Did you know that there are "special" SAP users whose credentials are known and public?
This is not an SAP oversight; it is known and expected behaviour. During the initial setup of a system in particular, users are activated that should be secured immediately afterwards. But what are they, and what should you do about them?
What are SAP special users?
These are accounts that the SAP documentation calls "Special Users" (or standard users); they are used at specific moments during the installation or activation of SAP components.
The best known in the ABAP context are as follows:
- SAP*
- DDIC
But there are several others, depending on the stack you are running: ABAP, Java or HANA.
SAP*, for example, is the user hard-coded into the SAP kernel that you need immediately after the first installation in order to get into the system. Sometimes I use the home router as an analogy: on first power-up there is a known password (e.g., admin / admin) that lets you in, and you are expected to change it right away.
Here it is the same situation. SAP has been following a Security by Default path for some time, but some parts are not yet covered by this approach; most likely they will be in the near future. In the past the public password of this user at installation time was 06071992 (the release date of SAP R/3, 6 July 1992); today it is chosen during the installation. When a new client is created, however, SAP* can log on with the default password PASS for as long as no SAP* master record exists in that client and the profile parameter login/no_automatic_user_sapstar is not set to 1.
The DDIC user, the owner of the ABAP Data Dictionary, behaved the same way: its historic default password was 19920706.
Which users are these? Beware that there are others as well, and some SAP products have their own.
- SAP*: see SAP's guidance "Securing User SAP* Against Misuse"
- DDIC: see SAP's guidance "Securing User DDIC Against Misuse"
- SAPCPIC
- TMSADM (the transport management user): see "Changing the Password of User TMSADM"
- J2EE_ADMIN, in Java systems
- J2EE_GUEST, in Java systems
- SYSTEM, in the HANA database: see SAP's guidance "Deactivate the SYSTEM User"
Why are they critical?
Because, as seen above, these users have known passwords and could therefore be exploited by anyone with access to the network on which the SAP systems reside.
There is also an operational aspect, not strictly a security one: someone has to know these credentials, because managing an SAP system occasionally requires using these users.
It can therefore happen that nobody in the company knows their passwords, and when they are needed a password reset is the only way forward. That is not necessarily a problem in itself, but in this scenario doubts tend to arise ("What happens if we change the password of this user?"), and little documentation, passwords never saved, or suppliers who are no longer around all make it harder.
So remember to ask your suppliers for the credentials and for evidence of how these users are managed, since they are often used only a few times in the life of an SAP system.
How do you check that everything is as it should be?
There is no single report or program that checks every kind of system. In ABAP systems, however, there is a transaction that shows, for every client defined in the system, how these users are configured.
It is called RSUSR003 (a report, also callable as a transaction of the same name). It lists, for every client, the state of the users described above plus EARLYWATCH: whether the user exists, whether it is locked, and whether its password is still the standard one; it also shows the value of login/no_automatic_user_sapstar. Where there are RED flags there is usually something to look at.
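RSUSR003 only runs inside the system, and its output is a screen. As an added example, not code from the original post or from SAP, the script below reproduces the same checks offline on two extracts an administrator can take from an ABAP system: the profile (for login/no_automatic_user_sapstar) and the client list with the USR02 user master records (for existence and the UFLAG lock status). Table and field names (T000, USR02, MANDT, BNAME, UFLAG) and the UFLAG bit values are SAP's; the CSV layout and the sample data are constructed for this example, and the severity labels are this example's own choice. A password check is deliberately left out: whether a password is still the default can only be verified inside the system.

```python
"""Offline check of SAP standard users, modelled on what RSUSR003 reports.

Input is constructed sample data standing in for a DEFAULT.PFL fragment, the
client list from T000, and a CSV export of USR02 (MANDT, BNAME, UFLAG).
"""
import csv
import io

# Standard ABAP users discussed on this page
STANDARD_USERS = ("SAP*", "DDIC", "SAPCPIC", "TMSADM")

# USR02-UFLAG lock bits: 32 = locked by CUA administrator, 64 = locked by
# local administrator, 128 = locked after too many failed logons.
ADMIN_LOCK = 32 | 64
FAILED_LOGON_LOCK = 128


def parse_profile(text):
    """Parse 'name = value' lines of an SAP instance/default profile."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def parse_usr02(text):
    """Read a CSV extract of USR02 into {(client, user): uflag}."""
    return {
        (rec["MANDT"], rec["BNAME"]): int(rec["UFLAG"])
        for rec in csv.DictReader(io.StringIO(text))
    }


def check_standard_users(profile_text, clients, usr02_text):
    """Return findings as (client, user, severity, message) tuples."""
    params = parse_profile(profile_text)
    users = parse_usr02(usr02_text)
    findings = []

    # 1. The automatic SAP* user: unless the parameter is 1, any client without
    #    an SAP* master record accepts logon as SAP* with password PASS.
    automatic_sapstar = params.get("login/no_automatic_user_sapstar") != "1"
    if automatic_sapstar:
        findings.append(("*", "SAP*", "HIGH",
                         "login/no_automatic_user_sapstar is not set to 1"))

    # 2. Per client: SAP* must exist and be locked; the other standard users
    #    live only where they were created (typically client 000), so their
    #    absence is not a finding, but an active one deserves a look.
    for client in clients:
        for name in STANDARD_USERS:
            uflag = users.get((client, name))
            if uflag is None:
                if name == "SAP*":
                    severity = "CRITICAL" if automatic_sapstar else "MEDIUM"
                    findings.append((client, name, severity,
                                     "no SAP* master record in this client"))
                continue
            if uflag & FAILED_LOGON_LOCK:
                findings.append((client, name, "HIGH",
                                 "locked after failed logons: someone is guessing this password"))
            if name == "SAP*" and not uflag & ADMIN_LOCK:
                findings.append((client, name, "HIGH",
                                 "SAP* exists but is not locked by an administrator"))
            elif name != "SAP*" and not uflag & (ADMIN_LOCK | FAILED_LOGON_LOCK):
                findings.append((client, name, "INFO",
                                 "active standard user: confirm the password is not the default and its use is documented"))
    return findings


# Constructed sample data (not taken from a real system)
SAMPLE_PROFILE = """\
# constructed DEFAULT.PFL fragment
SAPSYSTEMNAME = DEV
login/no_automatic_user_sapstar = 0
login/min_password_lng = 8
"""
SAMPLE_CLIENTS = ["000", "100", "200"]  # would come from table T000
SAMPLE_USR02 = """\
MANDT,BNAME,UFLAG
000,SAP*,64
000,DDIC,0
000,SAPCPIC,64
000,TMSADM,0
100,SAP*,0
100,DDIC,128
100,SAPCPIC,64
"""

if __name__ == "__main__":
    for client, user, sev, msg in check_standard_users(SAMPLE_PROFILE, SAMPLE_CLIENTS, SAMPLE_USR02):
        print(f"{sev:8} client {client:3} {user:8} {msg}")
```

On the sample data the script reports the profile parameter, an unlocked SAP* in client 100, a DDIC in client 100 that was locked by failed logons (a sign that someone is trying the standard password), and client 200 with no SAP* master record at all, which, combined with the parameter value 0, means SAP*/PASS works there. Setting the parameter to 1 downgrades the last case from CRITICAL to MEDIUM, since SAP still recommends creating and locking SAP* in every client.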
Have you checked your systems yet? Check your S/4HANA systems as well! Any doubts?