The user can do this themselves in SU3. Or the program can force them to ask for a parameter value even if not initial.
But user parameters should not be used for meaningful security ideally and only defaults and preferences which the user can influence. Unfortunately this is not the case in all applications.
J* applications also have a special meaning. Much like /xx/ namespaces. They can dodge SAP's own QA checks, so you might want to report it to SAP or the vendor.
Cheers,
Julius
