Compensating measures for segregation of duties conflicts
Copy the user from the Clipboard to the Transaction SU10 selection
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.
An overview of the actual relevant information for your system landscape can be obtained from the application System recommendations in the Change Management section of the SAP Solution Manager (transaction SOLMAN_WORKCENTER or SM_WORKCENTER). This application will provide you with a recommendation for the SAP and non-SAP hints to be implemented for the evaluated systems.
Implementing the authorization concept in the FIORI interface
For this very reason, there is a solution to automate the checking of authorizations with regard to critical authorizations and segregation of duties by means of tool support. This gives the authorization administrators more time to correct any errors that occur instead of having to search for them first.
Use the RSUSR003 standard report (or RSUSR003 transaction) to validate the default users for initial passwords and ensure the security policies associated with those users. You can define and use your own layout on the home page. After the report is executed, you will be presented with an overview of the existing standard users in the different companies. This includes the password status, a lock flag, the reasons for the lock, the number of false logins, the user validity periods and the security policies associated with the users. The security policy appears to help you understand whether these users are subject to special login or password rules.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
Since identical passwords are often used for different systems, the determined password may also be usable for downstream systems.
You can also find some useful tips from practice on the subject of SAP authorizations on the page www.sap-corner.de.
For more tips on how to use this trace, see Tip 32, "Maintain permission values using trace evaluations," and Tip 39, "Maintain suggestion values using trace evaluations.".