One of the easiest and most common ways to hack SAP system is to make the connection with the use of default passwords. Some of them are well-known and some are not (for example TMSADM). All the users who have default passwords are very powerful.
So if you think that you are a great GRC expert and seek to secure your SAP environment to solve 5-dimensional cross-system SoD conflicts, there is something you must do right now – change these passwords:
SAP*:06071992 or PASS clients: 000 001 066 and custom
DDIC:19920706 clients: 000 001 066 and custom
SAPCPIC:ADMIN clients: 000 001 and custom
EARLYWATCH:support clients: 066
TMSADM:password clients: 000 001
P.S. If you think that this is a well-known issue and everybody has already changed it, you are mistaken. Every time at all security assessments I come across at least one system with those passwords.