Top 10 Ways to Monitor Your SAP Roles for SAP Audit Compliance

The SAP system provides many reporting tools and ABAP/4 programs for detailed investigation and monitoring of SAP security settings for SAP audit compliance. Tracking reports can be executed in two ways: by running the underlying program directly with transaction SE38 or SA38, or through the SUIM (Repository Information System) transaction.

Objective: For each system, review the key parameters of the system profile related to security.

Report: RSPARAM Frequency: Monthly

The parameter values should be set as recommended by the SAP security administration standard operating procedures developed by the company, and they must be configured consistently across all SAP systems.
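As an added example (not part of the original article), the check below compares RSPARAM exports from two systems against a company baseline and then checks that the effective values are identical across systems. The parameter names are real SAP profile parameters; the baseline values, the tab-separated export layout (name, user value, kernel default, as you would get by saving the RSPARAM list to a spreadsheet) and the sample exports for PRD and QAS are constructed assumptions.

```python
"""Audit RSPARAM exports from several SAP systems against a company baseline.

Added example, not from the original article. The parameter names are real
SAP profile parameters; the baseline values, the export format and the sample
exports below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Hypothetical company SOP baseline (assumption): parameter -> required value.
BASELINE: Dict[str, str] = {
    "login/min_password_lng": "12",
    "login/fails_to_user_lock": "5",
    "login/password_expiration_time": "90",
    "login/no_automatic_user_sapstar": "1",
}

# Constructed exports, one per system: name <TAB> user value <TAB> kernel default.
# An empty user value means "not set in the profile", so the default applies.
EXPORTS: Dict[str, str] = {
    "PRD": (
        "login/min_password_lng\t12\t6\n"
        "login/fails_to_user_lock\t5\t5\n"
        "login/password_expiration_time\t90\t0\n"
        "login/no_automatic_user_sapstar\t1\t0\n"
    ),
    "QAS": (
        "login/min_password_lng\t8\t6\n"
        "login/fails_to_user_lock\t\t5\n"
        "login/password_expiration_time\t90\t0\n"
        "login/no_automatic_user_sapstar\t\t0\n"
    ),
}

Finding = Tuple[str, str, str, str]  # system, parameter, expected, effective


def parse_rsparam(text: str) -> Dict[str, str]:
    """Return parameter -> effective value (user value if set, else kernel default)."""
    effective: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        name = parts[0].strip()
        user_value = parts[1].strip() if len(parts) > 1 else ""
        default = parts[2].strip() if len(parts) > 2 else ""
        effective[name] = user_value or default
    return effective


def check_baseline(system: str, values: Dict[str, str],
                   baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """List every baseline parameter whose effective value deviates.

    A parameter absent from the export is reported with the value '<missing>'.
    """
    findings: List[Finding] = []
    for name in sorted(baseline):
        actual = values.get(name, "<missing>")
        if actual != baseline[name]:
            findings.append((system, name, baseline[name], actual))
    return findings


def check_consistency(exports: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Parameters whose effective value is not identical on every system."""
    parsed = {sysid: parse_rsparam(text) for sysid, text in exports.items()}
    all_names = set().union(*(vals.keys() for vals in parsed.values()))
    inconsistent: Dict[str, Dict[str, str]] = {}
    for name in sorted(all_names):
        per_system = {sysid: vals.get(name, "<missing>")
                      for sysid, vals in parsed.items()}
        if len(set(per_system.values())) > 1:
            inconsistent[name] = per_system
    return inconsistent


def audit(exports: Dict[str, str] = EXPORTS) -> List[Finding]:
    """Run the baseline check for every system and return all findings."""
    findings: List[Finding] = []
    for sysid in sorted(exports):
        findings.extend(check_baseline(sysid, parse_rsparam(exports[sysid])))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("DEVIATION system=%s %s expected=%s effective=%s" % finding)
    for param, per_system in check_consistency(EXPORTS).items():
        print("INCONSISTENT %s %s" % (param, per_system))
```

Treating an unset parameter as its kernel default matters: QAS never set `login/no_automatic_user_sapstar`, and the check reports the default it falls back to rather than a missing line, which is what the auditor actually wants to know.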

Objective: To ensure that security access is appropriately restricted to members of the security team, as defined in policies and procedures.

Report: RSUSR040 Frequency: Fortnightly

Review the users who have access to the authorization objects S_USER_GRP, S_USER_AUT and S_USER_PRO. Access to these objects should be limited to the Security and Basis teams. The Basis team should have only display access plus the ability to reset passwords for all user groups except SUPER and Security. These objects grant access to user and authorization administration functions, so no non-technical user should have access to them.

Objective: To ensure that access to security administration transactions is appropriately restricted.

Report: RSUSR010 Frequency: Monthly

Check transactional access to security administration. Run report RSUSR010 and check who can execute transactions PFCG, SU01, SU02, SU03 and SU05. They control access to the Profile Generator, user maintenance, profile maintenance, authorization maintenance and Internet user maintenance. Anyone outside SAP security with access to these transactions should raise a red flag.
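The two reviews above (critical authorization objects from RSUSR040, security administration transactions from RSUSR010) reduce to the same rule: a user may hold the item only if they belong to an approved team. The added example below (not the article's own code) applies both rules to a merged export. The authorization objects and transaction codes are the ones named in the article; the user group names SECURITY, BASIS and HELPDESK, the record layout and the sample users are constructed assumptions.

```python
"""Flag users outside the approved teams who hold security-administration
authorization objects or can run security-administration transactions.

Added example, not from the original article. The user group names, the
record layout and the sample users are constructed assumptions.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Objects and transactions named in the article.
CRITICAL_OBJECTS: Set[str] = {"S_USER_GRP", "S_USER_AUT", "S_USER_PRO"}
SECURITY_TCODES: Set[str] = {"PFCG", "SU01", "SU02", "SU03", "SU05"}

# Assumed user-group names: the objects may sit with Security and Basis,
# the transactions only with Security.
OBJECT_ALLOWED_GROUPS: Set[str] = {"SECURITY", "BASIS"}
TCODE_ALLOWED_GROUPS: Set[str] = {"SECURITY"}

# Constructed merge of RSUSR040 (objects) and RSUSR010 (transactions) output.
USERS: List[Dict] = [
    {"user": "SECADM1", "group": "SECURITY",
     "objects": {"S_USER_GRP", "S_USER_AUT", "S_USER_PRO"},
     "tcodes": {"PFCG", "SU01", "SU02", "SU03", "SU05"}},
    {"user": "BASIS1", "group": "BASIS",
     "objects": {"S_USER_GRP"}, "tcodes": {"SU01"}},        # SU01 outside Security
    {"user": "HELPDESK1", "group": "HELPDESK",
     "objects": {"S_USER_GRP"}, "tcodes": set()},           # non-technical holder
    {"user": "FIN_USER", "group": "FINANCE",
     "objects": set(), "tcodes": {"FB01"}},                 # nothing critical
]

Finding = Tuple[str, str, str, str]  # user, group, kind ("object"/"tcode"), item


def review_user(record: Dict) -> List[Finding]:
    """Return one finding per critical item the user holds without an approved group."""
    findings: List[Finding] = []
    group = record["group"]
    if group not in OBJECT_ALLOWED_GROUPS:
        for obj in sorted(record["objects"] & CRITICAL_OBJECTS):
            findings.append((record["user"], group, "object", obj))
    if group not in TCODE_ALLOWED_GROUPS:
        for tcode in sorted(record["tcodes"] & SECURITY_TCODES):
            findings.append((record["user"], group, "tcode", tcode))
    return findings


def review(users: List[Dict] = USERS) -> List[Finding]:
    """Review every exported user and collect the findings."""
    findings: List[Finding] = []
    for record in users:
        findings.extend(review_user(record))
    return findings


def findings_by_group(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per user group, a quick view of where the review should focus."""
    return dict(Counter(group for _, group, _, _ in findings))


if __name__ == "__main__":
    result = review()
    for user, group, kind, item in result:
        print(f"RED FLAG user={user} group={group} {kind}={item}")
    print(findings_by_group(result))
```

Note that the rule is evaluated per item, not per user: BASIS1 is legitimately allowed S_USER_GRP but still produces a finding for SU01, which is exactly the distinction the two reports are meant to surface.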

Objective: To ensure that table access is configured correctly.

Report: RSUSR040 Frequency: Monthly

Access to table maintenance must be coordinated with the Basis team, and table access must match configuration responsibilities. Review the users who hold client-independent and client-dependent table access (authorization objects S_TABU_CLI and S_TABU_DIS). Client-independent table access should be limited to the Sandbox and Configuration Master clients.

Objective: Make sure all users are assigned to the correct user group.

Report: RSUSR002 Frequency: Monthly

Review the users defined in all clients and systems. Each user must be assigned to a valid, pre-approved user group. Pay particular attention to the users assigned to the Basis, security and help desk groups.

Objective: To ensure that disallowed passwords are implemented consistently and comply with standard operating procedures.

Transaction: SE16 Frequency: Semiannual

Check the data contained in table USR40. This table holds the patterns that passwords are not allowed to match.
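Reviewing USR40 by eye in SE16 does not tell you whether the entries actually cover what the standard operating procedure requires. The added example below (not the article's code) turns each USR40 pattern into a regular expression so that candidate strings can be tested against the table, and reports SOP-required entries that are missing. USR40 patterns use `*` for any sequence of characters and `?` for a single character; the sample rows, the SOP list, and the case-insensitive comparison are constructed assumptions for this illustration.

```python
"""Evaluate a USR40 (disallowed password patterns) export against the SOP.

Added example, not from the original article. The rows, the SOP list and the
case-insensitive comparison are constructed assumptions.
"""
import re
from typing import Iterable, List, Optional, Pattern

# Constructed USR40 export: the pattern column of the table.
USR40_ROWS: List[str] = ["*PASS*", "SAP*", "WELCOME?", "123456"]

# Hypothetical SOP: the entries the company requires to be present.
SOP_REQUIRED: List[str] = ["*PASS*", "SAP*", "*INIT*", "WELCOME?"]


def usr40_to_regex(pattern: str) -> Pattern[str]:
    """Translate a USR40 pattern ('*' = any run, '?' = one char) into an anchored regex."""
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Assumption: matching is case-insensitive, as the patterns are stored in upper case.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def first_match(candidate: str, rows: Iterable[str]) -> Optional[str]:
    """Return the first USR40 pattern the candidate matches, or None if it is allowed."""
    for row in rows:
        if usr40_to_regex(row).match(candidate):
            return row
    return None


def is_forbidden(candidate: str, rows: Iterable[str] = USR40_ROWS) -> bool:
    """True when the candidate would be rejected by the table."""
    return first_match(candidate, rows) is not None


def missing_sop_entries(rows: Iterable[str],
                        required: Iterable[str] = SOP_REQUIRED) -> List[str]:
    """SOP-required patterns not present in the table (compared in upper case)."""
    present = {row.strip().upper() for row in rows}
    return [req for req in required if req.strip().upper() not in present]


if __name__ == "__main__":
    for sample in ["MyPassword1", "sapadmin", "Welcome1", "Welcome12", "Tr0ub4dor"]:
        print(f"{sample!r}: blocked by {first_match(sample, USR40_ROWS)!r}")
    print("missing from USR40:", missing_sop_entries(USR40_ROWS))
```

Using a list of sample strings such as these, rather than real passwords, is enough to confirm that each pattern behaves as the reviewer expects; the `?` entry in particular only blocks strings of exactly one extra character, which is easy to misread in the raw table.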

Objective: To ensure that the SAP Profile Generator is correctly configured.

Transaction: SPRO Frequency: Semiannual

Review the configuration and activation of the SAP Profile Generator. Review the documentation in the Enterprise IMG to ensure that all configuration steps have been completed successfully. This activity should focus on new systems.

Objective: Verify changed and manually inserted authorization objects in roles

Transaction: SE16 Frequency: Semiannual

Review the role authorization table for objects that were inserted manually or whose values were changed in the role. This shows the security administrators which roles were not built according to the security policy. It is good practice to have no roles that contain manually inserted or changed authorizations.

Objective: Check for updates to the transaction-to-authorization-object assignments maintained in transaction SU24

Transaction: SE16 Frequency: Monthly

Transaction SU24 must be maintained so that authorization objects do not need to be added manually on the Authorizations tab in the Profile Generator. Also, if an incorrect authorization object or field value is proposed in the Profile Generator, it should be corrected only via SU24. This ensures that only correct or blank field values are brought in, so that the right values can be entered and proper authorizations assigned. Tracking these changes gives the SAP audit group a record of configuration changes made to transactions.

Objective: Monitor role changes in the system

Transaction: SUIM Frequency: Monthly

Here, the SAP audit compliance group looks at the volume of changes that occur in roles. If the change volume is unusually high, this gives them an early warning to investigate the approvals further.
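"Too high" needs a reference point, otherwise every month looks the same to the reviewer. The added example below (not from the article) takes role change records such as SUIM's change-document list would export, counts changes per month, and flags any month whose count exceeds a multiple of the median of the preceding months; it also shows which roles absorbed the changes. The record layout, the role names, the changers and the dates are constructed, and the factor of 3 is an arbitrary threshold the compliance group would tune.

```python
"""Early warning on role change volume from exported change documents.

Added example, not from the original article. The rows below are constructed;
the spike factor is an assumption to be tuned by the compliance group.
"""
from collections import Counter
from datetime import date
from statistics import median
from typing import Dict, List, Tuple

# Constructed export of role change documents: (role, changed_by, change_date).
CHANGES: List[Tuple[str, str, date]] = [
    ("Z_FI_AP_CLERK", "SECADM1", date(2023, 1, 12)),
    ("Z_FI_AP_CLERK", "SECADM1", date(2023, 2, 3)),
    ("Z_MM_BUYER", "SECADM2", date(2023, 2, 20)),
    ("Z_SD_SALES", "SECADM1", date(2023, 3, 8)),
    ("Z_FI_AP_CLERK", "SECADM2", date(2023, 3, 15)),
    # April: a burst of changes that should be questioned.
    ("Z_FI_AP_CLERK", "SECADM2", date(2023, 4, 2)),
    ("Z_FI_AP_CLERK", "SECADM2", date(2023, 4, 2)),
    ("Z_FI_AP_CLERK", "SECADM2", date(2023, 4, 3)),
    ("Z_MM_BUYER", "SECADM1", date(2023, 4, 11)),
    ("Z_MM_BUYER", "SECADM1", date(2023, 4, 11)),
    ("Z_SD_SALES", "SECADM2", date(2023, 4, 18)),
    ("Z_HR_ADMIN", "SECADM1", date(2023, 4, 25)),
    ("Z_HR_ADMIN", "SECADM1", date(2023, 4, 26)),
]

Spike = Tuple[str, int, float]  # month, count, baseline used


def changes_per_month(rows: List[Tuple[str, str, date]]) -> Dict[str, int]:
    """Count role changes per calendar month, keyed 'YYYY-MM'."""
    counts = Counter(f"{d.year:04d}-{d.month:02d}" for _, _, d in rows)
    return dict(sorted(counts.items()))


def flag_spikes(per_month: Dict[str, int], factor: float = 3.0,
                min_history: int = 2) -> List[Spike]:
    """Flag months whose count exceeds factor x the median of all earlier months.

    Months with fewer than min_history preceding months are skipped, since a
    baseline built from a single month is not meaningful.
    """
    spikes: List[Spike] = []
    history: List[int] = []
    for month in sorted(per_month):
        count = per_month[month]
        if len(history) >= min_history:
            baseline = float(median(history))
            if count > factor * baseline:
                spikes.append((month, count, baseline))
        history.append(count)
    return spikes


def changes_per_role(rows: List[Tuple[str, str, date]],
                     month: str = "") -> Dict[str, int]:
    """Changes per role, optionally restricted to one 'YYYY-MM' month."""
    selected = [r for r in rows if not month or f"{r[2].year:04d}-{r[2].month:02d}" == month]
    return dict(Counter(role for role, _, _ in selected).most_common())


if __name__ == "__main__":
    monthly = changes_per_month(CHANGES)
    print("changes per month:", monthly)
    for month, count, baseline in flag_spikes(monthly):
        print(f"WARNING {month}: {count} role changes vs baseline {baseline:.1f}")
        print("  by role:", changes_per_role(CHANGES, month))
```

The median rather than the mean keeps one earlier spike from inflating the baseline and hiding the next one, which is the usual failure of a simple average when reviewing a short monthly history.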
