SAP Risk With SAP System Supplied Super Users

The SAP system has four default users that come with every SAP system. The four standard super users are SAP*, DDIC, Earlywatch, and SAPCPIC. These users should be strictly secured by the SAP Security Administrator. The Basis and Security Administrators will be the only users who know and have access to these two users.


SAP* is the user that is set up in every client install or copy. Because this user is written into the SAP code, it is also the only user that does not have a user master record. This user also has complete access to the entire SAP system.

SAP* has the profiles SAP_ALL and SAP_NEW and is controlled by Basis. The following tasks should be completed in order to properly secure this ID: (program RSUSR003 can be used to determine if the default password has been changed)

1. Change the password because the original password is highly publicized.

2. Create a user master record for SAP*.

3. Ensure SAP* is assigned to the user group SUPER to warn against deletion or modification of the user master record.

The SAP* user must always have a user master record in all clients otherwise the hard-coded password for SAP* prevails.

SAP_ALL and SAP_NEW SAP Delivered Profiles

SAP_ALL and SAP_NEW are system profiles provided by SAP. They contain unrestricted authorizations for the entire system, including the Basis system and all the applications. These profiles WILL NOT be given to any dialog user on the production system, however some BASIS functions may require this and should be evaluated case by case basis


User DDIC is a SAP supplied identifier that comes standard with every system. Unlike SAP*, this user has a defined user master record. DDIC has special privileges relating to the data dictionary in SAP and it’s the only user allowed to log in during a system upgrade. Therefore, this user must be secured against misuse or unauthorized access. This user may be needed for running jobs via UNIX (i.e. unsuccessful transports will require this user ID). The following steps should be performed to mitigate the risk of user DDIC:

1. Change the password because the original password is highly publicized.

2. Ensure DDIC is assigned to the user group SUPER.

One person should be appointed as DDIC Administrator (Basis or ABAP/4 team member). Any changes that need to be made to the Data Dictionary will be sent to this person and he/she will be responsible for updating the Data Dictionary and it’s associated documentation. The Basis team will serve as backup DDIC Administrator.


This ID is used by SAP to analyze the system. They usually use this ID once a year to run a report which give them data on how the system is functioning. Usually this ID has SAP_ALL and SAP_NEW


This is a communication ID and should be given the profile S_A.CPIC. This ID does not need, nor will it have, SAP_ALL and SAP_NEW.