The SAP System has many reporting tools and ABAP/4 programs that provide detailed investigation and monitoring of SAP security configuration for SAP Audit Compliance. The monitoring reports can be executed via two methods, executing the actual program using transactions SE38, SA38 or SUIM (Repository Information System).
Objective: For each system, review the key security related system profile parameters.
Report: RSPARAM Frequency: Monthly
The parameter values should be configured according to the recommended by the SAP Security Administration Standard Operating Procedures developed by the company. Additionally, these parameters should be consistently set for all SAP systems.
Objective: Ensure security access is properly restricted to Security Team members as defined in Policies and Procedures.
Report: RSUSR040 Frequency: Bi-weekly
Review the users that have access to the authorization objects S_USER_GRP, S_USER_AUT and S_USER_PRO. Access to these objects should be limited to the Basis and Security Administration Teams. The Basis Team should only have display access and the ability to reset passwords for all user groups except SUPER and Security. This access lets the users’ have access to system administration functions. None of the non technical user should have access to these objects
Objective: Ensure access to security transactions is properly secured.
Report: RSUSR010 Frequency: Monthly
Check for transactional access to security administration. Execute report RSUSR010 and check for transactions PFCG, SU01, SU02, SU03 and SU05. They control access to the profile generator, user administration, profile administration, authorization maintenance and internet user administration. If you see any non sap security people have access to this transaction this should raise a red flag.
Objective: Ensure table access is properly configured.
Report: RSUSR040 Frequency: Monthly
Access to maintain tables should be coordinated with the Basis Team. And, table access needs to coincide with the ability to perform configuration. Review the users that have table access for both client independent and dependent table access. (S_TABU_CLI and S_TABU_DIS). Client independent table access should be limited to the Sandbox and Configuration Master clients.
Objective: Ensure that all users are properly assigned to the correct user group.
Report: RSUSR002 Frequency: Monthly
Review the users defined for all clients and systems. Each user should be assigned to a valid pre-approved user group. Check for user who are assigned to basis security and help desk
Objective: Ensure that impermissible passwords are consistently implemented and meet standard operating procedures.
Transaction: SE16 Frequency: Semi-annually
Verify the data contained in table USR40. This table contains specific impermissible password settings.
Objective: Ensure SAP Profile Generator is properly configured.
Transaction SPRO Frequency: Semi-annually.
Review the configuration and activation of the SAP Profile Generator. Review the documentation in the Enterprise IMG to ensure all configuration steps have been successfully completed. This activity should focus on new systems.
Objective: Check for change and manually inserted objects in to the role
Review the table for objects which have been inserted manually and changed access. This will identify the security administrators about some of the role which are developed as per security policy. It is a good practice not to have roles with manually or change authorization object
Transaction: SE16 Frequency: Semi-annually
Objective: Look for updates to transaction to object configuration in SU24 Transaction
Transaction: SE16 Frequency: Monthly
Transaction SU24 should be maintained so no manual authorization objects need to be added to the authorization tab on profile generator. Also if an incorrect authorization object or field value is brought into the profile generator it should be changed only through SU24. This will then allow only correct or blank field values are brought in so the correct values can be entered and the proper authorizations assigned. Monitoring these changes will give the SAP Audit Group the configuration changes made to the transactions.
Objective: Roles changes in the system
Transaction: SUIM Frequency: Monthly
Here the SAP Audit compliance group is looking for volume of changes happening to the roles. If the volumes of changes are too high, then this will give them a pre warning for more investigation into the approval.