Analyse and evaluate permissions using SAP Query
Read the old state and match with the new data
The security audit log is evaluated via the SM20 or SM20N transaction or the RSAU_SELECT_EVENTS report. We recommend using the report as you have more options to personalise the evaluation and to include archived logs of different application servers in the evaluation.
SAP_AUDITOR_TAX Collector Role: The SAP_AUDITOR_TAX collection role is made up of module-specific individual rolls and can be seen as a proposal for the read-only role of the tax inspectors (see SAP Note 445148 for details on this role). The transactions and reports included in the SAP_AUDITOR_TAX collection role have been expanded to include additional checks that define the audit period. Some of the transactions and reports included in the SAP_AUDITOR_TAX collection role have also been expanded to include a logging of the call parameters to allow the taxpayer to better understand the auditor's audit trades.
Adjust tax audit read permissions for each fiscal year
A major advantage of SAP SuccessFactors is flexibility. Different project teams can implement and use several modules, processes or add-ons in a short time. The processes can be optimized again and again. A central basis for extensively digitized processes are structured specifications that regulate system access and control access rights. In this context, SAP offers the concept of role-based authorizations. Role-based SAP authorizations grant different groups of people different options for action and views in the system, e.g., regulate access to salary data. Role-based authorizations are flexible and facilitate global implementations of SAP SuccessFactors, e.g. in different national companies. Once implemented, roles and their authorizations can be quickly rolled out to the new region. The roles do not have to be completely reconfigured each time. Slight adjustments are all that is required.
For the ABAP stack, authorization profiles can be created either manually or by using the profile generator. However, the use of the profile generator is strongly recommended, since manual administration usually results in misconfigurations of authorizations. The profile generator guarantees that users only receive the authorizations assigned by their role. Concepts, processes and workflows must therefore be adapted to the use of the profile generator. There is no choice for the Java stack; here the J2EE authorization mechanism must be used. The User Management Engine offers options that go beyond the J2EE standard.
During go-live, the assignment of necessary authorizations is particularly time-critical. The "Shortcut for SAP systems" application provides functions for this purpose, so that the go-live does not get bogged down because of missing authorizations.
Changes to access rights take effect for all users who have entered the profile in the master record.
The use of reference users reduces the number of entries per user in the user buffer, i.e. in the USRBF2 table.