5/24/2018 SAP Audit Information Approach
1/37
SAP Audit Information and Approach
Authorization Example
1. User Master Record
User: Frank W. Lons
Profile: Example
2. Profile: Example
Authorizations: ABAP
3. Authorization: ABAP
Object: S_Program
Fields / Values:
Program Group: *
Activity: SUBMIT, VARIANT
Authorization System:
1. Profiles: One or more assigned to a user
2. Objects: Must be unique names with one or more fields
3. Fields: Contain values for authority checking
4. Authorizations: Can have the same names, as they are physically linked to an object
Field group for an object has multiple values and can be shared across objects
Initial Defaults
1. Initial Clients
Client 000  Standard model
Client 001  Model for user defined clients (template)
2. Initial User IDs
SAP*  Default super user. A user master record is created during installation but it is not needed by SAP* to access the complete system. If the SAP* master record is deleted, the SAP* account has the following special privileges:
It is not subject to authorization checks and therefore has all authorizations
It has the password 'PASS', which cannot be changed without creating a new user master record.
To prevent deletion, assign the SAP* user to a group called SUPER, and only the super user should be able to maintain user group SUPER.
3. Initial Security Parameters
Parameters for user logon
login/min_password_lng
Minimum password length; the default is (3).
login/password_expiration_time
Number of days after which a password must be changed. The default is zero, which does not enforce password changes. Recommended value = 45.
login/fails_to_session_end
Number of times a user can enter an incorrect password before the system ends the login attempt. The default is (3).
login/fails_to_user_lock
Number of times a user can enter an incorrect password before the system locks the user against further logon attempts. The default is (12). Recommend (3). When a password is locked in this manner, it is automatically unlocked by the system at the start of the next day (midnight).
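The four logon parameters above can be checked mechanically against the shipped defaults and the recommended values listed on this page. This is an added example, not SAP code; the "name = value" profile syntax and the sample profile text are assumptions constructed for illustration.

```python
"""Audit SAP login/* profile parameters against the values listed above.

Added example, not SAP code. The 'name = value' profile syntax and the
sample profile below are assumptions constructed for illustration.
"""

# Shipped default and, where the page gives one, the recommended value.
LOGIN_PARAMETERS = {
    "login/min_password_lng":         {"default": 3,  "recommended": None},
    "login/password_expiration_time": {"default": 0,  "recommended": 45},
    "login/fails_to_session_end":     {"default": 3,  "recommended": None},
    "login/fails_to_user_lock":       {"default": 12, "recommended": 3},
}

# Constructed instance profile: one value left at its default, one parameter
# missing (so the default applies), one set above the recommendation.
SAMPLE_PROFILE = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = C11
login/min_password_lng = 3
login/fails_to_session_end = 3
login/fails_to_user_lock = 12
"""


def parse_profile(text):
    """Return {parameter: raw_value} from 'name = value' lines; '#' starts a comment."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def audit_login_parameters(params):
    """Map each login/* parameter to a finding string, or None when acceptable.

    A parameter absent from the profile is evaluated at its shipped default,
    because that is the value actually in force on the system.
    """
    findings = {}
    for name, rule in LOGIN_PARAMETERS.items():
        raw = params.get(name)
        if raw is None:
            value, explicit = rule["default"], False
        elif raw.isdigit():
            value, explicit = int(raw), True
        else:
            findings[name] = f"non-numeric value {raw!r} in profile"
            continue

        finding = None
        if name == "login/password_expiration_time":
            if value == 0:
                finding = "password changes are not enforced (value 0)"
            elif value > rule["recommended"]:
                finding = f"expiration {value} days exceeds recommended {rule['recommended']}"
        elif name == "login/fails_to_user_lock" and value > rule["recommended"]:
            finding = (f"{value} failed logons before lock exceeds recommended "
                       f"{rule['recommended']}; lock clears at midnight anyway")
        elif name == "login/min_password_lng" and value <= rule["default"]:
            finding = f"minimum password length {value} is the shipped default"

        if finding is not None and not explicit:
            finding += " (parameter not set, default applies)"
        findings[name] = finding
    return findings


if __name__ == "__main__":
    for name, finding in audit_login_parameters(parse_profile(SAMPLE_PROFILE)).items():
        print(f"{name}: {finding or 'OK'}")
```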
Adding Users
1. Each user must have a master record.
2. Each user master record refers to one or more profiles that determine the access rights for the user.
3. Master record contains:
User ID
Password
User groups
User type
Period of validity
References to authorization profiles
Master records can be deleted but it will affect the audit trail. It is better to lock the user's master record. Menu Path: Tools > Administration > User Maintenance > User > Lock/Unlock.
4. User Group
If a person is assigned to a user group, only the administrators who are authorized for that user group can alter user master records. If a user is not assigned to a group then any user administrator can alter the user master record.
Adding Profiles
Profiles and Authorizations exist in both maintenance and active versions. This allows updates to the maintenance version before it is activated, separating the maintenance and activation functions.
1. System Profiles
SAP Standard and Super User Profiles
S_A.SYSTEM  Unlimited access to all users, profiles, and authorizations
S_A.ADMIN  Authorizations for SAP system administration. This includes all authorizations except for:
  Maintenance of users in user group SUPER
  Maintenance of profiles and authorizations with names beginning 'S_A.'
S_A.CUSTOMIZ  Authorizations for use in the SAP Customizing system
S_A.DEVELOP  Authorizations for use in the SAP Development environment (excludes any user or profile authorizations)
S_A.USER  Basis system authorizations for end-users (e.g., S_Program, S_BDC_MONI, etc.)
2. Startup Profiles
Profile Name  Description
S_ABAP_ALL  All ABAP/4 authorizations
S_ADMI_ALL  All system administration functions
S_BDC_ALL  All batch input activities
S_BTCH_ALL  All batch processing authorizations
S_DDIC_ALL  DDIC: All authorizations
S_DDIC_SU  Data Dictionary: All authorizations
S_NUMBER  Number range maintenance: All authorizations
S_SCD0_ALL  Change documents: All authorizations
S_SCRP_ALL  All SAPscript text, styles, layout sets maintenance
S_SPOOL_ALL  All spool authorizations
S_SYST_ALL  All system authorizations
S_TABU_ALL  Standard table maintenance: All authorizations
S_TSKH_ALL  All system administration authorizations
S_USER_ALL  User maintenance: All authorizations
SAP_ALL  Provides unlimited access to maintain all SAP R/3 system authorizations, with the following exceptions:
  Maintenance of users in user group SUPER
  Maintenance of profiles and authorizations with names beginning S_USER
SAP_ANWEND  All SAP R/3 (excluding system) application authorizations
SAP_NEW  Provides unlimited access to all authorizations added with new releases of SAP R/3.
Z_ANWEND  All user authorizations (excluding B system)
3. Profiles and their associated authorization value sets are stored in USRxx tables.
Adding Authorizations
Authorization objects are used to check a user's authority to perform actions and access data in R/3. A user's action is approved only if the user passes the authorization test for each field listed in an object.
1. Authorization Objects
SAP contains a number of authorization objects that are used to restrict the ability of users to perform certain functions and access information. Authorization objects can contain up to ten authorization IDs representing such system elements as transactions, tables, fields, or programs.
A user is allowed access if their master record lists the object for which the authorization is being tested and the user passes the authorization test for each authorization ID.
An authorization value set is required for access: 02 = change.
Authorization Profiles are used to grant the authorization value sets to a user. The user master record refers to profiles and the profiles, in turn, refer to value sets that determine the access capabilities of the user.
New authorization objects can be created by Menu Path: System > Services > Table Maintenance. Merely creating a new object does not initiate any authorization checking. Either ABAPs need to be modified to test the new objects, or additional authorization checks need to be defined.
First assign an object class for the new object.
Next use AUTHORITY-CHECK for ABAP/4 programs.
Or add additional authorization checks to the TSTC (transaction table). Menu Path: System > Services > Table Maintenance.
2. Objects
Objects are defined in the system and contain one or more fields that are used to test user access.
3. Authorization Value Sets
Are lists of all values (for each field) for which a user is authorized.
Usually used to define tasks.
Profiles allocate the tasks (authorization value sets) to logical functions. These profiles are assigned to a physical user (master record).
4. Basis System Authorization Objects
Object / Fields / Uses

S_PROGRAM
  Fields: Program group, Activity
  Uses: ABAP/4 programs that may be run.
S_EDITOR
  Fields: Program group, Activity
  Uses: ABAP/4 programs that may be displayed or edited
ABAP/4 Query (S_QUERY)
  Fields: Activity
  Uses: Whether a user can run queries and whether the user can maintain ABAP/4 Query user groups
System Administration Functions
  Fields: Administration Functions
  Uses: A variety of system functions such as:
  1. Whether a user may enter a value interactively to pass an authorization test that he does not have authorization for in his user master record
  2. Access to the ABAP/4 Dictionary
  3. Access to the interface painter
  4. System trace authority
  5. Ability to add or delete additional authorization tests in the TSTC table
  6. Execute host operating system commands
Central Field Selection
  Fields: Activity, Authorization group
  Uses: Which ABAP/4 programs a user can use to dynamically alter attributes of fields
Table Maintenance
  Fields: Authorization class, Activity
  Uses: Authorize users to view and/or modify table contents
Batch Processing: Batch Administrator
  Fields: Administrator
  Uses: Give user administrator authorization over background processing
Batch Processing: Batch User Name
  Fields: Authorized user
  Uses: Specify user IDs that a user may specify as the authorization for running background jobs
Batch Processing: Operations on Batch Jobs
  Fields: Operations, Job Group
  Uses: Specify the operations that users may perform on background jobs (Release, delete, etc.)
Batch Input Authorizations
  Fields: Queue group name, Activity
  Uses: Authorize a user to work with batch input sessions
Queue Management Authorizations
  Fields: Queue group name, Activity
  Uses: Management of queues for trouble-shooting or problem analysis
Authorization Check for SM04, SM50
  Fields: Administration
  Uses: To authorize users to lock or unlock transactions and to manage user sessions other than their own.
Authorization for Update Administration
  Fields: Administration
  Uses: Authorization to manage update records for other users
Enqueue: Displaying and Deleting Lock Entries
  Fields: Activities
  Uses: Authorize users to maintain lock entries of other users
Spool: Device Authorization
  Fields: Output Device
  Uses: Authorizes users to use particular printers
Spool Actions
  Fields: Spool action Value
  Uses: Authorizes an administrator to perform specified actions on the spool system
Public Holiday and Calendar Access
  Fields: Activity
  Uses: Authorization to display and/or maintain calendars
Number Range Maintenance
  Fields: Activity, Number range object
  Uses: Authorize users to maintain number ranges
Change Documents
  Fields: Activity
  Uses: Authorization to display, maintain, and/or delete change documents
Tools Performance Monitor
  Fields: Authorization name
  Uses: Authorization to use sensitive functions of the performance monitor
Objects & Authorizations
S_TOOLS_EX  Access to view logon parameters

S_PROGRAM  ABAP program access
Fields / Values / Comments
P_GROUP  *  Program group
P_ACTION  SUBMIT  Execute program
          EDIT  Maintain program attributes and texts
          VARIANT  Start and maintain variants
          BTCSUBMIT  Submit programs for background execution

S_EDITOR  ABAP program access
Fields / Values / Comments
P_GROUP  *  Program group
EDIT_ACTION  SHOW  Display program source
             EDIT  Amend program source

S_BDC_MONI  Batch input session
Fields / Values / Comments
BDCGROUPID  *  Name of batch session for which a user is authorized (e.g. 'FRANK')
BDCAKTI  ABTC  Submit sessions for execution
         AONL  Run sessions in interactive mode
         ANAL  Analyze sessions, log and queue
         FREE  Release sessions
         LOCK  Lock/unlock sessions
         DELE  Delete sessions

S_NUMBER  Number range authorization
Fields / Values / Comments
NROBJ  *  Number range object name for a vendor
ACTVT  02  Change
       03  Display
       11  Change the last-used number in a number range interval
       13  Initialize the last-used number when transporting ranges between clients
       17  Maintain number range object (pre 3.0)

S_SCD0  Change document authorization
Fields / Values / Comments
ACTVT  02  Maintain and display change documents
       06  Delete change documents
       08  Display change documents
       12  Maintain change document objects
Processes
1. Batch: A number of transactions entered into the system as a batch. Batch inputs can take place in the background, where no changes can be made, or in the foreground, where transactions containing errors can be interactively corrected.
Restricting Access
The Batch Input object restricts user activities in different batch input sessions.
ANAL  Analyze sessions. Display session, log, and queue dump
DELE  Delete sessions
LOCK  Lock and unlock sessions
FREE  Release sessions
ABTC  Submit sessions for background execution
AONL  Run sessions in interactive modes
2. On-line
3. Background: The program executes on a background processing server without interactive user input. To run it must be scheduled.
This can be done two ways:
Menu Path: ABAP/4 > System Services > Reporting > Batch Request function
From the background processing menu by selecting Goto > Batch Request
In either case the user must have a User ID to run the job. Users could be authorized to run background jobs but not foreground jobs.
Before a background job can run, it must be released. The releasing of jobs is usually restricted to 'Batch Administrators'.
Restricting Access
The field Admin in the Batch Admin object is used to give a user administration authorizations. If this field contains a 'Y', the user has access to all background jobs in a SAP system and can perform any operation on any job.
The field Activity in the S_PROGRAM object determines the activities users are able to perform on an ABAP. A value of BTCSUBMIT allows a user to schedule the ABAP/4 program for background execution.
The Auth user field of the Batch User Name object is used to restrict user-IDs specified as the authorized user for running a job.
The Operation field of the Operations on Batch Jobs object is used to specify the operations that a user can perform on their own jobs. This is used to restrict users from deleting or releasing jobs.
4. Services
Can run on different servers:
Dialog
Update
Enqueue
Background
Message Server
CPI-C Gateway Server
Spool
5. Work Processes
TSKH  Task Handler
DYNP  Screen Processor
ABAP  Program Processor
DB-SS  Database interface that converts ABAP/4 SQL into DBMS SQL.
Transactions
SAP transactions allow different functions to be performed within R/3. Menu selection also generates transactions. To see which transaction is currently executing select Menu Path: System > Status.
System transactions are applicable to the basis system and application transactions are specific to a certain module.
Transactions can be locked and unlocked using Menu Path: Administration > Tcode Administration. When a transaction is locked, users cannot execute that transaction. To perform this function, a user requires the authorization object Authorization check for SM04, SM05 with a value of S in the Admin field.
1. Controlled by the DYNP processor
Checks whether additional authorization checks are required to run the transaction (in the TSTC Table).
Interprets the Dynpros, which involves creating the screens and applying the logic defined in the dynpro (field checks, etc.).
2. All transactions are listed in the TSTC Table. This table includes:
An indicator that the transaction has been locked or is available to be used. The ability to lock and unlock transactions is controlled using authorization object Authorization Check for SM04, SM50.
Additional authorization checks to be performed. Only users with the value TCOD in the field Admin Functions in object System Admin Functions have the ability to add, alter, or delete these additional authorization tests.
If a transaction is not marked as requiring authorization checks then any user can run the transaction.
Transaction types:
SU93 and SU91  Displays changes to master records and profiles
SE30  Trace function
SU53  Authorization check failures
SU02  Activation of profiles
SU03  Activation of authorizations
SU0  Assignment of user ID
SU01  Assignment of users to profiles and alter the password of any user
SU10  Assignment of profiles for a range of users
SU12  Delete all users
TU02  View logon parameters
SM52  Unix command line prompt
SU21  Grouping of objects into object classes (example is Basis Administration, Financial Accounting)
Tables
SAP is characterized by the use of thousands of application and control tables. The setup of the control tables, to a large extent, determines in which way a SAP installation functions.
Logical views are provided by the ABAP/4 Dictionary of all data (control data, master data, and transaction data) stored in the SAP system.
All control tables start with the letter 'T'.
Control tables can be displayed and maintained on-line. Menu Path: System > Services > Table Maintenance. In order to restrict tables, a number of table authorization classes should be defined. All standard tables have been assigned to authorization classes. The authorization object Table Maintenance is used to maintain the tables in each authorization class. Two levels of access are allowed: value = 02 (add, change, or delete) and 03 (display only).
To modify a table structure: Menu Path: Tools > CASE > Development > Data Dictionary > Maintenance.
Logging of changes can be accomplished by using change document objects to specify which tables are logged and the level of logging performed on each table.
1. TSTC  Transactions
2. MA  Matchcodes
3. T001  Details about a company
4. T001B  Defines accounting periods for company T001.
5. USRxx  Profiles
6. TUSR04  Authorization Profiles
7. TUSR01  User master record
8. TUSR02  User ID and password
9. TUSR03  Extended information about the user.
10. TUSR05  Field defaults for each R/3 user and field.
11. TOBJ  Pre-defined authorization objects and fields
12. TOBJT  Descriptive text of the authorization objects.
13. TUSR10 and TUSR11  Authorization Profiles and Descriptions
14. T055  Field group fields
15. T055G  Field groups
16. T055T  Field Group descriptions
17. AUT  Internal table - Financial objects
18. TACT  Activity codes
19. TACTT  Activity codes descriptions
20. TACTZ  Valid activity codes for each authorization object
21. USR40  Custom password checks
22. TDDAT  Defines the link between tables and their authorization classes
23. T000  SAP Clients
24. T001  SAP companies
25. TGSB  Business Areas and Plants
Logs
Errors and important events are logged in the system logs. These logs should be reviewed daily.
The servers in a SAP system record events and problems in a set of local and central system logs. These logs may be displayed and maintained on-line from the Menu Path: Tools > Administration > Monitoring > System log.
Local logs keep only messages issued by the local application server. Each application server has a local log file.
System logs are configured by setting parameters in the system profile.
Transactions SU93 and SU91 display changes made to a user's master record or profiles.
Logging of Changes to Authorizations:
All changes to user master records, profiles, and authorization value sets. For example, user master records will display as added or deleted from the list in the user master records. It will not display modified profiles; rather, the log of changes to profiles can be used to identify changed profiles.
Changes to a user's password, user type, user group, period of validity, and account number.
For each item in the log, the system reports both the old and new version of any lines that have changed. This log is a valuable control over unauthorized changes to users' access capabilities and needs to be reviewed daily.
Reports for Auditing Security
Menu Path: Information > Current Information
Displays detailed information on user master records, authorization profiles, authorization objects, and authorization value sets. With this facility, it is possible to display all user master records and/or profiles that contain a specific object.
Modules
SAP application modules.
1. BC  SAP Basis module
2. Logistics: SD, MM, PP, QM, PM
3. Human Resources: HR
4. Financial and Administration: FI, CO, AM, PS, CO
Change Management
Backup and Recovery
Daily backups are necessary to ensure the recoverability of data in the event of a disaster.
SAP includes the SAPDBA program, which is used to perform database administration tasks.
SAP can be backed up on-line.
Redo logs (Oracle) should also be archived daily.
Security Administration
Users who are able to change user master records, profiles and/or authorization value sets need to be tightly controlled. The system provides a number of standard authorization objects that can be used.

User Groups  S_USER_GRP
Fields / Values
User group:  Names of the user groups for which an administrator is authorized.
Administrator actions:
  01: Create user master records, add profiles to new or existing records
  02: Edit
  03: Display
  05: Lock or unlock user
  06: Delete a user master record
  08: Display user change records

Authorization Profile  S_USER_PRO
Fields / Values
Profile name:  The profile names for which an administrator is authorized.
Administrator actions:
  01: Create profiles and enter authorizations into them
  02: Edit
  03: Display
  06: Delete a profile
  08: Display change records
  22: Add profiles to user master record

Authorization Value Sets  S_USER_AUT
Fields / Values
Object name:  The names of the authorization objects for which an administrator is authorized.
Authorization name:  The names of the authorization value sets for which an administrator is authorized.
Administrator actions:
  01: Create authorization value set
  02: Edit
  03: Display
  06: Delete
  07: Activate
  08: Display change records
  22: Enter authorizations into a profile

Table Maintenance  S_TABU_DIS
Fields / Values
DICBERCLS:  Table classes for which a user's access is authorized
ACTVT:  Activity code

Table Maintenance Across Clients  S_TABU_CLI
Fields / Values
IDMAINT:  Access indicator

Object S_USER_GRP
Determines which user groups can be administered and consequently all users who are assigned to those groups.
Object S_ADMI_FCD
'Systems Administration Functions' provides powerful systems administration functions, including the following (field = 'Systems Administration Functions'):
NADM - Network Administration (SM54, 55, 59)
UADM - Update Administration (SM13)
T000 - Create New Client
TLCK - Lock/Unlock Transactions
SPAD - Authorization for spool administration in all clients
SPAR - Authorization for client-dependent spool administration
SP01 - Authorization for administration of spool requests in spool output control (all users and clients)
SPOR - Spool administration
BTCH - Test environment, batch
UNIX - Execute UNIX commands from SAPMSOS0
RSET - Reset/delete data without archiving
SYNC - Reset buffers
ABAP/4 Dictionary
R/3 uses an external database (Oracle in most cases) to hold application data, but it makes use of its own ABAP/4 Dictionary. This Dictionary gives R/3 the functionality to control the environment.
1. Each field in the ABAP/4 Dictionary is described by a domain. When any input is not valid in terms of the domain, it will not be accepted and the user will have to correct the entry in the DYNPRO screen before continuing. The ABAP/4 Dictionary provides the following domain checks:
The format of the field must match the definition in the ABAP/4 Dictionary (character, numeric, date, etc.)
A number of discrete values may be contained in the domain that are valid for the field.
A table can be specified that contains all the values allowed for a particular field. If a table is specified, there must be procedures for ensuring that the table's contents are kept up-to-date.
Restricting Access
Controlled by the authorization object System Admin Functions. Only users with the value = DDIC in the Admin Function field can make changes to the ABAP/4 Dictionary or use the database table utility.
It is not possible to further restrict access to alterable tables.
Changes are logged by the system and can be queried using the ABAP/4 Dictionary Information System. Menu Path: Development > ABAP/4 Dictionary > Info System
Dictionary changes should be reviewed daily.
ABAP/4 Programming
ABAP/4 is the fourth generation interpretative language in which all R/3 applications are written. The Basis System is written in C.
ABAP/4 is a comprehensive programming language. ABAP statements can be written that will read and update data, create new records, etc. ABAP also can contain SQL statements, allowing almost unrestricted access to the database.
ABAP/4 must be tightly controlled. No ABAP statement changes should be allowed in the production system's environment.
1. Location
On Application Server
Restricting Access
Each ABAP needs to be assigned to an authorization group in the report attributes set when creating an ABAP report. Any ABAP that has not been assigned to an authorization group may be run by any user with authorization for object S_PROGRAM.
ABAPs that have been assigned to a program group can only be run by users who are authorized to that program group using object S_PROGRAM. This object further restricts the manner in which a user is able to run an ABAP.
SUBMIT  The user may start programs interactively
BTCSUBMIT  The user may submit programs for execution in the background partition.
EDIT  The user can maintain attributes and text elements and use utilities for copying and deleting reports (This does not allow the user to edit ABAP/4 programs).
VARIANT  The user may maintain variants. Variants are parameters that are passed to an ABAP program.
In the standard system, none of the ABAPs are assigned to authorization groups. Therefore any user that can run transaction SA38 (or SE38 to develop ABAP/4 programs) can run any of the standard ABAPs. It is recommended that all ABAPs be placed in authorization classes and that users should only have authorization for the authorization classes (ABAPs) that are required for their job functions. No matter what, the database interface checks are still in play for all ABAPs, and the user will not be able to act on data for which they have no authority.
ABAPs may be developed on-line using the SAP ABAP editor.
The ABAP programs can be assigned to authorization groups. The S_EDITOR authorization object is used to restrict the authorization groups a user is able to edit. Any user with the S_EDITOR authorization object is able to edit any ABAP program that has not been assigned to an authorization group.
No users should have S_EDITOR. Otherwise they may write dynamic SQL that allows complete access to all client data.
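The chain described under Adding Authorizations and the S_PROGRAM rules above (one authorization must cover every field of the object; an ABAP with no authorization group is runnable by anyone who holds S_PROGRAM at all) can be modelled directly. This is an added example, not SAP code: the object and field names S_PROGRAM, P_GROUP and P_ACTION are from the page, while the users, profiles and program groups are constructed.

```python
"""Model of the R/3 authorization chain described on this page:
user master record -> profiles -> authorization value sets -> object fields.

Added example, not SAP code. S_PROGRAM / P_GROUP / P_ACTION are from the page;
the users, profiles and program group names below are constructed.
"""
from dataclasses import dataclass

# Authorization objects known to this model and the fields each one carries.
OBJECT_FIELDS = {
    "S_PROGRAM": ("P_GROUP", "P_ACTION"),
}


@dataclass
class Authorization:
    """One authorization value set for one object: allowed values per field."""
    obj: str
    values: dict            # field name -> set of allowed values


@dataclass
class Profile:
    name: str
    authorizations: tuple   # Authorization instances


@dataclass
class UserMaster:
    user_id: str
    profiles: tuple         # Profile instances referenced by the master record
    locked: bool = False    # page recommends locking rather than deleting


def value_matches(allowed, value):
    """'*' matches any value; a trailing '*' matches by prefix; otherwise exact."""
    for pattern in allowed:
        if pattern == "*" or pattern == value:
            return True
        if pattern.endswith("*") and value.startswith(pattern[:-1]):
            return True
    return False


def authority_check(user, obj, **required):
    """Emulate AUTHORITY-CHECK OBJECT obj: passes only if a single authorization
    in one of the user's profiles covers every field of the object at once."""
    fields = OBJECT_FIELDS[obj]
    missing = set(fields) - set(required)
    if missing:
        raise ValueError(f"no value supplied for field(s) {sorted(missing)}")
    if user.locked:
        return False
    for profile in user.profiles:
        for auth in profile.authorizations:
            if auth.obj == obj and all(
                value_matches(auth.values.get(f, ()), required[f]) for f in fields
            ):
                return True
    return False


def may_run_program(user, program_group, action):
    """Rule from the page: an ABAP with no authorization group runs for any user
    who holds S_PROGRAM at all; an assigned group must be covered by P_GROUP."""
    if user.locked:
        return False
    if program_group == "":
        return any(a.obj == "S_PROGRAM"
                   for p in user.profiles for a in p.authorizations)
    return authority_check(user, "S_PROGRAM", P_GROUP=program_group, P_ACTION=action)


# Constructed sample: the page's Frank W. Lons with two narrow authorizations,
# and a batch operator who may only BTCSUBMIT report groups beginning with FI_.
FRANK = UserMaster("FLONS", (Profile("Z_FI_REPORTS", (
    Authorization("S_PROGRAM", {"P_GROUP": {"FI_REPORTS"},
                                "P_ACTION": {"SUBMIT", "VARIANT"}}),
    Authorization("S_PROGRAM", {"P_GROUP": {"HR_PAYROLL"},
                                "P_ACTION": {"VARIANT"}}),
)),))
OPERATOR = UserMaster("BATCHOP", (Profile("Z_BATCH_OPER", (
    Authorization("S_PROGRAM", {"P_GROUP": {"FI_*"}, "P_ACTION": {"BTCSUBMIT"}}),
)),))

if __name__ == "__main__":
    print(may_run_program(FRANK, "FI_REPORTS", "SUBMIT"))   # True
    print(may_run_program(FRANK, "HR_PAYROLL", "SUBMIT"))   # False: no single authorization covers both fields
    print(may_run_program(FRANK, "", "SUBMIT"))             # True: ABAP without an authorization group
```

The HR_PAYROLL/SUBMIT case fails even though Frank holds SUBMIT for one group and HR_PAYROLL in another authorization, which is why reviewing value sets one authorization at a time matters.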
ABAP/4 Query
ABAP/4 Query is the report writing software that allows users to generate reports quickly and easily without programming knowledge. It generates an ABAP program. Users cannot access any information to which they would otherwise not have access.
Restricting Access
Queries must be assigned to a user group before they can be run.
A user group contains the functional areas and the names of all people authorized to run queries.
Ensure that procedures are in effect to update the user groups when job assignments change.
Any user can run any queries defined for a user group of which he/she is a member, regardless of who wrote the query.
In order to create or maintain ABAP/4 Queries, a user must be a member of one or more user groups and have a value = 02 (change) in the activity field of the ABAP/4 Query authorization object.
In order to maintain the ABAP/4 Query user groups, a user needs the value = 23 (Maintain Environment) in the activity field of the ABAP/4 Query authorization object. This should be restricted to administrators.
Operating Systems
1. Unix
Start-Up Profiles are stored in /usr/sap/<SAP System Name>/sys/profile
2. NT
Database Management Systems
1. Oracle
Dynpros Screen Generator
Dynpros are the input screens used when processing SAP transactions. They include details of the processing logic to be performed on the fields.
1. Dynpros can be developed on-line using the standard SAP Dynpro Screen Painter. Menu Path: Tools > Case > Development > Screen Painter.
2. Controls need to be in place to ensure that changes to Dynpros are authorized, tested, and approved.
Number Ranges
SAP provides an 'internal' and 'external' numbering mechanism.
1. Internal numbers are sequential codes given by the system for documents, article numbers, personnel numbers, etc.
2. Both internal and external numbers are stored in a file SYSV.
Matchcodes
These are secondary indexes to enable users to find specific records when the primary key is unknown.
1. Stored in Table MA
2. Table MA can be edited on-line using transaction SM31 and is accessible through the Menu Path: System > Services > Table Maintenance.
Weaknesses
1. In the standard system, none of the ABAPs are assigned to authorization groups.
2. Do not use native SQL calls in ABAPs as they will bypass the dictionary consistency checks. Use open SQL statements.
Unlike normal ABAP statements, native SQL and open SQL do not trigger any authorization checks at run time. But using ABAPs with the AUTHORITY-CHECK statement, the user's authority can be checked at run time for specified objects.
3. SAP* is the default user ID and it has unlimited access capabilities. It should only be given to the system administrators (SUPERUSER).
4. Default system profiles may provide too much authority.
5. Default logon IDs
SAP* password = 06071992
SAP* password = PASS
DDIC password = 19920706
Oracle:
Sys password = change_on_install
System password = manager
Sapr3 password = sapr3
SAP/R3 application ID
SAPDBA: Front-end to SQL*DBA. Can perform all DBA functions within SAP. Authentication is completed in UNIX.
6. Ad-hoc Queries
SQL*Plus
ODBC
7. Oracle Tables
User02 table contains all SAP user IDs and passwords
Standard Reports
RSAVGL00  Table comparison across clients
RSDEOMP  Comparing tables across two systems
RSDELSAP  Delete SAP* from client 066 (EarlyWatch client)
RSKEYS00  Tables comparison: system versus sequential file
RSTAB00  As for RSKEYS00
RSSTAT92  Table changes for a selected month
RSSTAT95  Table access statistics
RSPARAM  Display system parameter settings
RSUSER01  Test SAP_ALL
RSUSR000  List all active users
Financial
Authorization Objects
Master Data - GL - Customer - Vendor - Bank
Documents, Balance Sheets, Credit Control Data, Payment Runs, Dunning Runs
Example:
Object = Company Codes
Fields / Values
Company codes:  01 Create, 02 Change, 03 Display, 05 Block/Unblock, 06 Delete, 08 Display change documents