Compensating measures for segregation of duties conflicts
Permissions with status
In practice, the main problem is the definition of content: the BMF letter remains very vague here, speaking only of "tax-relevant data". A further challenge is limiting access to the financial years under audit.
You can also use transaction SU53 to view failed authorization checks centrally. Open the transaction and choose Permissions > Other Users (or press F5) to reach the user selection. Enter the user whose authorization checks failed in the field of the same name. The results list then shows the failed authorization checks for the selected user, in our example the missing authorization to display table AGR_1251. Note that more than one authorization object can appear in this evaluation.
Rebuilding the authorization concept
Authorization: An authorization allows a user to perform a specific activity in the SAP system, based on a set of authorization object field values. Authorizations thus define which actions users may perform within the system.
The daily business of an authorization administrator includes the checks and analyses of critical authorizations and critical combinations in the system. The focus is on users and roles in the respective clients and system lines. The SAP standard report RSUSR008_009_NEW is suitable for this purpose. You must first create the corresponding check variants and authorization values for critical authorizations or combinations, either in the program itself or via transaction SU_VCUSRVARCOM_CHAN. These variants encode your internal and external security guidelines. You can then run the report with your chosen check scope and the corresponding critical authorization or combination variant and see in which roles or users such violations exist. This protects your entire IT system landscape and should be carried out periodically.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
For the Client and User selection criteria, you can use generic values, i.e. you can select all clients or users that meet specific naming criteria (e.g., Client 10* or User SOS_*).
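As an added example, not SAP code and not from the page's author, the following Python script mirrors the logic behind RSUSR008_009_NEW check variants on constructed data: critical authorizations and critical combinations are defined as lines of authorization object, field and required value and evaluated against each user's effective authorizations (the union of the authorizations in the user's roles), and the client and user selection accepts generic patterns such as 10* or SOS_*, as described above. The authorization objects and field names are standard SAP names, but the roles, users, values and check variants are constructed sample data; the value matching is simplified to wildcard matching and does not implement SAP's full range logic.

```python
"""Offline check of critical authorizations and critical combinations.

Added example (not SAP's RSUSR008_009_NEW itself): the same idea, check
variants evaluated over users' effective authorizations, on constructed data.
"""
from fnmatch import fnmatchcase

# Constructed sample: authorizations contained in each role, as
# (authorization object, {field: value}). A value may be generic ('*', 'S*').
ROLE_AUTHS = {
    "Z_FI_INVOICE_ENTRY": [
        ("S_TCODE", {"TCD": "FB60"}),
        ("F_BKPF_BUK", {"ACTVT": "01", "BUKRS": "1000"}),
    ],
    "Z_FI_PAYMENT_RUN": [
        ("S_TCODE", {"TCD": "F110"}),
        ("F_REGU_BUK", {"FBTCH": "21", "BUKRS": "1000"}),
    ],
    "Z_BASIS_USER_ADMIN": [
        ("S_TCODE", {"TCD": "SU01"}),
        ("S_USER_GRP", {"ACTVT": "*", "CLASS": "*"}),
    ],
    "Z_DISPLAY_ONLY": [
        ("S_TCODE", {"TCD": "S*"}),
        ("S_USER_GRP", {"ACTVT": "03", "CLASS": "*"}),
    ],
}

# Constructed sample: (client, user, assigned roles).
USERS = [
    ("100", "SOS_ADMIN", ["Z_BASIS_USER_ADMIN"]),
    ("100", "SOS_CLERK", ["Z_FI_INVOICE_ENTRY", "Z_FI_PAYMENT_RUN"]),
    ("200", "AUDITOR", ["Z_DISPLAY_ONLY"]),
    ("100", "JDOE", ["Z_FI_INVOICE_ENTRY"]),
]

# Constructed check variants. A critical authorization is a list of
# (object, field, required value) lines that must all be covered; a critical
# combination is a list of such authorizations that must all be covered.
CRITICAL_AUTHS = {
    "USER_ADMIN_FULL": [("S_USER_GRP", "ACTVT", "02")],
}
CRITICAL_COMBINATIONS = {
    "INVOICE_AND_PAYMENT": [
        [("S_TCODE", "TCD", "FB60"), ("F_BKPF_BUK", "ACTVT", "01")],
        [("S_TCODE", "TCD", "F110"), ("F_REGU_BUK", "FBTCH", "21")],
    ],
}


def value_covers(assigned: str, required: str) -> bool:
    """Simplified SAP-style matching: '*' in the assigned value is generic."""
    return fnmatchcase(required, assigned)


def effective_auths(roles):
    """Union of the authorizations of all assigned roles."""
    auths = []
    for role in roles:
        auths.extend(ROLE_AUTHS.get(role, []))
    return auths


def satisfies(auths, lines):
    """True if, for every object in the check lines, one single authorization
    instance of that object covers all required field values."""
    by_obj = {}
    for obj, fld, val in lines:
        by_obj.setdefault(obj, []).append((fld, val))
    for obj, required in by_obj.items():
        if not any(
            a_obj == obj
            and all(fld in a_fields and value_covers(a_fields[fld], val)
                    for fld, val in required)
            for a_obj, a_fields in auths
        ):
            return False
    return True


def findings_for(auths):
    """Names of critical authorizations and combinations covered by auths."""
    out = []
    for name, lines in CRITICAL_AUTHS.items():
        if satisfies(auths, lines):
            out.append(("CRITICAL_AUTH", name))
    for name, parts in CRITICAL_COMBINATIONS.items():
        if all(satisfies(auths, part) for part in parts):
            out.append(("CRITICAL_COMBINATION", name))
    return out


def run_check(client_pattern="*", user_pattern="*"):
    """User-level check; client and user selection accept generic patterns."""
    findings = []
    for client, user, roles in USERS:
        if not (fnmatchcase(client, client_pattern)
                and fnmatchcase(user, user_pattern)):
            continue
        for kind, name in findings_for(effective_auths(roles)):
            findings.append((client, user, kind, name))
    return findings


def run_role_check():
    """Role-level check: each role evaluated on its own."""
    return [(role, kind, name)
            for role, auths in ROLE_AUTHS.items()
            for kind, name in findings_for(auths)]


if __name__ == "__main__":
    for row in run_role_check():
        print("ROLE", *row)
    for row in run_check("10*", "SOS_*"):
        print("USER", *row)
```

Running the role-level and user-level checks side by side shows the typical segregation-of-duties picture: the invoice-and-payment combination appears for no single role, only for the user who holds both roles, which is why the report is run for both roles and users.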
In practice, however, users frequently ended up with far too many authorizations, so the system was not compliant.