05-14-2012 9:27 AM
Hi there,
What is the risk of assigning the SAP_ALL profile to the SAP* (star) account?
It is my understanding that it is good practice to have no roles or profiles assigned to the SAP* star account?
Thank you.
05-14-2012 11:43 AM
Hi,
the risk is that somebody will misuse this user. Hence it's a good idea to remove all authorizations from this user and lock it in every client. The problem with this user is that it used to be created with a default password. Another issue is that this account does not need to have a user master record in the client. In that case you can log on with password "pass" and you get full authorization. This behavior is turned off by default, but it used to be turned on.
Cheers
05-14-2012 12:04 PM
Hi Martin, thanks for the feedback, appreciate it.
But if SAP* already has full access to the SAP system, then what difference will adding the SAP_ALL profile make in terms of access to the system?
05-14-2012 12:49 PM
Hi,
SAP* has full access if there is no user master record for SAP* in the client. So if you delete user SAP*, the system lets you log on as SAP* with password "pass" and gives you full authorization. This behavior is turned off by default. It used to be turned on. The reason for this feature is the need for an emergency user if all admins forget their passwords.
Cheers
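
An added example, not part of the original thread: a small audit that applies the advice above (SAP* present, locked and without profiles in every client) to an exported user list. The record layout and sample data are constructed for illustration; the switch for the automatic SAP* logon is assumed to be the profile parameter `login/no_automatic_user_sapstar`, which the thread does not name.

```python
from dataclasses import dataclass, field

@dataclass
class UserRecord:  # hypothetical export layout, not an SAP table definition
    client: str
    user: str
    locked: bool
    profiles: list = field(default_factory=list)

def audit_sap_star(clients, records, no_automatic_sapstar):
    """Return (client, finding) tuples for SAP* in each client.

    no_automatic_sapstar: value of login/no_automatic_user_sapstar
    (assumption: "1" means the automatic SAP* logon is switched off).
    """
    by_client = {r.client: r for r in records if r.user == "SAP*"}
    findings = []
    for client in clients:
        rec = by_client.get(client)
        if rec is None:
            # No user master record: the built-in SAP* logon described
            # in the thread applies unless the parameter disables it.
            if no_automatic_sapstar != "1":
                findings.append((client, "NO_RECORD_AUTOMATIC_LOGON_ENABLED"))
            else:
                findings.append((client, "NO_RECORD_RELIES_ON_PARAMETER"))
            continue
        if not rec.locked:
            findings.append((client, "NOT_LOCKED"))
        if rec.profiles:
            findings.append((client, "PROFILES_ASSIGNED:" + ",".join(rec.profiles)))
    return findings

# Constructed sample data: client 100 has no SAP* record at all.
SAMPLE_CLIENTS = ["000", "001", "100", "200"]
SAMPLE_RECORDS = [
    UserRecord("000", "SAP*", locked=True),
    UserRecord("001", "SAP*", locked=False, profiles=["SAP_ALL"]),
    UserRecord("200", "SAP*", locked=True, profiles=["SAP_ALL"]),
    UserRecord("200", "DDIC", locked=False, profiles=["SAP_ALL"]),
]

if __name__ == "__main__":
    for client, finding in audit_sap_star(SAMPLE_CLIENTS, SAMPLE_RECORDS, "0"):
        print(client, finding)
```
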