Thursday, May 23, 2013

Top Ten Methods to Monitor Your SAP Roles for SAP Audit Compliance

The SAP system ships with a number of standard reports (ABAP/4 programs) that give a detailed analysis of the security configuration and can be used to monitor it for SAP audit compliance. The reviews below can be run in two ways: by executing the named report directly through transaction SE38 or SA38, or through the User Information System (transaction SUIM), which wraps the same reports.

Objective: For every system, evaluate the key security-related system profile parameters.

Report: RSPARAM Frequency: Monthly

The parameter values should be set according to the SAP Security Administration Standard Operating Procedures defined by the organization. In addition, the values should be consistent across all SAP systems in the landscape; any difference between systems should be explained and documented.
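One way to turn this review into a repeatable check, as an added example that is not part of the original post: parse an RSPARAM-style export from each system, compare the effective value of each login/* parameter against a baseline, and flag parameters that differ between systems. The export format here is a constructed, simplified three-column version of what RSPARAM lists (parameter, user-defined value, system default), and the baseline values are assumptions standing in for an organization's own standard, not SAP defaults.

```python
"""Compare RSPARAM-style parameter exports from several SAP systems against a
baseline of security-relevant profile parameters.

Added example, not from the original post. The export format is a constructed,
simplified version of the RSPARAM list (parameter, user-defined value, system
default, tab-separated); the baseline values are assumed, not SAP defaults.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample exports for two systems (not real system data).
EXPORTS = {
    "DEV": """\
login/min_password_lng\t8\t6
login/fails_to_user_lock\t5\t5
login/password_expiration_time\t90\t0
login/no_automatic_user_sapstar\t1\t1
rdisp/gui_auto_logout\t1800\t0
""",
    "PRD": """\
login/min_password_lng\t\t6
login/fails_to_user_lock\t12\t5
login/password_expiration_time\t90\t0
login/no_automatic_user_sapstar\t0\t1
rdisp/gui_auto_logout\t1800\t0
""",
}


@dataclass
class Rule:
    check: Callable[[int], bool]   # True when the effective value is acceptable
    expected: str                  # human-readable requirement for the finding text


# Assumed organizational baseline (hypothetical values, adjust to the SOP).
BASELINE: Dict[str, Rule] = {
    "login/min_password_lng": Rule(lambda v: v >= 8, ">= 8"),
    "login/fails_to_user_lock": Rule(lambda v: 1 <= v <= 5, "between 1 and 5"),
    "login/password_expiration_time": Rule(lambda v: 1 <= v <= 90, "between 1 and 90"),
    "login/no_automatic_user_sapstar": Rule(lambda v: v == 1, "= 1"),
    "rdisp/gui_auto_logout": Rule(lambda v: 1 <= v <= 1800, "between 1 and 1800"),
}


def parse_export(text: str) -> Dict[str, int]:
    """Return parameter -> effective value. An empty user-defined column means the
    parameter is not set in the profile, so the system default is what is in force."""
    effective: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, user_val, default_val = line.split("\t")
        effective[name] = int(user_val if user_val.strip() else default_val)
    return effective


def check_system(sid: str, text: str) -> List[str]:
    """Findings for one system: baseline violations and parameters missing from the export."""
    values = parse_export(text)
    findings = []
    for param, rule in BASELINE.items():
        if param not in values:
            findings.append(f"{sid}: {param} not in export")
        elif not rule.check(values[param]):
            findings.append(f"{sid}: {param}={values[param]} (expected {rule.expected})")
    return findings


def check_consistency(exports: Dict[str, str]) -> List[str]:
    """Parameters whose effective value is not the same in every system."""
    parsed = {sid: parse_export(t) for sid, t in exports.items()}
    findings = []
    for param in BASELINE:
        seen = {sid: vals.get(param) for sid, vals in parsed.items()}
        if len(set(seen.values())) > 1:
            findings.append(f"{param} differs across systems: {seen}")
    return findings


def run(exports: Dict[str, str] = EXPORTS) -> Tuple[List[str], List[str]]:
    violations = [f for sid, t in exports.items() for f in check_system(sid, t)]
    return violations, check_consistency(exports)


if __name__ == "__main__":
    violations, differences = run()
    for finding in violations + differences:
        print(finding)
```

The empty user-defined column is the case worth noticing: an unset parameter is not "missing", it silently takes the system default (6 for login/min_password_lng in the constructed PRD export), which is why the check resolves the effective value before comparing.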

Objective: Ensure that security administration access is correctly limited to Security Team members as defined in the guidelines and procedures.

Report: RSUSR040 Frequency: Bi-weekly

Review the users who hold the authorization objects S_USER_GRP, S_USER_AUT and S_USER_PRO. These objects should be restricted to the Basis and Security Administration teams. The Basis team should have display access only, plus the ability to reset passwords for all user groups except SUPER and Security. These objects grant access to user and authorization administration functions; no non-technical user should hold them.

Objective: Ensure that access to the security transactions is correctly secured.

Report: RSUSR010 Frequency: Monthly

Check who has transactional access to security administration. Execute report RSUSR010 and look for the transactions PFCG, SU01, SU02, SU03 and SU05, which control the profile generator, user maintenance, profile maintenance, authorization maintenance and Internet user maintenance respectively. Any user outside the SAP security team with access to these transactions should be treated as a red flag. Check the S_TCODE values as well as the listed transactions, since a generic value such as SU* covers SU01 through SU05.

Objective: Ensure table access is correctly set up.

Report: RSUSR040 Frequency: Monthly

Access to table maintenance should be agreed with the Basis team, and table access should coincide with the ability to perform configuration. Review the users who have table access, both client-independent (cross-client) and client-dependent, through the authorization objects S_TABU_CLI and S_TABU_DIS. Client-independent table access should be restricted to the Sandbox and Configuration Master clients.
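The three reviews above (security authorization objects, security transactions, and table maintenance access) can be expressed as one rule set run over a flat user-authorization extract. The following is an added example, not code from the original post: it reads a constructed extract of the shape that can be built from RSUSR040/SUIM output (user, user group, object, field, value), resolves SAP generic values such as * and SU*, and reports users whose group is not allowed to hold what they hold. The group names (SECURITY, BASIS, HELPDESK, FINANCE) and the activities the Basis team may keep on S_USER_GRP are assumptions standing in for an organization's own policy.

```python
"""Flag users who hold security-administration authorizations outside the
groups allowed to hold them.

Added example, not from the original post. The extract is constructed; the
group names and the activity set allowed for the Basis team are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample extract (not real user data), one line per field value:
# user, user group, authorization object, field, value.
EXTRACT = """\
SECADM1\tSECURITY\tS_USER_GRP\tACTVT\t*
SECADM1\tSECURITY\tS_USER_GRP\tCLASS\t*
SECADM1\tSECURITY\tS_TCODE\tTCD\tSU01
SECADM1\tSECURITY\tS_TCODE\tTCD\tPFCG
BASIS1\tBASIS\tS_USER_GRP\tACTVT\t03
BASIS1\tBASIS\tS_USER_GRP\tACTVT\t05
BASIS1\tBASIS\tS_USER_GRP\tCLASS\t*
BASIS1\tBASIS\tS_TCODE\tTCD\tSU01
BASIS1\tBASIS\tS_TABU_CLI\tCLIIDMAINT\tX
HELPDESK1\tHELPDESK\tS_USER_GRP\tACTVT\t02
HELPDESK1\tHELPDESK\tS_USER_GRP\tCLASS\tENDUSER
HELPDESK1\tHELPDESK\tS_TCODE\tTCD\tSU*
FIUSER1\tFINANCE\tS_TCODE\tTCD\tFB01
FIUSER1\tFINANCE\tS_TABU_DIS\tDICBERCLS\tFC*
"""

SEC_ADMIN_OBJECTS = {"S_USER_GRP", "S_USER_AUT", "S_USER_PRO"}
SEC_ADMIN_TCODES = {"PFCG", "SU01", "SU02", "SU03", "SU05"}
PROTECTED_GROUPS = {"SUPER", "SECURITY"}   # user groups the Basis team may not administer
BASIS_ALLOWED_ACTVT = {"03", "05"}         # assumption: display, lock/unlock and password reset


def value_matches(pattern: str, value: str) -> bool:
    """SAP generic authorization value: '*' alone matches anything, a trailing '*' is a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def parse_extract(text: str) -> Dict[str, dict]:
    """user -> {'group': group, 'auth': {object: {field: {values}}}}"""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, group, obj, field, value = line.split("\t")
        entry = users.setdefault(user, {"group": group, "auth": defaultdict(lambda: defaultdict(set))})
        entry["auth"][obj][field].add(value)
    return users


def covered(patterns: Iterable[str], names: Iterable[str]) -> List[str]:
    """Which of the sensitive names are reachable through any of the user's field values."""
    pats = list(patterns)
    return sorted(n for n in names if any(value_matches(p, n) for p in pats))


def check_user(user: str, entry: dict) -> List[str]:
    group, auth = entry["group"], entry["auth"]
    findings: List[str] = []
    for obj in sorted(set(auth) & SEC_ADMIN_OBJECTS):
        if group == "SECURITY":
            continue
        if group != "BASIS":
            findings.append(f"{user} ({group}): holds {obj}")
            continue
        fields = auth[obj]
        extra = sorted(fields.get("ACTVT", set()) - BASIS_ALLOWED_ACTVT)
        if extra:
            findings.append(f"{user} ({group}): {obj} activities beyond display/reset: {extra}")
        hit = covered(fields.get("CLASS", set()), PROTECTED_GROUPS)
        if hit:
            findings.append(f"{user} ({group}): {obj} covers protected user groups {hit}")
    if group != "SECURITY":
        tcodes = covered(auth.get("S_TCODE", {}).get("TCD", set()), SEC_ADMIN_TCODES)
        if tcodes:
            findings.append(f"{user} ({group}): can start security transactions {tcodes}")
    if group != "BASIS" and "X" in auth.get("S_TABU_CLI", {}).get("CLIIDMAINT", set()):
        findings.append(f"{user} ({group}): cross-client table maintenance (S_TABU_CLI)")
    return findings


def run_checks(text: str = EXTRACT) -> List[str]:
    return [f for user, entry in parse_extract(text).items() for f in check_user(user, entry)]


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

Two of the constructed findings only appear because generic values are resolved rather than compared literally: the Basis user's CLASS value * reaches the SUPER and Security groups it is not supposed to administer, and the help-desk user's S_TCODE value SU* reaches SU01 through SU05 even though no security transaction is listed by name. The client in which S_TABU_CLI is held is not part of this extract, so the sandbox/configuration-master restriction has to be checked separately.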

Objective: Ensure that all users are assigned to the correct user group.

Report: RSUSR002 Frequency: Monthly

Review the users defined in all clients and systems. Each user should be assigned to a valid, pre-approved user group. Pay particular attention to users assigned to the Basis, Security and Help-desk groups, since the user group determines which administrators may maintain the user (S_USER_GRP is checked against it).

Objective: Ensure that the impermissible (illegal) password list is consistently implemented and meets the standard operating procedures.

Transaction: SE16 Frequency: Semi-yearly

Verify the contents of table USR40. This table holds the patterns for impermissible passwords; entries may use the wildcards * (any string) and ? (a single character). Check that the entries match the banned-password list in the standard operating procedures.
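The review is easier to do reliably with a small checker than by reading the table. The following is an added example, not code from the original post: it translates USR40 patterns into anchored regular expressions, tests candidate passwords against them, and lists the words from the organization's banned list that the table does not actually block. The USR40 entries and the banned list are constructed, and matching is treated as case-insensitive here, which is an assumption to adjust to the system's password case rules.

```python
"""Check candidate passwords against USR40-style impermissible-password
patterns and confirm the table covers the organization's banned list.

Added example, not from the original post. USR40 entries and the banned list
are constructed; '*' means any string and '?' exactly one character, and the
case-insensitive matching below is an assumption.
"""
import re
from typing import List

# Constructed USR40 content (not exported from a real system).
USR40 = ["PASS*", "*SAP*", "WELCOME?", "123456", "INIT????"]

# Constructed banned-password list from the (hypothetical) SOP.
BANNED_BY_SOP = ["password", "welcome1", "sapadmin", "init2013", "qwerty"]


def usr40_to_regex(pattern: str) -> re.Pattern:
    """Translate a USR40 pattern into an anchored regex; every other character is literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matching_entries(password: str, patterns: List[str] = USR40) -> List[str]:
    """All USR40 entries that would reject this password."""
    return [p for p in patterns if usr40_to_regex(p).match(password)]


def is_forbidden(password: str, patterns: List[str] = USR40) -> bool:
    return bool(matching_entries(password, patterns))


def not_covered(banned: List[str], patterns: List[str] = USR40) -> List[str]:
    """Banned words from the SOP that USR40 does not block, i.e. gaps to fix in the table."""
    return [w for w in banned if not is_forbidden(w, patterns)]


if __name__ == "__main__":
    for pw in ["Password1", "Welcome12", "mySAPpw"]:
        print(pw, "->", matching_entries(pw) or "allowed")
    print("SOP words still allowed:", not_covered(BANNED_BY_SOP))
```

Note how the single-character wildcard behaves: WELCOME? rejects "Welcome1" but not "Welcome12", so a pattern intended to catch a word plus any suffix needs a trailing * rather than a ?.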

Objective: Ensure SAP Profile Generator is correctly set up.

Transaction: SPRO Frequency: Semi-yearly

Review the configuration and activation of the SAP Profile Generator. Check the documentation in the Enterprise IMG to make sure that all configuration steps have been completed. This activity should concentrate on new systems.

Objective: Check for changed and manually inserted authorization objects in roles

Transaction: SE16 Frequency: Semi-yearly

Review the role authorization data (table AGR_1251) for authorization objects that were inserted manually or whose values were changed in the role instead of being proposed from SU24. This tells the security administrators which roles were built outside the security policy. It is good practice not to have roles containing manually inserted or changed authorization objects.

Objective: Look for updates to the transaction-to-authorization-object assignments maintained in transaction SU24

Transaction: SE16 Frequency: Monthly

Transaction SU24 should be maintained so that no authorization objects need to be added manually on the authorization tab of the profile generator. If a wrong authorization object or field value comes into the profile generator, it should be corrected only through SU24. That way only the correct (or blank) field values are proposed, the right values can be entered, and the proper authorizations are assigned. Monitoring changes to the customer tables behind SU24 (USOBT_C and USOBX_C) gives the SAP audit group a record of the configuration changes made to the transactions.

Objective: Role changes in the system

Transaction: SUIM Frequency: Monthly

Here the SAP audit compliance group is looking at the volume of changes made to roles. When the number of changes is unusually high, this gives an early warning that the change approvals need further analysis.
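"Unusually high" needs a baseline to be meaningful. The following is an added example, not code from the original post: it aggregates constructed role change records (change date, role, changed by), shaped like the rows of a role change-document list from SUIM, into monthly counts, flags months that stand out against the months before them, and shows which roles drove the spike so the approval review can start there. The spike rule (at least 10 changes and more than twice the median of the earlier months) is an assumed threshold, not an SAP setting.

```python
"""Summarize role-change volume per month and flag months that stand out
against the preceding months, then list the roles behind the spike.

Added example, not from the original post. Records are constructed; the spike
threshold (floor of 10 changes, more than 2x the median of earlier months) is
an assumption to tune to the landscape.
"""
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

# Constructed change volume per month and role (not real data); expanded below
# into one (change date, role, changed by) record per change.
_CONSTRUCTED = [
    ("2013-01", {"Z_FI_CLERK": 2, "Z_HR_ADMIN": 2}),
    ("2013-02", {"Z_FI_CLERK": 3, "Z_MM_BUYER": 2}),
    ("2013-03", {"Z_HR_ADMIN": 3}),
    ("2013-04", {"Z_FI_CLERK": 2, "Z_MM_BUYER": 4}),
    ("2013-05", {"Z_FI_CLERK": 9, "Z_HR_ADMIN": 3, "Z_SEC_ADMIN": 2}),
]
RECORDS: List[Tuple[str, str, str]] = [
    (f"{month}-{day + 1:02d}", role, "SECADM1")
    for month, roles in _CONSTRUCTED
    for role, n in roles.items()
    for day in range(n)
]


def monthly_counts(records: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """'YYYY-MM' -> number of role changes in that month, in chronological order."""
    return dict(sorted(Counter(d[:7] for d, _, _ in records).items()))


def spike_months(counts: Dict[str, int], floor: int = 10, factor: float = 2.0) -> List[str]:
    """Months whose volume is at least `floor` and more than `factor` times the
    median of all earlier months; the first month has no baseline and is never flagged."""
    months = sorted(counts)
    spikes = []
    for i, m in enumerate(months):
        prior = [counts[x] for x in months[:i]]
        if prior and counts[m] >= floor and counts[m] > factor * median(prior):
            spikes.append(m)
    return spikes


def roles_in_month(records: List[Tuple[str, str, str]], month: str) -> List[Tuple[str, int]]:
    """Roles changed in the month, most changed first, to steer the approval review."""
    return Counter(r for d, r, _ in records if d.startswith(month)).most_common()


def report(records: List[Tuple[str, str, str]] = RECORDS) -> Dict[str, List[Tuple[str, int]]]:
    counts = monthly_counts(records)
    return {m: roles_in_month(records, m) for m in spike_months(counts)}


if __name__ == "__main__":
    print(monthly_counts(RECORDS))
    for month, roles in report().items():
        print(f"spike in {month}: {roles}")
```

The median rather than the mean is used for the baseline so that one earlier busy month (a go-live, for instance) does not raise the bar for every month after it; the absolute floor keeps a jump from 2 changes to 5 from being reported as a spike.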
