Authorization concepts in SAP systems
Conclusion
SAP*: The SAP* user is part of the SAP kernel, and since it is hard-coded in the SAP system, it does not require a user master set. If there is no user master set for SAP*, anyone can log on to the SAP system after rebooting with this user, as the default password will then apply. The user thus has access to all functions, since Authority Checks in this case do not take effect. You can prevent this behaviour by setting the login/no_automatic_user_sapstar profile parameter to 1. If you want to copy clients, you have to set this parameter to 0 again before you do so, because the user SAP* is required for this. Safeguard measures: Despite the parameter setting, the SAP user should have a user master set in all clients. However, you should remove all profiles and lock the user. In addition, change the password, assign the user to the SUPER user group, and log it with the Security Audit Log.
You assign a reference user to a dialogue user by registering the reference user for additional rights in the SU01 transaction on the Roles tab in the Reference User field. If you are using Central User Administration (ZBV), the assignment applies to all connected systems. If the reference user does not exist in one of the systems, the mapping is ignored. However, the use of reference users also creates risks. This makes it easier to summarise permissions because it is difficult to keep track of the assigned permissions. In SAP NetWeaver AS ABAP 7.0 and above, reference users are considered in the reports of the user information system.
Customise Permissions After Upgrade
All external services with their suggested values can be viewed or maintained in the transaction SU24. Access to external services or all CRM functions and data within CRM functions is realised via PFCG roles. To create these PFCG roles, you must first create a role menu. To do this, run the report CRMD_UI_ROLE_PREPARE. You can specify either the name of the CRM Business Role (User Role) or the name of the assigned PFCG role. It is also important that you specify the language in which the PFCG role will be maintained in the appropriate field.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
You can also find some useful tips from practice on the subject of SAP authorizations on the page "www.sap-corner.de".
However, you should not use this user for them, nor for batch processes, but you must create other users for these applications.