RFC interfaces
Adjust tax audit read permissions for each fiscal year
The IF_IDENTITY interface of the CL_IDENTITY class provides various methods for maintaining the fields of the user master record. As a template for the implementation of the BAdIs, you can use the CL_EXM_IM_IDENTITY_SU01_CREATE implementation example, which automatically populates the SU01 transaction's surname, space number, phone, email address, user group, billing number, and cost centre fields. This example implementation does not provide an external data source; the user name is set as the last name and fixed values are used for the other fields. At this point, you must complete the implementation, depending on your requirements. There are several possible data sources for the user master data that you can access from the BAdI.
The assignment of combinations of critical authorizations (e.g., posting an invoice and starting a payment run), commonly known as "segregation of duties conflicts," must also be reviewed and, if necessary, clarified with those responsible in the business departments as to why these exist in the system. If compensating controls have been implemented for this purpose, it is helpful if the IT department also knows about this so that it can name these controls to the IT auditor. The IT auditor can then pass this information on to his or her auditor colleagues.
Full verification of user group permissions when creating the user
You can use the Security Audit Log to control security-related events. Learn how to configure it to monitor the operations that are relevant to you. You want to use the Security Audit Log to monitor certain security-related operations or particularly well-authorised users in the SAP system. For example, you can log failed RFC calls system-wide, delete users, or log all activities of the default user, DDIC. For these loggers you need different recording filters and, if necessary, the possibility to select generic clients or users. Therefore, we will show you the settings you can make when configuring the Security Audit Log.
Standard users such as SAP* or DDIC should also be implemented correctly in accordance with the authorization concept or SAP's recommendations. An important preparatory action here is to check whether the passwords have been changed for all standard users.
If you get into the situation that authorizations are required that were not considered in the role concept, "Shortcut for SAP systems" allows you to assign the complete authorization for the respective authorization object.
A clear role concept enables a modular structure of authorizations without having to create separate roles for each user.
However, there is also the situation that eligibility fields are collected at organisational levels.