In this phase, the authorizations created in the previous phase are tracked. Detailed records of system events are used to tie every action back to the unique user account identifier that performed it. Auditing and monitoring activities should be in line with the enterprise's overall IT strategy and should be performed on a weekly, monthly,
quarterly and yearly basis.
Figure 3
A monitoring plan should include some key tasks. The following reviews
should be part of any sound monitoring plan.
Using System Logs and Security Audit Logs
The system log (transaction SM21) records critical system events. Each
application server maintains its own local log file, to which entries are
written periodically. The security audit log (configured with SM19 and read
with SM20) records events such as successful and unsuccessful dialog logon
attempts, RFC logon attempts, changes to user master records, and
transaction starts.
Reviewing User Activity
All SAP system users must be monitored continuously so that problems are
detected and corrected as soon as they occur. Prompt attention to user
problems also reduces administration overhead.
For example, to check for unrecognized user IDs, or for users attempting
transactions they are not permitted to run, an administrator can execute
transaction AL08, which lists the users currently logged on across all
application servers together with the transaction each is running, and
review the user activity there.
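A review of the security audit log and of user activity of the kind described in the two sections above, as an added example in Python; it is not part of the original text and is not SAP code. The log lines are constructed to resemble an export of the security audit log in a simplified semicolon-separated form (date;time;client;user;terminal;message ID;text). The message IDs are assumed to be the standard audit log IDs (AU1 logon successful, AU2 dialog logon failed, AU3 transaction started, AU6 RFC/CPIC logon failed, AU7 user created, AU8 user deleted, AU9 user locked, AUA user unlocked) and should be verified in SM20 on your own system; the admin user list, the critical transaction list and the thresholds are hypothetical site settings.

```python
"""Review of a SAP security audit log export (constructed sample, not a real SM20 dump)."""
from collections import defaultdict
from datetime import datetime

# Assumed standard audit-log message IDs: verify against SM20 on your own system.
FAILED_LOGON = {"AU2", "AU6"}                      # dialog / RFC-CPIC logon failed
USER_MASTER_CHANGE = {"AU7", "AU8", "AU9", "AUA"}  # user created / deleted / locked / unlocked
TX_START = "AU3"
LOGON_OK = "AU1"
DEFAULT_USERS = {"SAP*", "DDIC", "EARLYWATCH"}     # delivered users that should never log on
CRITICAL_TX = {"SU01", "PFCG", "SE16", "SE38", "SM59", "RZ10", "SU10"}  # hypothetical site list
ADMIN_USERS = {"BASISADM"}     # hypothetical: the only users permitted to run CRITICAL_TX
FAIL_THRESHOLD = 3             # failures within FAIL_WINDOW_SEC that raise a finding
FAIL_WINDOW_SEC = 600

# Constructed sample export: date;time;client;user;terminal;message ID;message text
SAMPLE_LOG = """\
20240311;08:01:12;100;JSMITH;WS-0412;AU1;Logon successful (type=A, method=A)
20240311;08:02:40;100;PJONES;WS-0210;AU2;Logon failed (reason=1, type=A, method=A)
20240311;08:02:51;100;PJONES;WS-0210;AU2;Logon failed (reason=1, type=A, method=A)
20240311;08:03:05;100;PJONES;WS-0210;AU2;Logon failed (reason=1, type=A, method=A)
20240311;08:15:00;100;JSMITH;WS-0412;AU3;Transaction SE16 started
20240311;08:20:33;100;BASISADM;WS-0001;AU7;User TEMP01 created
20240311;09:00:00;000;SAP*;WS-0099;AU1;Logon successful (type=A, method=A)
20240311;09:05:00;100;BASISADM;WS-0001;AU3;Transaction PFCG started
"""


def parse(text):
    """Turn the export into dicts; malformed lines are skipped rather than guessed at."""
    rows = []
    for line in text.splitlines():
        parts = line.split(";", 6)
        if len(parts) != 7:
            continue
        date, time, client, user, terminal, msgid, msg = parts
        rows.append({
            "ts": datetime.strptime(date + time, "%Y%m%d%H:%M:%S"),
            "client": client, "user": user, "terminal": terminal,
            "msgid": msgid, "text": msg,
        })
    return rows


def review(rows):
    """Return (finding, (client, user), detail) tuples for the reviewer."""
    findings = []
    failures = defaultdict(list)          # (client, user) -> timestamps of failed logons
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["client"], r["user"])
        if r["msgid"] in FAILED_LOGON:
            failures[key].append(r["ts"])
            recent = [t for t in failures[key]
                      if (r["ts"] - t).total_seconds() <= FAIL_WINDOW_SEC]
            if len(recent) == FAIL_THRESHOLD:   # report once, when the threshold is crossed
                findings.append(("REPEATED_LOGON_FAILURE", key, r["ts"].isoformat()))
        elif r["msgid"] in USER_MASTER_CHANGE:
            # every change to a user master record goes to the reviewer, with the actor
            findings.append(("USER_MASTER_CHANGE", key, r["text"]))
        elif r["msgid"] == TX_START:
            tx = r["text"].split()[1]       # "Transaction SE16 started" -> "SE16"
            if tx in CRITICAL_TX and r["user"] not in ADMIN_USERS:
                findings.append(("CRITICAL_TX_BY_NON_ADMIN", key, tx))
        elif r["msgid"] == LOGON_OK and r["user"] in DEFAULT_USERS:
            findings.append(("DEFAULT_USER_LOGON", key, r["terminal"]))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(*finding)
```

On the constructed sample this reports the three failed logons by PJONES as one burst, SE16 started by a non-admin, the creation of TEMP01 (for confirmation against a change request) and a dialog logon by SAP* in client 000; PFCG started by BASISADM is not reported because that user is on the permitted list.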
Monitoring User Access in the BASIS User Group
BASIS users in a SAP system have access to sensitive areas of the
organization, so it is vital to monitor their access. The following
instructions can be used to check the access of the BASIS user group.
Instruction Set
Enter transaction SUIM to open the User Information System.
Follow the menu path:
User > Lists of users (according to selection criteria) > user IDs (double
click), and restrict the selection to the user group BASIS.
Monitoring Change Requests
All change requests need to be properly reviewed and controlled before they
are applied. This formal process needs to be detailed enough to ensure that
segregation of duties and other controls are not breached. Strong knowledge
of how the SAP system is integrated is required for this review. Critical
profiles, authorizations and transactions need to be identified and treated
with extra care.
Checking Important Default SAP Profiles
Administrators must check that the profiles SAP delivers are used only as
templates for customer-defined profiles and are never assigned directly to
users in production. These SAP-delivered profiles grant very broad
authorizations (SAP_ALL, for example, grants every authorization in the
system). They include: SAP_ALL, SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ,
S_A.DEVELOP, S_A.DOKU, S_A.SYSTEM, S_A.USER, S_ENT_IMG_GE, S_WF_ALL, and
P_ALL.
Changing Default SAP User IDs
SAP comes with some pre-configured clients (independent business units).
They are clients 000, 001 and 066 in a non-IDES system; in an IDES system,
client 800 is the default client. The SAP installation process automatically
creates default user IDs with well-known default passwords. SAP
administrators must ensure that these are not used to access the system. The
following table lists the default user IDs in the various SAP clients.
User ID | Client | User Function
SAP* | 000 and 001 | The default super user; has all administrative powers.
DDIC | 000 and 001 | Responsible for maintenance of the ABAP/4 Dictionary and the software logistics.
EarlyWatch | 066 | Has access only to monitoring and performance data.
Instruction Set
Change all default passwords and verify each change by logging on to each
client.
Assign SAP* to the user group SUPER.
Enter transaction SE16 and open table USR02 (the user master table).
Enter SAP* into the field called BNAME.
Click "Execute" and verify the record.
As a final step, check that the secret super user has been created (with a
different user ID and password). All of the authorizations assigned to SAP*
should then be removed (an empty profile list), followed by a password
change. Do not delete the SAP* user master record: if no SAP* record exists
in a client, SAP falls back to a built-in SAP* logon with the password PASS
unless the profile parameter login/no_automatic_user_sapstar is set to 1. Set
that parameter and keep the now powerless SAP* record in every client.