SAP special users
SAP NetWeaver AS ABAP creates the standard users SAP*, DDIC, EARLYWATCH, TMSADM, and SAPCPIC during the installation process. The standard users are protected by defaults passwords. Nowadays, most companies are aware of this and will change this default password(s) and implement security procedures for these users.
SAP recommends to take the following action securing the users:
- Maintain an overview of the clients that you have and make sure that no unknown clients exist.
- Make sure that SAP* exists and has been deactivated in all clients.
- Make sure that the default passwords for SAP*, DDIC, and EARLYWATCH have been changed.
- Make sure that these users belong to the group SUPER in all clients.
- Lock the users SAP*, DDIC, and EARLYWATCH. Unlock them only when necessary.
- Delete SAPCPIC if you do not need it. At least make sure that you have changed the default password for SAPCPIC.
- Change the default password of TMSADM. for more information, see Changing the Password of User TMSADM.
I agree these actions need to be taken to provide a minimum level of security for these users. But is this really enough?
I would recommend to spend some time analyzing the usage of these users. This can be done via additional security audit software and/or combined with the security audit log.
You might be surprised with the results. In many cases we could see that a SAP standard user was being used for logging on to the system via interfaces or running background jobs that nobody knew of.
Then the fun part starts: answering the “what” and “why” questions and clean up/document everything……
Be warned, this might take some time!