cancel
Showing results for 
Search instead for 
Did you mean: 

SAP* & ddic user

Former Member
0 Kudos

Hi All,

Sometimes I get very confused with sap* & ddic user.When I should use sap* only & not ddic & viceversa??What tasks can we perform with sap* but not with ddic??

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
0 Kudos

Hi All,

Can I create and use ddic user in my new clients, or should I use it just in clients 000 and 001?

Thanks in advance..

MERAL

Former Member
0 Kudos

Hi,

I would recommend you to copy DDIC user and create by separate name.

Hope this helps.

Manoj

Former Member
0 Kudos

Thanks for your recommendation but in fact I want to learn that if there exists a rule saying "ddic must only exist in clients 000 and 001, you musn't create it in new clients" in terms of security and general SAP approach.

Former Member
0 Kudos

Thanks to All..

Former Member
0 Kudos

Hello

Forgot to mention that Also check the value for the parameter login/no_automatic_user_sapstar in the instance profile.This has a default value 1 but should be set to 0 for such a scenario.

I don't think SAP* would be visible in SU01 since it has the default settings.Once you make customizations , only then you will get it in the SU01 screen.

Former Member
0 Kudos

"I don't think SAP* would be visible in SU01 since it has the default settings.Once you make customizations , only then you will get it in the SU01 screen" This is the problem I am having..Why SAP* would not be visible in SU01 though I have logged in with sap* user id??

Former Member
0 Kudos

HI

SAP* has 2 functionalities over the DDIC user..

1. Whenever performing the client copy first time,the user SAP* is used.

2. If in case due to some accident, you lose all the login accounts for the system,you can login by SAPafter deleting the user from the USR02 table through the OS level. The database would be needed to restart to get the new setting into effect. Doing this,would set the SAP user with the default password PASS.

Regards

Chen

Former Member
0 Kudos

Hi,

The SAP system has a default superuser, SAP, in the clients 000 and 001. A user master record is defined for SAP when the system is installed. However, SAP* is programmed in the system and does not require a user master record.

If you delete the SAP* user master record and log on again as SAP* with initial password PASS, then SAP* has the following attributes:

· The user is not subject to authorization checks and therefore has all authorizations.

· The user has the password "PASS", which cannot be changed.

If you want to deactivate the special properties of SAP, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is set, then SAP has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.

You should set the parameter in the global system profile, DEFAULT.PFL, so that it is effective in all instances of an SAP system. You should ensure that there is a user master record for SAP* even if you set the parameter. Otherwise, resetting the parameter to the value 0 would once again allow you to log on with SAP*, the password u201DPASSu201D and unrestricted system authorizations.

If a user master record exists for SAP*, it behaves like a normal user. It is subject to authorization checks and its password can be changed.

-- Kishore

JPReyes
Active Contributor
0 Kudos

You should not use either of them... first thing you need to do is create a new user for yourself and then proceed.

You should only use SAP* as first logon then usually most companies lock the user as a security measure.

Regards

Juan

Former Member
0 Kudos

Thanks for the suggestion..But still I need to know the differences between sap* & ddic user..When sap* can be used but not ddic & vice versa..

JPReyes
Active Contributor
Former Member
0 Kudos

Thanks Juan..It has helped me a lot..The last question regarding sap.I can login to my dev client 520 or 530 with sap & password pass.But when I am going to su01 & type sap* in client 520 or 530 it is saying sap* does not exist.How this is so??If I can login with sap* to the clients then why it is saying it does not exist??