
RFC user profile

Former Member
0 Kudos

Hello,

We are on SRM 5 and our RFC user to our backend is SAP_ALL.

But for Sarbanes-Oxley control we can't keep this SAP_ALL for this user.

Does someone know which profile or authorization we have to give to the RFC user?

Thanks

Accepted Solutions (0)

Answers (5)


Former Member
0 Kudos

Hi Eileen

You might be successful with a trace in order to find out what values you have to enter in S_RFC authorization.

Our RFC users are all defined with user type 'system' or 'communication' including SAP_ALL profile. Then we have a compensating control - job which runs monthly to check whether user type has been changed to dialog. SOX has no problem with that.

As far as I understand SOX, it is not them saying you mustn't use *, but they want you to be aware that there is an RFC user with this critical authorization. SOX might also accept the following: Clearly document for which purpose you use the user and why you have to give *. Further to this you should set up a compensating control if you are not able to restrict it.

Hope this helps.

Regards,

Corinne

PS: thanks for points
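
The monthly compensating control described in the answer above, sketched as an added example (not code from the thread or from SAP): it flags any SAP_ALL holder that has no documented purpose or whose user type is no longer system or communication. It assumes CSV exports of tables USR02 (BNAME, USTYP) and UST04 (BNAME, PROFILE); the user names and the purpose register are constructed.

```python
import csv
import io

# Constructed sample data, shaped like exports of tables USR02 (user master)
# and UST04 (user-to-profile assignment). User names are made up.
USR02_CSV = """BNAME,USTYP
RFC_SRM_PO,B
RFC_SRM_REQ,A
JSMITH,A
RFC_OLD,C
"""
UST04_CSV = """BNAME,PROFILE
RFC_SRM_PO,SAP_ALL
RFC_SRM_REQ,SAP_ALL
JSMITH,SAP_ALL
RFC_OLD,Z_RFC_RESTRICTED
"""
# Hypothetical register of documented RFC users and their stated purpose.
DOCUMENTED = {
    "RFC_SRM_PO": "SRM to backend: purchase orders",
    "RFC_SRM_REQ": "SRM to backend: purchase requisitions",
}
NON_INTERACTIVE = {"B", "C"}  # USTYP: B = system, C = communication


def load(text):
    """Parse CSV text into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review(usr02_csv, ust04_csv, documented, critical="SAP_ALL"):
    """Return sorted (user, finding) pairs for the monthly control."""
    user_type = {r["BNAME"]: r["USTYP"] for r in load(usr02_csv)}
    holders = {r["BNAME"] for r in load(ust04_csv) if r["PROFILE"] == critical}
    findings = []
    for user in sorted(holders):
        ustyp = user_type.get(user)  # None if the user is missing from USR02
        if user not in documented:
            findings.append((user, f"{critical} without documented purpose"))
        elif ustyp not in NON_INTERACTIVE:
            findings.append((user, f"{critical} with user type {ustyp!r}"))
    return findings


if __name__ == "__main__":
    for user, finding in review(USR02_CSV, UST04_CSV, DOCUMENTED):
        print(f"{user}: {finding}")
```
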

Former Member
0 Kudos

In fact we created a specific role with the authorization for creating Purchase Order and purchase requisition.

This is for the RFC user which is declared in our backend.

So we add to his role the authorization object S_RFC but we don't know which values we have to fill in RFC_NAME.

We fill the RFC_TYPE with 'FUGR' but we can't make * for RFC_NAME and don't know what to add...

Former Member
0 Kudos

Hi,

I am putting the same information as per the note mentioned by Yann (for those who don't have access to that note).

Solution

1. The RFC user should be created as a background user in the back-end system.

2. If you do not want to use profile SAP_ALL for safety reasons, you can create your own profile with restricted basis authorizations:

Call Transaction PFCG for the role maintenance and create your own role.

In the role, go to the 'Authorizations' tab and choose 'Change Authorization Data'.

Do not select ANY template on the dialog box.

Choose menu option 'Edit -> Insert authorization(s) -> Full authorization' and confirm the dialog box 'Insert all authorizations' with 'Yes'.

Choose menu option 'Utilities -> Technical names on'.

For object class 'Basis Administration' (BC_A), set the following authorization objects to inactive:

System authorizations (S_ADMI_FCD)

Authorizations: Check for roles (S_USER_AGR)

User master maintenance: Authorizations (S_USER_AUT)

User master maintenance: User groups (S_USER_GRP)

Authorizations: Deactivate authorization objects globally (S_USER_OBJ)

User master maintenance: Authorization profile (S_USER_PRO)

Users: System specific assignment authorization checks (S_USER_SAS)

User master maintenance: System for central user maintenance (S_USER_SYS)

Authorizations: Transactions in roles (S_USER_TCD)

Authorizations: Field values in roles (S_USER_VAL)

For object class 'Basis Development Environment' (BC_C), set the following authorization objects to inactive:

ABAP Workbench (S_DEVELOP)

Authorization for documentation maintenance via SE61 (S_DOKU_AUT)

Maintenance of glossary and terminology objects (S_TERM_AUT)

Authorization object for translation environment (S_TRANSLAT)

Transport Organizer (S_TRANSPRT)

Generate and save the authorizations, profiles and role.

3. Assign the new role to your RFC user by using Transaction SU01.

Cheers...

Santosh

Former Member
0 Kudos

Hi,

Check

http://help.sap.com/saphelp_erp2005vp/helpdata/en/84/d3eb4190966024e10000000a1550b0/frameset.htm

Authorisations are: S_RFC, S_RFCACL, S_RFC_ADM

Regards,

Marcin Gajewski

yann_bouillut
Active Contributor
0 Kudos

Hi,

Please read OSS note 642202.

Kind regards,

Yann