Solved: SAP* does not exist

Former Member · ‎08-13-2007

Hello

we are going to create a new Client in an existing SAP System.

I have already defined the Client in SCC4.

But because of the paremeter login/no_automatic_user_sapstar set to 1 the SAP* was not created.

How can I start creating that new Client without logging into that brand new Client with SAP*?!

Thank you

best regards

Nesimi

Former Member · ‎08-14-2007

Hi Nesimi,

Following information might help you in getting a clear picture of sap* user.

Securing User SAP* Against Misuse

The SAP System has a default superuser, SAP, in the clients 000 and 001. A user master record is defined for SAP when the system is installed. However, SAP* is programmed in the system and does not require a user master record.

If you delete the SAP* user master record and log on again as SAP* with initial password PASS, then SAP* has the following attributes:

The user is not subject to authorization checks and therefore has all authorizations.

The user has the password "PASS", which cannot be changed.

If you want to deactivate the special properties of SAP, set the system profile parameter login/no_automatic_user_sapstar to a value greater than zero. If the parameter is set, then SAP has no special default properties. If there is no SAP* user master record, then SAP* cannot be used to log on.

You should set the parameter in the global system profile, DEFAULT.PFL, so that it is effective in all instances of an SAP System. You should ensure that there is a user master record for SAP* even if you set the parameter. Otherwise, resetting the parameter to the value 0 would once again allow you to log on with SAP*, the password "PASS" and unrestricted system authorizations.

See Profile maintenance for system profile parameter details.

If a user master record exists for SAP*, it behaves like a normal user. It is subject to authorization checks and its password can be changed.

Deactivating User SAP*

As SAP* is a known superuser, SAP recommends that you deactivate it and replace it with your own superuser. In the SAP* user master record, you should proceed as follows:

Create a user master record for SAP* in all new clients and in client 066.

Assign a new password to SAP* in clients 000 and 001.

Delete all profiles from the SAP* profile list so that it has no authorizations.

Ensure that SAP* is assigned to the user group SUPER to prevent accidental deletion or modification of the user master record.

The SUPER user group has a special status in the predefined user profiles. The users that are assigned to group SUPER can be maintained or deleted only by the new superuser that you define, provided that:

you use the predefined profiles, and

you follow SAP's other user and authorization maintenance recommendations.

Defining a New Superuser

To define a superuser to replace SAP*, you need only give a user the SAP_ALL profile. SAP_ALL contains all SAP R/3 authorizations, including new authorizations released in the SAP_NEW profile.

SAP_NEW assures upward compatibility of authorizations. The profile ensures that users are not inconvenienced when a release or update includes new authorization checks for functions that were previously unprotected.

markus_doehr2 · ‎08-13-2007

SAP* is no real user, it's a hard compiled kernel user. It gets created when you initially logon to the system.

If you have logged out yourself from your system, you can delete the user in the particular client with database tools and you can again logon with SAP*.

Set the parameter to 0, shutdown and restart the instance, and you will be able to logon with SAP*.

--

Markus

SAP* does not exist

Accepted Solutions (1)

Accepted Solutions (1)

Answers (1)

Answers (1)

Re: CAP: How to properly pass parameters to a View...

sap-approuter-userapi calling the route from ui x...

Re: SAC Story : Recent n Dates calculation

SAC Import Job for Month End

Re: Disrupted screen after S4 2023 upgrade