
SAP_ALL assigned to SAP*

Former Member
0 Kudos

Hi there,

What is the risk of assigning the SAP_ALL profile to the SAP* (star) account?

It is my understanding that it is good practice to have no roles or profiles assigned to the SAP* star account?

Thank you. 

3 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

the risk is that somebody will misuse this user. Hence it's a good idea to remove all authorizations from this user and lock it in every client. The problem with this user is that it used to be created with a default password. Another issue is that this account does not need to have a user master record in the client. In that case you can log on with password "pass" and you get full authorization. This behavior is by default turned off but it used to be turned on.

Cheers

0 Kudos

Hi Martin, thanks for the feedback, appreciate it.

But if SAP* already has full access to the SAP system, then what difference will adding the SAP_ALL profile make in terms of access to the system?

0 Kudos

Hi,

SAP* has full access if there is no user master record for SAP* in the client. So if you delete user SAP* then the system lets you log on as SAP* with password "pass" and gives you full authorization. This behavior is turned off by default. It used to be turned on. The reason for this feature is the need for an emergency user if all admins forgot their passwords.

Cheers
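
The per-client check the replies describe (master record present, locked, no authorizations, built-in logon switched off) can be written as audit logic; this is an added example, not part of the thread or any SAP tooling. The `SapStarState` records, the function names and the sample clients are constructed for illustration, and the input is assumed to come from a user export you already have.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SapStarState:
    """State of SAP* in one client (hypothetical record, filled from an export)."""
    client: str
    has_master_record: bool
    locked: bool = False
    profiles: tuple = ()

def audit_sap_star(state, builtin_logon_disabled):
    """Return findings for SAP* in one client.

    builtin_logon_disabled is the system-wide switch the replies say is off by
    default. In SAP systems this is the profile parameter
    login/no_automatic_user_sapstar (not named in the thread).
    """
    findings = []
    if not state.has_master_record:
        # Without a master record the built-in user is what answers the logon.
        if builtin_logon_disabled:
            findings.append("no master record; protected only by the system-wide switch")
        else:
            findings.append("no master record; built-in SAP* logon gives full authorization")
        return findings
    if not state.locked:
        findings.append("master record exists but is not locked")
    if state.profiles:
        findings.append("authorizations still assigned: " + ", ".join(state.profiles))
    return findings

def audit_system(states, builtin_logon_disabled):
    """Audit every client; an empty list means SAP* is in the recommended state."""
    return {s.client: audit_sap_star(s, builtin_logon_disabled) for s in states}

# Constructed sample data: three clients in different states.
SAMPLE = [
    SapStarState("000", True, locked=True),
    SapStarState("001", True, locked=False, profiles=("SAP_ALL",)),
    SapStarState("100", False),
]

if __name__ == "__main__":
    for client, findings in audit_system(SAMPLE, builtin_logon_disabled=True).items():
        print(client, findings or ["ok"])
```
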