Security within the development system
Extend permission checks for documents in FI
This advanced functionality of the transaction SU53 is delivered via a patch. Please refer to SAP Note 1671117 for more information on the required support packages and technical background. Unsuccessful permission checks are now written to a ring buffer of the application server's Shared Memories. This will allow you to view failed permission checks in Web Dynpro applications or other user interfaces, which was not previously possible. Depending on the size of the ring buffer and system usage, up to 100 failed permissions checks per user can be displayed for the last three hours. The size of the ring buffer is calculated from the number of defined work processes. By default, 100 permission checks can be saved per workprocess. You can adjust this size using the auth/su53_buffer_entries profile parameter.
In practice, the main problem is the definition of content: The BMF letter remains very vague here with the wording "tax relevant data". In addition, there is the challenge of limiting access to the audited financial years.
User and authorization management
When displaying or posting receipts in SAP Finance, are the standard eligibility checks insufficient? Use document validation, BTEs, or BAdIs for additional permission checks. The posting of documents, and often their display, is protected by standard permission checks; but they may not meet your requirements.
Structural authorizations work with SAP HCM Organizational Management and define who can be seen, but not what can be seen. This is done based on evaluation paths in the org tree. Structural authorizations should therefore only be used together with general authorizations. Just like the general authorizations in SAP ECC HR, they enable regulated access to data in time-dependent structures. An authorization profile is used to determine the authorization. In addition, it is defined how the search is carried out on the org tree.
Assigning a role for a limited period of time is done in seconds with "Shortcut for SAP systems" and allows you to quickly continue your go-live.
The website www.sap-corner.de offers a lot of useful information about SAP authorizations.
So, if you want to protect yourself against the access of passwords during the transfer, you have to set up an encryption of this communication yourself.
We need a test configuration for this.