SAP Security Risks - System Users

In many of the SAP security guides and OSS notes, SAP states that system users should be restricted to the minimum permissions needed to perform their approved activities. Assigning SAP_ALL or SAP_NEW is great for debugging, but a risk in a production environment. What are the associated risks? How can they be exploited? (ODBC connections, portal access, RFC connections, Visual Basic apps, Excel) Is the risk limited to the developers of the application also creating additional functionality for downloading data, displaying sensitive information, etc.?
