From what I've seen, it generally works kind of like web services. You define one user that's used to interact between the two systems and all security is handled via those credentials.
I'd try to find out a bit more on what credentials you can use to authenticate yourself to the SAP server and see what you can do with that.
If the password of SAP changes, my guess is that you need to change the password in the Modeler (or at least in the runtime configuration file) as well.
I believe the case is that individual users have different permissions within SAP. It sounds like you require one user for the SAP connection from Mendix; however, this would of course permit the same actions in SAP for each Mendix user.
So the conclusion is ... the SAP user roles must be mirrored in Mendix to restrict functionality within the Mendix app? Else somehow map the user to the corresponding SAP user and retrieve permissible actions?
Sorry I don't have more details yet ... wanted to have some idea when talking to our potential partner again.