SAP*, DDIC, EARLYWATCH
SAP systems create the standard users SAP*, DDIC and EARLYWATCH during installation, in the clients shown in the table below.
Default Passwords for Standard Users
User | Description | Clients | Default Password
-----|-------------|---------|-----------------
SAP* | SAP system super user | 000, 001, 066, all new clients | 06071992 (PASS for the hard-coded SAP* in a client that has no SAP* master record)
DDIC | ABAP Dictionary and software logistics super user | 000, 001 | 19920706
EARLYWATCH | Dialog user for the EarlyWatch service in client 066 | 066 | support
Note: these passwords may already have been changed during installation; verify the actual state with RSUSR003 (see below) rather than assuming the defaults are still set.
To protect these users from unauthorized use:
● Define a new superuser and deactivate SAP*.
● Change all of the default passwords for these users (set them during installation where the installation procedure allows it).
● Assign them to the group SUPER so that they can only be modified by administrators who are authorized to change users in the group SUPER.
● Lock DDIC and EARLYWATCH and unlock them only when necessary.
Do not delete DDIC or its profiles. DDIC is needed for certain tasks in installation and upgrade, software logistics, and for the ABAP Dictionary. Deleting it results in loss of functions in these areas.
To make sure everything runs smoothly, give DDIC the authorizations for SAP_ALL during an installation or upgrade and then lock it afterwards. Only unlock it when necessary.
To find out which clients you have in your system, display the table T000 using transaction SM30 (or use client maintenance, transaction SCC4).
Use the report RSUSR003 to make sure that the user SAP* has been created in all clients and that the standard passwords have been changed for SAP*, DDIC (and also the older user SAPCPIC). For more information, see SAP Note 40689.
For information on protecting pre-defined RFC users, for example, WF_BATCH or TMSADM, see Security Measures – Overview (RFC).
Remote Support Users
When using the SAP support services, you often need to allow remote access to your system using a user defined at your site. Because you are allowing system access to someone outside of your system, you should take extra precautions to protect this user. We recommend the following:
● Define a special user for remote access. Do not use any of the standard users.
● Define a procedure for activating and deactivating the user. Activate it only when necessary and deactivate it once the remote session is completed.
● Do not disclose this user's password over the remote session. Send it over a separate channel such as an e-mail or a return telephone call. Change the password once the session is completed.
There are additional precautions to take when using the SAP Support Portal support services. For more information, see the information on the SAP Service Marketplace at http://service.sap.com/access-support.
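The activate/deactivate procedure for the remote support user, as an added example that is not part of the SAP documentation. It assumes an RFC transport object with a `.call(function_name, **params)` method returning the function's export parameters as a dict, which is the interface of pyrfc.Connection (the caller is assumed to have opened that connection with an administrative user); the function modules are the standard user BAPIs BAPI_USER_UNLOCK, BAPI_USER_LOCK and BAPI_USER_CHANGE, dates are passed as 'YYYYMMDD' strings (pyrfc's default handling of DATS fields is assumed), and the user name SUPPORT_SAP is hypothetical. Opening a window sets a validity period starting today, issues a fresh password and unlocks the user; closing it locks the user, ends the validity period and replaces the password that was disclosed to the support engineer.

```python
"""
Time-boxed activation of a dedicated remote-support user over RFC.

Added example, not from the SAP documentation. Assumptions: an RFC transport
with `.call(name, **params)` returning export parameters as a dict (the
pyrfc.Connection interface); standard user BAPIs; DATS values as 'YYYYMMDD'.
"""
import datetime as dt
import secrets
import string

SUPPORT_USER = "SUPPORT_SAP"   # hypothetical name of the dedicated remote-support user


def _check(result):
    """Raise on any error/abort entry in a BAPI RETURN table, else pass the result through."""
    for entry in result.get("RETURN", []):
        if entry.get("TYPE") in ("E", "A"):
            raise RuntimeError(f"{entry.get('ID')}{entry.get('NUMBER')}: {entry.get('MESSAGE')}")
    return result


def new_password(length=20):
    """Random password; delivered out of band, never over the support session itself."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def open_support_window(rfc, user, today, days=1):
    """Validity from today for `days` days, fresh password, then unlock."""
    until = today + dt.timedelta(days=days)
    password = new_password()
    _check(rfc.call("BAPI_USER_CHANGE", USERNAME=user,
                    LOGONDATA={"GLTGV": today.strftime("%Y%m%d"),
                               "GLTGB": until.strftime("%Y%m%d")},
                    LOGONDATAX={"GLTGV": "X", "GLTGB": "X"},
                    PASSWORD={"BAPIPWD": password}, PASSWORDX={"BAPIPWD": "X"}))
    _check(rfc.call("BAPI_USER_UNLOCK", USERNAME=user))
    return password


def close_support_window(rfc, user, today):
    """Lock the user, end its validity today, and replace the disclosed password."""
    _check(rfc.call("BAPI_USER_LOCK", USERNAME=user))
    _check(rfc.call("BAPI_USER_CHANGE", USERNAME=user,
                    LOGONDATA={"GLTGB": today.strftime("%Y%m%d")},
                    LOGONDATAX={"GLTGB": "X"},
                    PASSWORD={"BAPIPWD": new_password()}, PASSWORDX={"BAPIPWD": "X"}))


class RecordingRfc:
    """Offline stand-in for pyrfc.Connection: records calls, returns an empty RETURN table."""
    def __init__(self):
        self.calls = []

    def call(self, name, **params):
        self.calls.append((name, params))
        return {"RETURN": []}


def demo(today=dt.date(2024, 1, 15)):
    """One full open/close cycle against the recorder; returns the RFC call sequence."""
    rfc = RecordingRfc()
    open_support_window(rfc, SUPPORT_USER, today)
    close_support_window(rfc, SUPPORT_USER, today)
    return rfc.calls


if __name__ == "__main__":
    for name, params in demo():
        print(name, params.get("LOGONDATA", ""))
```

Against a real system, replace RecordingRfc with the opened pyrfc.Connection; the password returned by open_support_window is what you hand over through the separate channel, and close_support_window is what runs at the end of every session regardless of how it went.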
Summary
To summarize, we recommend that you regularly review the following criteria for protecting the standard users:
● Maintain an overview of the clients that you have and make sure that no unknown clients exist.
● Make sure that SAP* exists and has been deactivated in all clients.
● Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
● Make sure that these users belong to the group SUPER in all clients.
● Lock the users SAP*, DDIC, EARLYWATCH and your remote support user. Unlock them only when necessary. (Note that it should never be necessary to use SAP*!)
The hard-coded SAP* user (no master record needed, password PASS, full authorization) is enabled or disabled by the profile parameter login/no_automatic_user_sapstar. Set it to 1 on every instance so that deleting the SAP* master record in a client can never reopen this back door, and keep a locked SAP* master record in every client regardless.
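The checklist above as an offline audit, added here as an example rather than taken from the SAP documentation. It assumes three inputs you export from the system: table T000 (columns MANDT, MTEXT), table USR02 (columns MANDT, BNAME, UFLAG for the lock flag and CLASS for the user group) and the instance profile text; the sample exports embedded below are constructed, not real system output, and the expected client list is a parameter you supply. It flags unknown clients, clients with no SAP* master record (and whether login/no_automatic_user_sapstar leaves the hard-coded SAP*/PASS logon open there), standard users that are not locked by an administrator (a lock caused only by failed logons is reported separately, since it is not a deliberate lock), and users outside the group SUPER. Default-password detection is left to RSUSR003 and not reproduced.

```python
"""
Offline audit of the standard-user checklist.

Added example, not part of the SAP documentation. Inputs are constructed
sample exports of T000 and USR02 plus a constructed instance profile.
"""
import csv
import io

STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH")
ADMIN_LOCK = 32 | 64       # USR02-UFLAG: 32 = locked by admin, 64 = locked by CUA
FAILED_LOGON_LOCK = 128    # USR02-UFLAG: locked after failed logons (not a deliberate lock)

# Constructed sample exports, tab-separated as SE16 writes them.
T000_EXPORT = """MANDT\tMTEXT
000\tSAP reference client
001\tDelivery client
066\tEarlyWatch
100\tProduction
200\tTest client nobody remembers creating
"""

USR02_EXPORT = """MANDT\tBNAME\tUFLAG\tCLASS
000\tSAP*\t32\tSUPER
000\tDDIC\t32\tSUPER
001\tSAP*\t32\tSUPER
001\tDDIC\t0\tSUPER
066\tSAP*\t32\tSUPER
066\tEARLYWATCH\t0\t
100\tSAP*\t128\tSUPER
100\tDDIC\t32\tSUPER
"""
# Client 200 has no SAP* master record at all; in client 100, SAP* is "locked"
# only because of failed logons, which is not the same as an administrator lock.

PROFILE_TEXT = """# instance profile (constructed sample)
SAPSYSTEMNAME = NSP
login/no_automatic_user_sapstar = 0
login/min_password_lng = 8
"""


def parse_export(text):
    """Tab-separated table export -> list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def parse_profile(text):
    """SAP profile syntax: 'name = value' lines, '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def lock_state(uflag):
    """Classify a USR02-UFLAG value."""
    flag = int(uflag or 0)
    if flag & ADMIN_LOCK:
        return "admin"
    if flag & FAILED_LOGON_LOCK:
        return "failed_logons"
    return "unlocked"


def audit(t000_rows, usr02_rows, profile, expected_clients):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    param = profile.get("login/no_automatic_user_sapstar")
    automatic_sapstar = param != "1"
    if automatic_sapstar:
        findings.append(f"profile: login/no_automatic_user_sapstar is {param!r}, set it to 1")
    users = {(r["MANDT"], r["BNAME"]): r for r in usr02_rows}
    for client in sorted(r["MANDT"] for r in t000_rows):
        if client not in expected_clients:
            findings.append(f"{client}: unknown client in T000")
        if (client, "SAP*") not in users:
            msg = f"{client}: no SAP* master record"
            if automatic_sapstar:
                msg += " (hard-coded SAP* with password PASS can log on)"
            findings.append(msg)
        for name in STANDARD_USERS:
            row = users.get((client, name))
            if row is None:
                continue   # DDIC and EARLYWATCH exist only in their delivery clients
            state = lock_state(row["UFLAG"])
            if state == "unlocked":
                findings.append(f"{client}: {name} is not locked")
            elif state == "failed_logons":
                findings.append(f"{client}: {name} is locked only by failed logons, not by an administrator")
            if row["CLASS"] != "SUPER":
                findings.append(f"{client}: {name} is in user group {row['CLASS']!r}, not SUPER")
    return findings


def run_sample():
    """Audit the constructed sample; the expected client list is the auditor's input."""
    return audit(parse_export(T000_EXPORT), parse_export(USR02_EXPORT),
                 parse_profile(PROFILE_TEXT), expected_clients={"000", "001", "066", "100"})


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run it against fresh exports after every client copy or upgrade; a client created by a copy starts without an SAP* master record, which is exactly the case the profile parameter check guards against.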