on 01-24-2007 9:31 AM
Hello,
We are on SRM 5 and our RFC user to our backend is SAP_ALL.
But for Sarbanes-Oxley controls we can't keep SAP_ALL for this user.
Does someone know which profile or authorization we have to give to the RFC user?
Thanks
Hi Eileen
You might be successful with a trace in order to find out what values you have to enter in the S_RFC authorization.
Our RFC users are all defined with user type 'system' or 'communication' including the SAP_ALL profile. Then we have a compensating control: a job which runs monthly to check whether the user type has been changed to dialog. SOX has no problem with that.
As far as I understand SOX, it is not them saying you mustn't use *, but they want you to be aware that there is an RFC user with this critical authorization. SOX might also accept the following: clearly document for which purpose you use the user and why you have to give *. Further to this, you should set up a compensating control if you are not able to restrict it.
Hope this helps.
Regards,
Corinne
PS: thanks for points
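
The compensating control described in the reply above (a periodic check that SAP_ALL users are still of type system or communication), as an added example that is not part of the original thread. It assumes CSV exports of tables USR02 (user type) and UST04 (profile assignments); the user names and rows are constructed.

```python
import csv
import io

# USR02.USTYP codes: A = dialog, B = system, C = communication, S = service, L = reference
ALLOWED_TYPES = {"B", "C"}          # the types the reply accepts for SAP_ALL RFC users
CRITICAL_PROFILES = {"SAP_ALL"}

# Constructed sample exports (assumed format: CSV download of USR02 and UST04).
USR02_CSV = """BNAME,USTYP
RFC_SRM_EBP,B
RFC_SRM_OLD,A
JSMITH,A
RFC_BW,C
"""
UST04_CSV = """BNAME,PROFILE
RFC_SRM_EBP,SAP_ALL
RFC_SRM_OLD,SAP_ALL
JSMITH,Z_BUYER
RFC_BW,SAP_ALL
RFC_GHOST,SAP_ALL
"""

def load(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def find_violations(usr02_rows, ust04_rows):
    """Return sorted (user, profile, user_type) for critical profiles held by
    users that are not of type system or communication."""
    user_type = {r["BNAME"].strip().upper(): r["USTYP"].strip().upper()
                 for r in usr02_rows}
    findings = []
    for r in ust04_rows:
        user, profile = r["BNAME"].strip().upper(), r["PROFILE"].strip().upper()
        if profile not in CRITICAL_PROFILES:
            continue
        # "?" marks a profile assignment with no matching user master row
        ustyp = user_type.get(user, "?")
        if ustyp not in ALLOWED_TYPES:
            findings.append((user, profile, ustyp))
    return sorted(findings)

if __name__ == "__main__":
    for user, profile, ustyp in find_violations(load(USR02_CSV), load(UST04_CSV)):
        print(f"VIOLATION {user}: {profile} with user type {ustyp!r}")
```

A non-empty result is the evidence the control exists to catch: a user whose type was changed to dialog while it still holds SAP_ALL, or an assignment that no longer maps to a known user.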
In fact we created a specific role with the authorization for creating Purchase Order and purchase requisition.
This is for the RFC user which is declared in our backend.
So we added the authorization object S_RFC to its role, but we don't know which values we have to fill in for RFC_NAME.
We filled RFC_TYPE with 'FUGR', but we can't use * for RFC_NAME and don't know what to add...
Hi,
I am putting the same information as per the note mentioned by Yann (for those who don't have access to that note).
Solution
1. The RFC user should be created as a background user in the back-end system.
2. If you do not want to use profile SAP_ALL for safety reasons, you can create your own profile with restricted basis authorizations:
   - Call Transaction PFCG for the role maintenance and create your own role.
   - In the role, go to the 'Authorizations' tab and choose 'Change Authorization Data'.
   - Do not select ANY template on the dialog box.
   - Choose menu option 'Edit -> Insert authorization(s) -> Full authorization' and confirm the dialog box 'Insert all authorizations' with 'Yes'.
   - Choose menu option 'Utilities -> Technical names on'.
   - For object class 'Basis Administration' (BC_A), set the following authorization objects to inactive:
       System authorizations (S_ADMI_FCD)
       Authorizations: Check for roles (S_USER_AGR)
       User master maintenance: Authorizations (S_USER_AUT)
       User master maintenance: User groups (S_USER_GRP)
       Authorizations: Deactivate authorization objects globally (S_USER_OBJ)
       User master maintenance: Authorization profile (S_USER_PRO)
       Users: System specific assignment authorization checks (S_USER_SAS)
       User master maintenance: System for central user maintenance (S_USER_SYS)
       Authorizations: Transactions in roles (S_USER_TCD)
       Authorizations: Field values in roles (S_USER_VAL)
   - For object class 'Basis Development Environment' (BC_C), set the following authorization objects to inactive:
       ABAP Workbench (S_DEVELOP)
       Authorization for documentation maintenance via SE61 (S_DOKU_AUT)
       Maintenance of glossary and terminology objects (S_TERM_AUT)
       Authorization object for translation environment (S_TRANSLAT)
       Transport Organizer (S_TRANSPRT)
   - Generate and save the authorizations, profiles and role.
3. Assign the new role to your RFC user by using Transaction SU01.
Cheers...
Santosh
Hi,
Check
http://help.sap.com/saphelp_erp2005vp/helpdata/en/84/d3eb4190966024e10000000a1550b0/frameset.htm
Authorisations are: S_RFC, S_RFCACL, S_RFC_ADM
Regards,
Marcin Gajewski
Hi,
Please read OSS note 642202.
Kind regards,
Yann