7/4/2014 SAP Security Audit Guidelines - SAP Security easy way to learn sap security!
http://sapsecurityanalyst.com/WP/sap-security-audit-guidelines-part-i
SAP Security Audit Guidelines Part I

In this post we discuss some of the basic SAP Security audit guidelines. Since each
company has its own business requirements and business processes, the audit
guidelines may differ slightly from company to company. The points discussed in this
post and in the subsequent post on security audit (SAP Security Audit Guidelines Part
II) cover, more or less, the basic points that need to be taken care of during an SAP
Security audit.
SAP role administrators and compliance managers should follow these guidelines while
preparing for the SAP system audit:
(1) The status of the SAP standard user IDs should be checked using report RSUSR003.
The SAP standard user IDs are SAP*, DDIC, EARLYWATCH and SAPCPIC. From an audit
point of view, none of these user IDs may still carry its default password. RSUSR003
reports, per client, whether each standard user exists, whether its password is still
the default and whether the user is locked.
The default passwords of the SAP standard user IDs are as follows:
User ID       Default password
SAP*          06071992
DDIC          19920607
EARLYWATCH    SUPPORT
SAPCPIC       ADMIN

(2) The Security Audit Log should be properly configured. It is configured using
transaction code SM19, and certain profile parameters need to be set before the audit
log records anything. Static filter profiles maintained in SM19 only become active
after the instance has been restarted; dynamic filters can be switched on at runtime
but do not survive a restart.
The parameters are:
rsau/enable                     The value must be set to 1 (audit log switched on).
rsau/max_diskspace/per_day or   Either of the two can be set; it limits the size of
rsau/max_diskspace/per_file     the audit log files.
rsau/selection_slots            Number of filters that can be defined, one per type
                                of event to be logged (e.g. a filter for RFC function
                                calls, a filter for transactions and reports executed
                                by users, etc.).
The logs that are generated can be viewed using transaction code SM20. SM20 shows the
entries according to the filters that were set (which transaction or report was
executed by which user at what time, etc.). It also gives one very important piece of
information: from which terminal the transactions were executed.
Old logs can be deleted using transaction code SM18. This access should be restricted
to the Basis team only.
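SM20 is normally read in the GUI, but the checks an auditor actually repeats (activity of the standard user IDs, failed-logon bursts, use of SM18 by non-Basis users, and which terminal each user came from) are easy to run offline over a text export. The script below is an added example and not code from the original post or the site; the tab-separated sample is constructed, and its column order (date, time, client, user, terminal, transaction, message) and message wording are assumptions about the export format, not a documented layout.

```python
"""Triage of a Security Audit Log extract exported from SM20 (added example).

The tab-separated sample below is constructed. Column order and message
wording are assumptions about the export, not a documented format.
"""
from collections import Counter, defaultdict

# Standard user IDs named in the post; any activity by them needs an explanation.
STANDARD_USERS = {"SAP*", "DDIC", "EARLYWATCH", "SAPCPIC"}

COLUMNS = ("date", "time", "client", "user", "terminal", "tcode", "message")

SAMPLE_EXPORT = """\
20140704\t08:01:12\t100\tJSMITH\tWS-1021\tSE16\tTransaction SE16 started
20140704\t08:02:40\t100\tSAP*\tWS-7777\t\tLogon successful (type=A)
20140704\t08:03:05\t100\tDDIC\tWS-7777\tSE06\tTransaction SE06 started
20140704\t08:05:51\t100\tJSMITH\tWS-1021\t\tLogon failed (reason=1, type=A)
20140704\t08:05:58\t100\tJSMITH\tWS-1021\t\tLogon failed (reason=1, type=A)
20140704\t08:06:10\t100\tJSMITH\tWS-1021\t\tLogon failed (reason=1, type=A)
20140704\t08:10:00\t100\tBASIS01\tWS-3300\tSM18\tTransaction SM18 started
"""


def parse_sm20(text):
    """Turn the export into a list of dicts, one per audit log entry."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected column count: {line!r}")
        events.append(dict(zip(COLUMNS, fields)))
    return events


def standard_user_activity(events):
    """Every entry produced by SAP*, DDIC, EARLYWATCH or SAPCPIC."""
    return [e for e in events if e["user"] in STANDARD_USERS]


def failed_logon_bursts(events, threshold=3):
    """Users whose failed logons reach the threshold (compare login/fails_to_user_lock)."""
    failed = Counter(
        e["user"] for e in events if e["message"].lower().startswith("logon failed")
    )
    return {user: n for user, n in failed.items() if n >= threshold}


def restricted_tcode_use(events, tcodes, allowed_users):
    """Entries where a restricted transaction (e.g. SM18) was started by a user
    outside the allowed set (e.g. the Basis team)."""
    return [e for e in events if e["tcode"] in tcodes and e["user"] not in allowed_users]


def terminals_per_user(events):
    """Terminals each user worked from; the post stresses this as key audit evidence."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["terminal"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_sm20(SAMPLE_EXPORT)
    for e in standard_user_activity(evs):
        print("standard user:", e["user"], e["time"], e["terminal"], e["message"])
    print("failed logon bursts:", failed_logon_bursts(evs))
    print("SM18 outside Basis:", restricted_tcode_use(evs, {"SM18"}, {"BASIS01"}))
    print("terminals:", terminals_per_user(evs))
```

The threshold for failed_logon_bursts should be taken from the system's own login/fails_to_user_lock value so that the offline check flags exactly the attempts that would have locked the user.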
(3) Maintaining user groups: It is a best practice to maintain user groups. User
groups are created using transaction code SUGR and assigned to users in SU01. User
groups are very helpful because they identify whether a user is a business user, an IT
user, a system user, etc., and to some extent they indicate the responsibilities a user
is supposed to have. They are also the unit by which user administration can be
restricted (authorization object S_USER_GRP), so an administrator of the BUSINESS group
cannot maintain users in the BASIS or SUPER group.
Some possible user groups are as follows (names can be chosen as convenient):
BASIS           Basis team members
SECURITY        Security team members
MM, SD, FI etc. IT production support users belonging to the respective functional modules
BUSINESS        Business users
ESS             Users who log in through the portal
CANCEL          Cancelled users
INACTIVE        Inactive users
SYSTEM          Users of type System
SUPER           Super users like SAP*, DDIC, etc.

(4) Table logging: There are certain tables for which table logging should be enabled
in the production system. The technical settings of such tables need to have "Log data
changes" switched on. Transaction code SE13 can be used to verify whether table logging
is enabled for a given table. Table DD09L can also be queried with the condition LOG =
'X' to get an overview of all tables for which table logging is enabled. The change
records for these tables are stored in table DBTABLOG and can be displayed with
transaction SCU3. Note that the flag in the technical settings alone is not enough:
records are written to DBTABLOG only if the profile parameter rec/client (see point 5)
has table logging switched on for the client.

(5) Maintaining proper values for profile parameters: Profile parameter values must be
maintained as per best practice so as to satisfy the security audit requirements. Below
are examples of some such profile parameters. The effective values can be checked with
transaction RZ11 (single parameter) or report RSPARAM (all parameters). For the time
limits and counters, a value of 0 switches the check off and is therefore not
acceptable.
Profile parameter                   Description                                                  Expected value
login/min_password_lng              Minimum length of the password a user must enter             8
login/password_expiration_time      Number of days after which a password expires                90
login/password_max_idle_productive  Maximum number of days a productive password (one chosen     60
                                    by the user) remains valid if it is not used
login/password_max_idle_initial     Maximum number of days an initial password remains valid     7
                                    if it is not used
login/fails_to_session_end          Number of invalid logon attempts until the session ends      3
rdisp/gui_auto_logout               Maximum idle time in seconds after which a GUI session is    3600
                                    logged off automatically
login/fails_to_user_lock            Number of invalid logon attempts until the user is locked    5
login/no_automatic_user_sapstar     Controls the kernel's built-in SAP* user (password PASS),    1
                                    which can otherwise log on when the SAP* user master
                                    record has been deleted; 1 disables the automatic user
rec/client                          Activates or deactivates table logging per client            ALL, which means table
                                                                                                 logging is activated
                                                                                                 in all clients
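The parameter expectations from point 5, together with the rsau/* parameters from point 2, can be checked mechanically against an instance or default profile (or a text dump of the effective values) rather than one by one in RZ11. The script below is an added example, not code from the original post or the site; the policy encoding, the WEAK/NOT SET wording and the sample profile are constructed for illustration. Two details matter in practice: a parameter that is absent from the profile runs on the kernel default and is reported as NOT SET rather than assumed compliant, and for the time limits a value of 0 means "no limit" and is treated as a failure.

```python
"""Check SAP profile parameters against the audit expectations above (added example).

Parses `parameter = value` lines of a profile and reports each parameter as
OK, WEAK or NOT SET. The sample profile below is constructed.
"""
import re

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; blank lines and '#' comments are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def at_least(minimum):
    """Numeric value must be >= minimum."""
    def check(v):
        n = _int(v)
        return n is not None and n >= minimum
    return check


def positive_at_most(maximum):
    """Numeric value must be 1..maximum; 0 switches the limit off, so it fails."""
    def check(v):
        n = _int(v)
        return n is not None and 1 <= n <= maximum
    return check


def equals(expected):
    """Case-insensitive exact match."""
    return lambda v: v.strip().upper() == expected.upper()


def logging_active(v):
    """rec/client: ALL or a client list such as 100,200; OFF and empty fail."""
    v = v.strip().upper()
    return bool(v) and v != "OFF"


# (check, human-readable expectation) for each parameter named in the post.
POLICY = {
    "login/min_password_lng": (at_least(8), ">= 8"),
    "login/password_expiration_time": (positive_at_most(90), "1..90 days"),
    "login/password_max_idle_productive": (positive_at_most(60), "1..60 days"),
    "login/password_max_idle_initial": (positive_at_most(7), "1..7 days"),
    "login/fails_to_session_end": (positive_at_most(3), "1..3"),
    "login/fails_to_user_lock": (positive_at_most(5), "1..5"),
    "rdisp/gui_auto_logout": (positive_at_most(3600), "1..3600 seconds"),
    "login/no_automatic_user_sapstar": (equals("1"), "1"),
    "rec/client": (logging_active, "ALL (or the productive clients)"),
    "rsau/enable": (equals("1"), "1"),
    "rsau/selection_slots": (at_least(1), ">= 1 filter slot"),
}

DISKSPACE_PARAMS = ("rsau/max_diskspace/per_day", "rsau/max_diskspace/per_file")


def audit_profile(text):
    """Return {parameter: (status, detail)} for every parameter in POLICY."""
    params = parse_profile(text)
    findings = {}
    for name, (check, expected) in POLICY.items():
        if name not in params:
            findings[name] = ("NOT SET", f"kernel default applies; expected {expected}")
        elif check(params[name]):
            findings[name] = ("OK", params[name])
        else:
            findings[name] = ("WEAK", f"{params[name]} (expected {expected})")
    # The post accepts either sizing parameter for the audit log files.
    present = [p for p in DISKSPACE_PARAMS if params.get(p, "").strip() not in ("", "0")]
    findings["rsau/max_diskspace"] = (
        ("OK", ", ".join(present)) if present else ("NOT SET", "set per_day or per_file")
    )
    return findings


# Constructed sample: a production instance profile with three weak settings.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = PRD
# Logon and password policy
login/min_password_lng = 6
login/password_expiration_time = 0
login/password_max_idle_productive = 60
login/password_max_idle_initial = 7
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 3600
login/no_automatic_user_sapstar = 1
rec/client = OFF
# Security Audit Log
rsau/enable = 1
rsau/selection_slots = 5
rsau/max_diskspace/per_day = 50M
"""

if __name__ == "__main__":
    for name, (status, detail) in sorted(audit_profile(SAMPLE_PROFILE).items()):
        print(f"{status:<7} {name:<38} {detail}")
```

Run against the sample it reports login/min_password_lng, login/password_expiration_time (0 = never expires) and rec/client (OFF) as WEAK and everything else as OK; feeding it an empty file shows every parameter as NOT SET, which is the reminder to confirm the kernel defaults in RZ11 rather than ticking the box.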


(6) System and client change options:

The following system change options should be set for the production environment. They
are set using transaction code SE06 (System Change Option):
Global Setting: Not Modifiable
Software Component: Not Modifiable
Namespace / Name Range: Not Modifiable
The following client settings should be set in the production environment (transaction
code SCC4):
Client Role: Production
Changes and Transports for Client-Specific Objects: No changes allowed
Cross-Client Object Changes: No changes to Repository and cross-client Customizing objects
CATT and eCATT Restrictions: eCATT and CATT not allowed

Audit is a never-ending topic, and we could go on discussing security audit concepts at
length. We will discuss some other very important points in our next post on SAP
Security Audit Guidelines.

Comments

Keisha Forrest-Meek (Kingston, Jamaica), January 28 at 10:26am:
This is a new window for me...great!

Selva Kumar (SAP GRC 10.0 Lead Consultant), September 28, 2013 at 5:23am:
We can automate all your SAP Compliance needs: http://www.auditbots.com/products/

Dev Bharat (Senior Software Engineer at Igate Patni), October 17, 2013 at 1:41am:
Hi, please post SAP security implementation documents.

Rayala Seema, April 17 at 4:32pm:
What are the things to be observed in the DBTABLOG table, and what is the difference
between the DBTABLOG and DBTABPRT tables?

Sap Security (reply), April 19 at 12:19am:
DBTABPRT was used before release 4.0. Archiving of the logs can be done for DBTABLOG.
Logging needs to be enabled for the respective table for table logs to be stored in
DBTABLOG.

Pradeep Kumar Mishra (Indian Statistical Institute, Kolkata), May 20 at 8:24am:
Nice coverage. Please continue the good work.