diff --git a/roles/sap_swpm/defaults/main.yml b/roles/sap_swpm/defaults/main.yml
index 5ab134ff..f56156df 100644
--- a/roles/sap_swpm/defaults/main.yml
+++ b/roles/sap_swpm/defaults/main.yml
@@ -231,9 +231,14 @@ sap_swpm_java_scs_instance_hostname: ""
 sap_swpm_master_password:
 
 # New Install - define DDIC 000 password
-# Restore - DDIC 000 password from backup
+#  If not set, DDIC will be set to the master password
+# Restore - DDIC 000 password from
 sap_swpm_ddic_000_password:
 
+# New Install - define SAP* 000 password
+#  If not set, SAP* will be set to the master password
+sap_swpm_sapstar_000_password:
+
 # initial = not an HA setup
 # set this in the input file when installing ascs, ers to indicate an HA setup
 sap_swpm_virtual_hostname: "initial"
diff --git a/roles/sap_swpm/templates/configfile.j2 b/roles/sap_swpm/templates/configfile.j2
index e71291e1..f107f1cc 100644
--- a/roles/sap_swpm/templates/configfile.j2
+++ b/roles/sap_swpm/templates/configfile.j2
@@ -254,6 +254,25 @@ HDB_Userstore.useABAPSSFS = false
 # NW_HDB_DBClient.checkCreateUserstore = true
 # NW_HDB_DBClient.clientPathStrategy = LOCAL
 {% endif %}
+{% if sap_swpm_ddic_000_password | d('',true) | length > 0 %}
+
+######
+# newinstall_ddic_000_password_not_master
+######
+# Are the passwords for the DDIC users different from the default value?
+NW_CI_Instance_ABAP_Reports.ddic000Password = {{ sap_swpm_ddic_000_password }}
+NW_CI_Instance_ABAP_Reports.needNewDDIC000Password = true
+{% endif %}
+{% if sap_swpm_sapstar_000_password | d('',true) | length > 0 %}
+
+######
+# newinstall_sapstar_000_password_not_master
+######
+# Are the passwords for the SAP* users different from the default value?
+NW_CI_Instance_ABAP_Reports.ddic000Password = 
+NW_CI_Instance_ABAP_Reports.needNewSapStar000Password = true
+NW_CI_Instance_ABAP_Reports.sapStar000Password = {{ sap_swpm_sapstar_000_password }}
+{% endif %}
 {% if 'credentials_syscopy' in sap_swpm_inifile_list %}
 
 ######