The system log records critical information about important events.
Each application server maintains local log files to which this
information is written periodically. The security audit log records events such
as successful and unsuccessful dialog log-on attempts, RFC log-on attempts,
changes to user master records, and transaction starts.
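To show what a reviewer actually does with those recorded events, here is an added example (not part of the original page): a small script that parses constructed audit-log lines and raises findings for repeated failed logons, user master record changes, and interactive logons with default user IDs. The line layout, the event names and the threshold are assumptions for this example; the real security audit log is reviewed through transaction SM20 and has its own format.

```python
from collections import Counter

# Constructed sample audit-log lines (not real SAP output; the real security
# audit log is reviewed in transaction SM20 and has its own layout). The
# whitespace-separated field order is an assumption for this example:
#   date time client user terminal event [detail]
SAMPLE_AUDIT_LINES = """\
20240301 080102 100 JSMITH PC0123 DIALOG_LOGON_OK
20240301 080230 100 MJONES PC0456 DIALOG_LOGON_FAIL
20240301 080235 100 MJONES PC0456 DIALOG_LOGON_FAIL
20240301 080241 100 MJONES PC0456 DIALOG_LOGON_FAIL
20240301 081000 100 RFCUSER PC0789 RFC_LOGON_FAIL
20240301 082000 100 JSMITH PC0123 USER_MASTER_CHANGE MJONES
20240301 082500 100 JSMITH PC0123 TX_START SU01
20240301 083000 000 SAP* PC0999 DIALOG_LOGON_OK
"""

# Default user IDs named on the page; an interactive logon with one of
# them is a finding on its own.
DEFAULT_USER_IDS = {"SAP*", "DDIC", "EARLYWATCH"}

# Number of failed logons per user at which a finding is raised (assumed).
FAILED_LOGON_THRESHOLD = 3


def parse_audit_lines(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 6:
            continue  # blank or truncated line
        date, time, client, user, terminal, event = parts[:6]
        events.append({
            "date": date, "time": time, "client": client,
            "user": user.upper(), "terminal": terminal, "event": event,
            "detail": parts[6] if len(parts) > 6 else "",
        })
    return events


def failed_logon_counts(events):
    """Failed dialog and RFC logons per (client, user)."""
    counts = Counter()
    for e in events:
        if e["event"] in ("DIALOG_LOGON_FAIL", "RFC_LOGON_FAIL"):
            counts[(e["client"], e["user"])] += 1
    return counts


def review(events, threshold=FAILED_LOGON_THRESHOLD):
    """Return the findings a reviewer would look at first."""
    findings = []
    for (client, user), n in sorted(failed_logon_counts(events).items()):
        if n >= threshold:
            findings.append(f"{client}/{user}: {n} failed logons")
    for e in events:
        if e["event"] == "USER_MASTER_CHANGE":
            findings.append(
                f"{e['client']}/{e['user']} changed user master record {e['detail']}")
        elif e["event"] == "DIALOG_LOGON_OK" and e["user"] in DEFAULT_USER_IDS:
            findings.append(
                f"{e['client']}/{e['user']}: interactive logon with a default user ID")
    return findings


if __name__ == "__main__":
    for finding in review(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(finding)
```

On the constructed sample the script reports three findings: the three failed logons by MJONES, the user master change made by JSMITH, and the interactive logon with SAP* in client 000; the single RFC logon failure stays below the threshold.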
Reviewing User Activity
All SAP system users must be continuously monitored so that their problems can be rectified as soon as they occur. Timely attention to user problems can reduce administration overheads.
For example, if an SAP administrator wants to check for
unrecognized user IDs or for users trying to use non-permitted transactions,
the administrator can execute transaction AL08 and review user activity.
Monitoring User Access in the BASIS User Group
The BASIS users in an SAP system have access to sensitive areas
of an organization. Therefore it is vital to monitor their access. The following
instructions can be performed to check the access of the BASIS user group.
Instruction Set
- Enter transaction SUIM to view the repository information of the system.
- Follow the menu path: User > Lists of users (according to selection criteria) > User IDs (double-click).
Monitoring Change Requests
All change requests need to be properly reviewed and controlled
prior to being applied. This formal process needs to be detailed enough to
ensure that separation of duties and other control features are not breached.
Strong knowledge of how the SAP system is integrated is required for this review.
Critical profiles, authorizations, and transactions need to be identified and
treated even more carefully.
Checking Important Default SAP Profiles
Administrators must check that default profiles act as a template
for user-defined profiles and are not directly used in production. Default
profiles contain values that apply to all application servers. These include:
SAP_ALL, SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ, S_A.DEVELOP, S_A.DOKU, S_A.SYSTEM,
S_A.USER, S_ENT_IMG_GE, S_WF_ALL, and P_ALL.
Changing Default SAP User IDs
SAP comes with some pre-configured clients (independent business
units). They are clients 000, 001 and 066 in a non-IDES system. In an IDES
system, client 800 is the default client. The SAP installation process
automatically creates default user IDs and their corresponding passwords. SAP
administrators must ensure that these are not used to access the system. The
following table explains the default user IDs in the various SAP clients.
| User ID | Client | User Function |
|---|---|---|
| SAP* | 000 and 001 | SAP* denotes the default super user and has all administrative powers. |
| DDIC | 000 and 001 | The DDIC user is responsible for the maintenance of the ABAP/4 Dictionary and the software logistics. |
| EarlyWatch | 066 | The EarlyWatch user has access only to monitoring and performance data. |
Instruction Set
- Change all default passwords and verify the password change by logging into the various clients.
- Assign SAP* to the Super user group.
- Enter transaction SE16.
- Enter SAP* into the field called BNAME.
- Click "Execute" and verify.
As a final step, check that the secret super user has been created (with a different user ID and password). All of the authorizations assigned to SAP* should then be removed (an empty profile list), followed by a password change.
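The two checks above, default profiles not assigned directly to production users and default user IDs with their profiles removed and the account locked, are easy to forget when done by eye across several clients. The following added example (not code from the original page) runs them over a constructed CSV export of user-to-profile assignments, such as one saved from an SE16 review of the user master. The CSV layout, the Z_* profile names and the expectation that default IDs are locked are assumptions for this example; the profile and user ID lists come from the page.

```python
import csv
import io

# Default profiles named on the page; they are templates and should not be
# assigned directly to production users.
DEFAULT_PROFILES = {
    "SAP_ALL", "SAP_NEW", "S_A.ADMIN", "S_A.CUSTOMIZ", "S_A.DEVELOP",
    "S_A.DOKU", "S_A.SYSTEM", "S_A.USER", "S_ENT_IMG_GE", "S_WF_ALL", "P_ALL",
}

# Default user IDs named on the page.
DEFAULT_USER_IDS = {"SAP*", "DDIC", "EARLYWATCH"}

# Constructed sample export (not real data). The CSV layout is an
# assumption: one row per user per client, profiles separated by ';',
# locked = X when the account is locked. The Z_* profile names are made up.
SAMPLE_EXPORT = """\
client,user,profiles,locked
000,SAP*,SAP_ALL;SAP_NEW,
001,SAP*,,X
000,DDIC,SAP_ALL;SAP_NEW,
066,EARLYWATCH,Z_MONITOR_ONLY,
100,JSMITH,SAP_ALL,
100,MJONES,Z_FI_CLERK,
"""


def parse_export(text):
    """Read the CSV export into a list of user records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "client": row["client"].strip(),
            "user": row["user"].strip().upper(),
            "profiles": [p.strip() for p in row["profiles"].split(";") if p.strip()],
            "locked": row["locked"].strip().upper() == "X",
        })
    return records


def audit(records):
    """Return (client, user, issue) tuples for a reviewer to follow up."""
    findings = []
    for r in records:
        if r["user"] in DEFAULT_USER_IDS:
            # Page guidance: SAP* should end up with an empty profile list.
            if r["user"] == "SAP*" and r["profiles"]:
                findings.append((r["client"], r["user"],
                                 "SAP* still holds profiles " + ";".join(r["profiles"])))
            # Assumption for this example: default IDs are expected to be
            # locked, since the page says they must not be used for access.
            if not r["locked"]:
                findings.append((r["client"], r["user"], "default user is not locked"))
        else:
            # Any production user holding a template profile directly.
            direct = sorted(set(r["profiles"]) & DEFAULT_PROFILES)
            if direct:
                findings.append((r["client"], r["user"],
                                 "default profile assigned directly: " + ";".join(direct)))
    return findings


def users_with_profile(records, profile):
    """All (client, user) pairs holding a profile, e.g. to see who has SAP_ALL."""
    return sorted((r["client"], r["user"]) for r in records if profile in r["profiles"])


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for client, user, issue in audit(recs):
        print(f"{client}/{user}: {issue}")
    print("SAP_ALL holders:", users_with_profile(recs, "SAP_ALL"))
```

On the sample, SAP* in client 001 passes (locked, empty profile list) while SAP* in client 000 is flagged twice, DDIC and EarlyWatch once each for not being locked, and JSMITH for holding SAP_ALL directly; the users_with_profile helper gives the reviewer the full list of SAP_ALL holders to compare against the intended secret super user.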