For the password aspect, you can consider using trusted RFC for the internal connection and then encrypt the data being sent to the bank. In the trusted RFC case, you control the access via authorizations in the target system and not a password in the source.
Which leads into the second aspect... if your basis folks are not responsible for any role maintenance (e.g. in production...) you can switch their access to display for user and role maintenance.
Of course, you will meet some resistance when doing this...
My recommendation would be to compensate the "anything can happen and basis always has to solve it..." scenarios with an emergency user procedure. There are a number of cool and less cool ways of going about this so that during "normal" operations the access to roles is restricted.
Cheers,
Julius
ps: Do not close this thread by just posting "s". The comment field is not mandatory! I deleted some of your recent posts of this type and there are some nasty mails in your inbox which the system sends automatically. Please read them.
Edited by: Julius Bussche on Nov 2, 2009 10:12 PM
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.