Showing posts with label SAP USERS. Show all posts

Protecting Special Users

Clients 000, 001 and 066 are created when your SAP System is installed. Two special users are defined in clients 000 and 001. Since these users have standard names and standard passwords, you must secure them against unauthorized use by outsiders who know of their existence.

Note that no special user is created in client 066.

The two special users in the SAP System are as follows:

  • The SAP System superuser, SAP*

SAP* is the only user in the SAP System that does not require a user master record; it is instead defined in the system code itself. By default, SAP* has the password PASS and unlimited system access authorizations.

When you install your SAP System, a user master record is defined for SAP* with the initial password 06071992 in clients 000 and 001. The presence of a SAP* user master record deactivates the special properties of SAP*: the user then has only the password and the authorizations that are specified for it in the user master record.

To secure SAP* against misuse, you should at least change its password from the standard PASS. For security reasons, SAP recommends that you deactivate SAP* and define your own superuser.

  • The maintenance user for the ABAP Dictionary and software logistics, user DDIC.

The user master record for user DDIC is automatically created in clients 000 and 001 when you install your SAP System. The default password for this user is 19920706. The system code allows user DDIC special privileges for certain operations. For example, DDIC is the only user that is allowed to log on to the SAP System during an upgrade.

To secure DDIC against unauthorized use, you must change the initial password for the user in clients 000 and 001 in your R/3 System.

  • The user EarlyWatch is delivered in client 066 and is protected with the password SUPPORT. The SAP EarlyWatch experts use this user, so it should not be deleted. Change the password. This user should only be used for EarlyWatch functions (monitoring and performance).
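The checks described above, written as an audit over a user inventory. This is an added example, not code from the original post or from SAP; the `UserRow` export format, its `pw_is_default` and `locked` fields, and the sample rows are constructed assumptions.

```python
from dataclasses import dataclass

# Special users delivered per client, as listed on this page (SAP* is handled separately).
EXPECTED = {"000": ["DDIC"], "001": ["DDIC"], "066": ["EARLYWATCH"]}

@dataclass
class UserRow:            # hypothetical export: one row per user master record
    client: str
    user: str
    pw_is_default: bool   # password still equals the delivered value
    locked: bool          # assumption: a locked record counts as "deactivated"

def audit(clients, rows):
    """Return sorted (client, user, finding) tuples for the special users."""
    index = {(r.client, r.user.upper()): r for r in rows}
    findings = []
    for client in clients:
        sap_star = index.get((client, "SAP*"))
        if sap_star is None:
            # No master record: the SAP* defined in system code (password PASS) applies.
            findings.append((client, "SAP*", "no master record: built-in SAP*/PASS active"))
        else:
            if sap_star.pw_is_default:
                findings.append((client, "SAP*", "initial password unchanged"))
            if not sap_star.locked:
                findings.append((client, "SAP*", "not deactivated"))
        for user in EXPECTED.get(client, []):
            row = index.get((client, user))
            if row is None:
                if user == "EARLYWATCH":
                    findings.append((client, user, "deleted: should be kept"))
            elif row.pw_is_default:
                findings.append((client, user, "default password unchanged"))
    return sorted(findings)

# Constructed sample inventory; client 100 has had its SAP* master record deleted.
SAMPLE_CLIENTS = ["000", "001", "066", "100"]
SAMPLE_ROWS = [
    UserRow("000", "SAP*", False, True), UserRow("000", "DDIC", False, False),
    UserRow("001", "SAP*", True, False), UserRow("001", "DDIC", True, False),
    UserRow("066", "SAP*", False, True), UserRow("066", "EARLYWATCH", True, False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CLIENTS, SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

Client 100 is flagged even though it has no SAP* row: deleting the master record brings back the user defined in system code rather than removing SAP*.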

Function and Role of User Types and DDIC User

In "USER MAINTENANCE - SU01", in the "Logon" tab, there are 5 different user types:

1. dialog
2. system
3. communication
4. service
5. reference

Kindly mention the function and role of all the above-mentioned user types specifically, and how one user type is different from another.

These are as follows:-

1. Dialogue:-
For this kind of users:-
GUI login is possible.
Initial password and expiration of password are checked.
Multi GUI logins are checked.
Usage:- These are used for GUI logins.

2. System
For this kind of users:-
GUI login is not possible.
Initial password and expiration of password are not checked.
Usage:- These are used for internal use in system like background jobs.

3. Communication
For this kind of users:-
GUI login is not possible.
Users are allowed to change password through some software in middle tier.
Usage:- These are used for login to system through external systems like web application

4. Service
For this kind of users:-
GUI login is possible.
Initial password and expiration of password are not checked.
Multiple logins are allowed.
Users are not allowed to change the password. Only admin can change the password
Usage:- These are used for anonymous users. This type of users should be given minimum authorization.

5. Reference
For this kind of users:-
GUI login is not possible.
Initial password and expiration of password are not checked.
Usage:- These are special kind of users which are used to give authorization to other users.

Tips by : Rajeev Sharma

What are the functions of DDIC user in Production system?

There are many functions of DDIC user.

For example, when you configure TMS you won't be able to configure it using sap*. For this you need a user who has access to the Data Dictionary and ABAP repository objects, like the DDIC user or a user with sap_all and sap_new permission.

2) When we install R/3 in a landscape, we need to configure TMS. With the help of the default user DDIC we can configure s_trnsprt and s_cts_admin. We cannot create a new user for our client (client of company), as creating a new user gets charged.