Home » SAP Risk With SAP System Supplied Super Users
Business

SAP Risk With SAP System Supplied Super Users

The SAP system has four default users that come with every SAP system. The four standard super users are SAP*, DDIC, Earlywatch, and SAPCPIC. These users should be strictly secured by the SAP Security Administrator. The Basis and Security Administrators will be the users who know and have access to these users.

SAP*

SAP* is the user that is set up in every client install or copy. Because this user is written into the SAP code, it is also the user that does not have a user master record. This user also has complete access to the entire SAP system.

SAP* has the profiles SAP_ALL and SAP_NEW and is controlled by Basis. The following tasks should be completed in order to properly secure this ID: (program RSUSR003 can be used to determine if the default password has been changed)

1. Change the password because the original password is highly publicized.

2. Create a user master record for SAP*.

3. Ensure SAP* is assigned to the user group SUPER to warn against deletion or modification of the user master record.

The SAP* user must always have a user master record in all clients otherwise the hard-coded password for SAP* prevails.

SAP_ALL and SAP_NEW SAP Delivered Profiles

SAP_ALL and SAP_NEW are system profiles provided by SAP. They contain unrestricted authorizations for the entire system, the Basis system and all the applications. These profiles WILL NOT be given to any dialog user on the production system, however some BASIS functions may require this and should be evaluated case by case basis

DDIC

User DDIC is a SAP supplied identifier that comes standard with every system. Unlike SAP*, this user has a defined user master record. DDIC has special privileges relating to the data dictionary in SAP and it’s the user allowed to log in during a system upgrade. Therefore, this user must be secured against misuse or unauthorized access. This user may be needed for running jobs via UNIX (i.e. unsuccessful transports will require this user ID). The following steps should be performed to mitigate the risk of user DDIC:

1. Change the password because the original password is highly publicized.

2. Ensure DDIC is assigned to the user group SUPER.

One person should be appointed as DDIC Administrator (Basis or ABAP/4 team member). Any changes that need to be made to the Data Dictionary will be sent to this person and he/she will be responsible for the Data Dictionary and it’s associated documentation. The Basis team will as backup DDIC Administrator.

Earlywatch

This ID is used by SAP to analyze the system. They usually use this ID a year to run a report which give them data on how the system is functioning. Usually this ID has SAP_ALL and SAP_NEW

SAPCPIC

This is a communication ID and should be given the profile S_A.CPIC. This ID does not need, nor will it have, SAP_ALL and SAP_NEW.

About the author

admin

Add Comment

Click here to post a comment