Showing posts with label System Audit.

SAP Security and Authorization Concepts

R/3 audit review questions.

Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3 system.

It is always a good idea to review this list a couple times a year and to take the appropriate steps to tighten your security.

Review the following :-

* System security profile parameters (TU02) (e.g. password length and format, forced password changes, the number of logon failures that end the
session, etc.) have been set to ensure the confidentiality and integrity of passwords.

Security-Parameter-Settings-Documentation

* Setup and modification of user master records follows a specific procedure and is properly approved by management.

* Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone
independent of the person responsible for user master record maintenance.

* An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help
security maintenance and to comply with required SAP R/3 naming conventions.

* A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in
the user master record, commensurate with their job responsibilities.

* Check objects (SU24) have been assigned to key transactions to restrict access to those transactions.

* Authorization objects and authorizations have been assigned to users based on their job responsibilities.

* Authorization objects and authorizations have been assigned to users ensuring segregation of duties.

* Users can maintain only system tables commensurate with their job responsibilities.

* Validity periods are set for user master records assigned to temporary staff.

* All in-house developed programs contain authority check statements to ensure that access to the programs is properly
secured.
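The first item above (password-related profile parameters) is the one check on this list that can be automated completely, because it is a comparison of parameter values against a baseline. The script below is an added example, not part of the original post and not an SAP tool. It assumes the parameter values have been copied out of the TU02/RSPARAM display into plain `name = value` lines; the parameter names used are the standard `login/*` profile parameters, which the post itself does not name, and the baseline thresholds are an auditor's own assumptions rather than SAP-mandated values.

```python
"""Compare SAP login/* profile parameter values against an audit baseline.

Added example, not from the original post. Parameter names are the standard
login/* parameters (assumed, the post does not list them); the thresholds in
BASELINE are the auditor's assumptions, not SAP defaults.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    param: str                  # profile parameter name
    ok: Callable[[int], bool]   # predicate the numeric value must satisfy
    expectation: str            # human-readable statement of the baseline


# Baseline: a practitioner's assumptions about a reasonable password policy.
BASELINE = [
    Rule("login/min_password_lng", lambda v: v >= 8, ">= 8 characters"),
    Rule("login/fails_to_session_end", lambda v: 1 <= v <= 3, "1..3 failed attempts end the session"),
    Rule("login/fails_to_user_lock", lambda v: 1 <= v <= 5, "1..5 failed attempts lock the user"),
    Rule("login/password_expiration_time", lambda v: 1 <= v <= 90, "password expires within 90 days"),
]


def parse_parameters(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; '#' starts a comment, blank lines are skipped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_parameters(params: Dict[str, str]) -> List[str]:
    """Return one finding per baseline rule that is unset, non-numeric or out of range."""
    findings: List[str] = []
    for rule in BASELINE:
        value = params.get(rule.param)
        if value is None:
            # An unset parameter silently falls back to the kernel default, so report it.
            findings.append(f"{rule.param}: not set (kernel default applies); expected {rule.expectation}")
            continue
        try:
            number = int(value)
        except ValueError:
            findings.append(f"{rule.param}: non-numeric value {value!r}")
            continue
        if not rule.ok(number):
            findings.append(f"{rule.param} = {number}; expected {rule.expectation}")
    return findings


# Constructed sample exports: a weak profile beside a hardened one.
WEAK_PROFILE = """
login/min_password_lng = 3
login/fails_to_session_end = 99
login/password_expiration_time = 0   # 0 = passwords never expire
"""

HARDENED_PROFILE = """
login/min_password_lng = 10
login/fails_to_session_end = 3
login/fails_to_user_lock = 5
login/password_expiration_time = 60
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        findings = check_parameters(parse_parameters(profile))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Running it lists four findings for the weak profile (short minimum length, a lockout counter that never triggers, a missing user-lock parameter and non-expiring passwords) and none for the hardened one. Keep the baseline in the script under version control so the auditor can see what "good" meant at the time of each review.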

Select a sample of :-

* Changes to user master records, profiles and authorizations, and ensure the changes were properly approved.
(The changes can be viewed with transaction SECR.)

* Ensure that security administration is properly segregated. At a minimum there should be separate administrators
responsible for:

- User master maintenance. (This process can be further segregated by user group.)

- User profile development and profile activation. (These processes can be further segregated.)

* Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization
objects to ensure:

- They can be easily managed.

- They will not be overwritten by a subsequent release upgrade (for Release 2.2 names should begin with Y_ or Z_; for
Release 3.0 with Z_ only).

* Assess through audit information system (SECR) or through a review of table USR02, whether user master records have
been properly established and in particular:

- The SAP_ALL profile is not assigned to any user master records.

- The SAP_NEW profile is not assigned to any user master records. Verify that procedures exist for assigning new
authorization objects from this profile to users following installation of new SAP releases.

* Assess, through a review of the use of the authorization object S_TABU_DIS and of the table authorization classes
(TDDAT), whether:

- All system tables are assigned an appropriate authorization class.

- Users are assigned system table maintenance access (through S_TABU_DIS) based on authorization classes
commensurate with their job responsibilities.

* Assess, through a review of the use of the authorization objects S_PROGRAM and S_EDITOR and of the program classes
(TRDIR), whether:

- All programs are assigned the appropriate program class.

- Users are assigned program classes commensurate with their job responsibilities.

* Ensure, through a review of a sample of in-house developed programs, that the program code either:

- Contains an AUTHORITY-CHECK statement referring to an appropriate authorization object and a valid set of values; or

- Contains an INCLUDE statement, where the included program contains an AUTHORITY-CHECK statement referring to
an appropriate authorization object and a valid set of values.
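The USR02 review above (no SAP_ALL or SAP_NEW assignments, validity periods for temporary staff) is usually done by downloading the table and reading it by eye. The script below is an added example, not from the original post, of doing the same review over an export. It assumes a semicolon-separated extract with the USR02 fields BNAME, CLASS (user group), GLTGV and GLTGB (validity dates in SAP's YYYYMMDD form, 00000000 meaning "not set") plus a comma-separated list of the user's assigned profiles; the sample rows, the TEMP user group standing for temporary staff, and the review date are all constructed for illustration.

```python
"""Review an exported list of user master records for the findings the audit list names.

Added example, not from the original post. The export layout (USR02 fields plus a
PROFILES column), the 'TEMP' user group and the review date are constructed.
"""
import csv
import io
from datetime import date
from typing import Dict, List, Optional

FORBIDDEN_PROFILES = {"SAP_ALL", "SAP_NEW"}   # must not be assigned to any user master record
TEMP_USER_GROUPS = {"TEMP"}                    # constructed: user groups that denote temporary staff

# Constructed export. GLTGB = 00000000 means the record has no validity end date.
USER_EXPORT = """BNAME;CLASS;GLTGV;GLTGB;PROFILES
ADMIN1;SUPER;20000101;00000000;SAP_ALL,SAP_NEW
CLERK1;FI;20000101;00000000;Z_FI_CLERK
CONTRACT1;TEMP;20010301;00000000;Z_MM_BUYER
CONTRACT2;TEMP;20010301;20010630;Z_MM_BUYER
"""

AUDIT_DATE = date(2001, 9, 1)   # constructed "today" for the review


def parse_export(text: str) -> List[Dict]:
    """Read the semicolon-separated export; PROFILES becomes a list of profile names."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter=";")
    rows = []
    for row in reader:
        row["PROFILES"] = [p for p in row["PROFILES"].split(",") if p]
        rows.append(row)
    return rows


def sap_date(value: str) -> Optional[date]:
    """Convert an SAP YYYYMMDD date; empty or 00000000 means 'not set'."""
    if not value or value == "00000000":
        return None
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def review_users(rows: List[Dict], today: date) -> List[str]:
    """Return one finding line per violated check."""
    findings: List[str] = []
    for row in rows:
        user = row["BNAME"]
        profiles = set(row["PROFILES"])
        # SAP_ALL / SAP_NEW must not appear on any user master record.
        for p in sorted(profiles & FORBIDDEN_PROFILES):
            findings.append(f"{user}: profile {p} assigned")
        # Temporary staff must have a validity end date set.
        valid_to = sap_date(row["GLTGB"])
        if row["CLASS"] in TEMP_USER_GROUPS and valid_to is None:
            findings.append(f"{user}: temporary staff without validity end date")
        # An expired record that still exists is worth a question even if it cannot log on.
        if valid_to is not None and valid_to < today:
            findings.append(f"{user}: validity expired {valid_to.isoformat()}; record still present")
    return findings


def run_review() -> List[str]:
    """Run the review over the constructed export as of AUDIT_DATE."""
    return review_users(parse_export(USER_EXPORT), AUDIT_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

Against the sample, ADMIN1 is reported twice (SAP_ALL and SAP_NEW), CONTRACT1 is a temporary user with no end date, and CONTRACT2's validity ran out before the review date. Each finding then goes back to the approval records to confirm whether it was authorised.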

I think an auditor would want to know what methods you are using to approve who gets what profile, and what method you are using to document it, so that if you review your documentation you could compare it with what authorizations the user currently has and determine whether the user has more authorizations (roles) than he has been approved for by the approval system in place.
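The last sampling item in the list above, checking that in-house programs carry an AUTHORITY-CHECK either directly or through an INCLUDE, is tedious by hand once there are more than a handful of Z programs. The script below is an added example, not from the original post, of automating that pass over source that has been downloaded from the system. It assumes each program is available as (TRDIR program type, source text), with type `1` for executable programs and `I` for includes; the ABAP snippets and the names ZRPT_*, ZINC_AUTHCHECK and Z_REPORT are constructed. It strips ABAP comments first, so a commented-out check does not count, and an INCLUDE whose source was not downloaded contributes nothing, so the calling program shows up as unprotected rather than being silently passed.

```python
"""Check that in-house ABAP programs carry an AUTHORITY-CHECK, directly or via an INCLUDE.

Added example, not from the original post. The sources below are constructed
snippets; program type follows TRDIR ('1' = executable program, 'I' = include).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# ABAP keywords are case-insensitive; a full-line comment starts with '*' in column 1,
# an inline comment starts with a double quote.
AUTH_RE = re.compile(r"AUTHORITY-CHECK\s+OBJECT\s+'([^']+)'", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\s*INCLUDE\s+(\S+?)\s*\.", re.IGNORECASE | re.MULTILINE)

# Constructed sources: name -> (program type, source).
SOURCES: Dict[str, Tuple[str, str]] = {
    "ZRPT_DIRECT": ("1", """REPORT zrpt_direct.
AUTHORITY-CHECK OBJECT 'Z_REPORT'
  ID 'ACTVT' FIELD '03'.
IF sy-subrc <> 0.
  MESSAGE e001(00) WITH 'No authorization'.
ENDIF.
"""),
    "ZRPT_VIA_INCLUDE": ("1", """REPORT zrpt_via_include.
INCLUDE zinc_authcheck.
"""),
    "ZINC_AUTHCHECK": ("I", """* Shared authority check include
AUTHORITY-CHECK OBJECT 'Z_REPORT' ID 'ACTVT' FIELD '03'.
"""),
    "ZRPT_COMMENTED": ("1", """REPORT zrpt_commented.
* AUTHORITY-CHECK OBJECT 'Z_REPORT' ID 'ACTVT' FIELD '03'.
WRITE 'unprotected'.   " the check above is commented out
"""),
    "ZRPT_MISSING_INC": ("1", """REPORT zrpt_missing_inc.
INCLUDE zinc_not_downloaded.
"""),
}


def strip_comments(source: str) -> str:
    """Drop '*' full-line comments and everything after an inline '"' comment."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        kept.append(line.split('"', 1)[0])
    return "\n".join(kept)


def checked_objects(program: str, sources: Dict[str, Tuple[str, str]],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Authorization objects checked by `program`, following INCLUDEs recursively.

    `seen` guards against include cycles; a missing include contributes nothing."""
    seen = set() if seen is None else seen
    key = program.upper()
    if key in seen or key not in sources:
        return set()
    seen.add(key)
    code = strip_comments(sources[key][1])
    objects = set(AUTH_RE.findall(code))
    for inc in INCLUDE_RE.findall(code):
        objects |= checked_objects(inc, sources, seen)
    return objects


def audit(sources: Dict[str, Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each executable program to the objects it checks; an empty set is a finding."""
    return {name: checked_objects(name, sources)
            for name, (subc, _) in sources.items() if subc == "1"}


def unprotected_programs(sources: Dict[str, Tuple[str, str]]) -> List[str]:
    """Sorted names of executable programs with no reachable AUTHORITY-CHECK."""
    return sorted(name for name, objs in audit(sources).items() if not objs)


if __name__ == "__main__":
    for name, objs in audit(SOURCES).items():
        print(f"{name}: {', '.join(sorted(objs)) or 'NO AUTHORITY-CHECK'}")
```

On the sample, ZRPT_DIRECT and ZRPT_VIA_INCLUDE both resolve to Z_REPORT, while ZRPT_COMMENTED (check commented out) and ZRPT_MISSING_INC (include not available) are reported as unprotected. Finding the object is only half the check; the reviewer still has to confirm the ID/FIELD values are the right ones for that program.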

Audit of SAP multiple logons

When a user logs onto SAP multiple times a selection screen pops up.

If the user wants to continue with the multiple logon the following message is part of the option:

"If you continue with this logon without ending any existing logons to system, this will be logged in the system. SAP reserves the right to view this information."

If you have users who are logging in with other users' logins and you need to see where this information is stored, check the table 'USR41_MLD' via transaction code 'SE16'.

The field 'Counter' tells you how many times the user has performed a multiple logon.

The steps required to audit at the user level

The following will help you understand how to audit at the user level:

Creating a User Audit Profile
1. Log on to any client in the appropriate SAP system.
2. Go to transaction SM19.
3. From the top-most menu bar on the Security Audit: Administer Audit Profile screen, click Profile -> Create.
4. On the Create new profile popup, type in a new Profile name and click the green Enter picture-icon.
5. On the Filter 1 tab of the Security Audit: Administer Audit Profile screen, click the box to the left of Filter active to place a tick in it. In the Selection criteria section, select the Clients and User names to be traced. In the Audit classes section, switch on all the auditing functions you need for this profile. In the Events section, click the radio button to the left of the level of auditing you need. Once you have entered all your trace information, click the Save picture-icon. You will receive an "Audit profile saved" message in the status bar at the bottom of the screen.
6. Please note that while the user trace profile has been saved, it is not yet active. To activate the user trace, see the next section Activating a User Audit Profile.
7. You may now leave the SM19 transaction.

Activating a User Audit Profile
1. Log on to any client in the appropriate SAP system.
2. Go to transaction SM19.
3. On the Security Audit: Administer Audit Profile screen, select the audit profile to be activated from the Profile dropdown. Click the lit match picture-icon to activate it. You will receive an "Audit profile activated for next system start" message in the status bar at the bottom of the screen. The audit will not begin until after the SAP instance has been recycled.
4. You may now leave the SM19 transaction.

Viewing the Audit Analysis Report
1. Log on to any client in the appropriate SAP system.
2. Go to transaction SM20.
3. In the Selection, Audit classes, and Events to select sections of the Security Audit Log: Local Analysis screen, provide your information to filter the audit information. If you need to trace the activities of a specific user, be sure to include that user's ID. Click the Re-read audit log button.
4. The resulting list is displayed. This list can be printed using the usual methods.
5. You may now leave the SM20 transaction.
