called as early watch client which is reserved for sap access. SAP will access their customer systems using this client to perform the Early Watch service. SAP will generate the performance report of its customer system and this report is called as Early Watch report. The default users of this client are listed below.
  • User name: sap*
  • Password: 06071992
  • User name: earlywatch
  • Password: support
There are 3 standard clients in sap r/3 system. They are 000, 001 and 066. These three clients come with default users along with default passwords. I have listed in the following paragraphs.
What is a client: A client is an independent unit within the R/3 system or an area in the system with data on which a user works.
We have to do client copy right after installation of the software as our first job to begin the technical phase of implementation. We have to copy from one of the standard clients available. We can use copied clients for testing, training or for starting real customization.
We will discuss about what is data and what types of data is available in the sap R/3 system before going into the explaining of definition of the standard clients.
Data: The information residing in the database tables is called data. There are different types of data involved in the R/3 system. They are client dependent data, client-independent data and the client repository data.
Client dependent data: The data which is accessible through a particular client is called client dependent data. The user data is one of the examples of client dependent data.
Client-independent data: The data which can be accessible from any client or which is common to any client in the system is called client-independent data. The transaction code or t-code data is example of the client-independent data.
Client repository data: The different application programs which makes SAP runs is called client repository data. The transaction data, application data, customizing data are other different types of data of the sap r/3 system.
Standard clients of the SAP R/3 system:
000 Client: This client is called as master client in the r/3 system. This client is included in the sap r/3 system as default. We can find this client in the system as soon as we install sap r/3 software. Client 000 contains a simple organizational structure of a test company and includes parameters for all applications, standard settings, configurations for the control of standard transactions and examples to be used in many different profiles of the business applications. For these reasons, 000 is a special client for the R/3 system since it contains the client−independent settings. We can access the entire standard data with this client. We should not do any changes in the data through master client. The default users of this client are mentioned below along with default passwords.
  • User name: sap*
  • Password: This password will be set by the person during the sap r/3 installation
  • User name: ddic
  • Password: This password will be set by the person during the sap r/3 installation

001 client: This client is best example for customizing or development client and we can access entire customizing data. This client is a copy of the 000 client including the test company. This client’s settings are client-independent if it is configured or customized. This client is reserved for the activities of preparing a r/3 system for the production environment. The customers of the SAP normally use this client as a source for copying other new clients. The default users and passwords of this client are listed below.
  • User name: sap*
  • Password: 06071992
  • User name: ddic
  • Password: 19920706
066 Client: This client also called as early watch client which is reserved for sap access. SAP will access their customer systems using this client to perform the Early Watch service. SAP will generate the performance report of its customer system and this report is called as Early Watch report. The default users of this client are listed below.
  • User name: sap*
  • Password: 06071992
  • User name: earlywatch
  • Password: support
Posted by at No comments:
Labels: , , , , , , , , , , , , , , , , ,

Monday, July 4, 2011

SAP User (Must known)


SAP Systems create the standard users SAP*, DDIC and EARLYWATCH during the installation process in the clients as shown in the table below.
During the installation process, SAP Systems creates standard users such as SAP*, DDIC and EARLYWATCH. The table below shows these ID’s with their standard passwords.

SAP*

SAP* will be available right after the installation in all client and contains composite profile SAP_ALL assigned and with  all authorizations, including the ones needed for system set up.
SAP® has implemented this standard, hard-coded (backdoor) ID to allow a login, if the basis administrator’s user-ID is disable or for emergency access. However, to enable this standard ID, SAP* created as regular  user-ID needs to be deleted.
To prevent a login with SAP* after a deletion, the parameter login/no_automatic_user_sapstar should be set. Value 0 (zero)  allows users to log in with SAP*. Value 1 will prevent users from logging on after SAP* is deleted.
  • The standard password for this user directly after the installation of clients 000,001 and 066  is 06071992.
  • The standard password for all new clients  is PASS.
The preferable method to protect this user is the deactivation of SAP* :
  • Remove all authorizations from this user.
  • Create a new superuser and deactivate SAP*.
  • Change all of the default passwords for these users.
  • Lock the user account.
  • Set the parameter login/no_automatic_user_sapstar to 1.
  • Activate the audit log for this user.
  • Assign them to the group SUPER so that they only be modified by administrators who are authorized to change users in the group SUPER.
Report RSDELSAP deletes the user SAP*in the client 066. The corresponding source code is not active but available.

DDIC

The user DDIC is established in the client 000 and 001 with the installation and copies of these clients. This standard user -id is uitilized to cover installation and release updates including changes to the data dictionary. The use of the transport management system is restricted to display only.
This is the protection against any direct development. As the technical steps related to this process are initiated in the client 000, the DDIC only needs to be a dialog user in 000. In all other clients he can be set to the user type “system”. The standard password for this user directly after the installation is 19920706.
The report RDDPWCHK allows to check the password that is assigned to the user DDIC. In case the password matches, the dialog window will be closed. For mismatches the message False is displayed. The counter for false login does not count these password detection attempts.
Do not delete DDIC or its profiles. DDIC is needed for certain tasks in installation and upgrade, software logistics, and for the ABAP Dictionary. Deleting it results in loss of functions in these areas.
To make sure everything runs smoothly, give DDIC the authorizations for SAP_ALL during an installation or upgrade and then lock it afterwards. Only unlock it when necessary.
To find out which clients you have in your system, display the table T000 using transaction SM30.
Use the report RSUSR003 to make sure that the user SAP* has been created in all clients and that the standard passwords have been changed for SAP*, DDIC (and also the older user SAPCPIC). For more information, see SAP Note 40689.

Remote Support Users

When using the SAP support services, you often need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:
  • Define a special user for remote access. Do not use any of the standard users.
  • Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.
  • Do not disclose this user’s password over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is completed.

EARLYWATCH

EARLYWATCH is created in the client 066 during installtion and is used for remote control by SAP® and is only set up with some standard authorizations S_TOOLS_EX_A for performance monitoring. The user is to be locked in general, and can be unlocked upon request. Initial password for EARLYWATCH is support.

Summary

To summarize, we recommend that you regularly review the following criteria for protecting the standard users:
  • Maintain an overview of the clients that you have and make sure that no unknown clients exist.
  • Make sure that SAP* exists and has been deactivated in all clients.
  • Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
  • Make sure that these users belong to the group SUPER in all clients.
  • Lock the users SAP*, DDIC, EARLYWATCH and your remote support user. Unlock them only when necessary. (Note that it should never be necessary to use SAP*!)
  • Lock DDIC and EARLYWATCH and unlock them only when necessary.

But wait, don’t walk away,there is more….

TMSADM

This ID is automatically created at the set up the change and transport management system in the client 000. The user type is “Communication”, and is utilized for transports by the CTS. TMSADM is assigned to profile S_A.TMSADM assigned that authorizes the use of RFC with display of the development environment as well as access to write to the file system. The standard password for this user directly after the installation is PASSWORD.

SAPCPIC

SAPCPIC is created as a “communication” user at the installation and is mostly used for EDI. The standard profile S_A.CPIC restricts the access to the use of RFC. This user is hard-coded into the function module  INIT_START_OF_EXTERNAL_PROGRAM together with a standard password. This needs to be considered in case of password changes for this user.
The standard password for this user directly after the installation is ADMIN.

SAP* in J2EE

The user is established with full authorizations for the administration. With regard to security, the user has no standard password assigned. To utilize this user as emergency user the properties in the UME need to be maintained. Setting the ume.superadmin.activated property to true will activate the use of this user for emergency cases. Setting a password in ume.superadmin.password will then activate the user finally after the restart of the engine.  While the user SAP* is in use, all other users will be inactivated during this time.
When the system is fixed, the deactivation can be achieved by setting the ume.superadmin.activated property to false.

J2EE_ADMIN_

This user is the Java standard user with full administration authorization in this environment. The password is to be assigned during the set up.
High complexity is recommended for this password.

J2EE_GUEST

This user is a Java standard user who can be utilized for anonymous access. The user is locked per default. The password is assigned during the installation.

SAPJSF_

This user is a standard communication user for LDAP Lightweight Directory Access Protocol data sources.

ADSuser

This standard user is utilized for the communication between Java and ADS Adobe Document Service.

caf_mp_scvuser

This standard user is utilized in the context of the Composite Application Framework (CAF) core transport system and communication with other Java services.
Posted by at No comments:
Labels: , , , , , , ,
Subscribe to: Posts (Atom)