SAP Security and Authorization Concepts
R/3 audit review questions

Here is a list of items most commonly reviewed by internal/external auditors when reviewing your R/3 system. It is always a good idea to review this list a couple of times a year and to take the appropriate steps to tighten your security.

Review the following:

* System security file parameters (TU02) (e.g. password length/format, forced password sessions, user failures to end
  Security-Parameter-Settings-Documentation
* Setup and modification of user master records follows a specific procedure and is properly approved by management.
* Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone
* An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help
* A user master record is created for each user defining a user ID and password. Each user is assigned to a user group, in
* Check objects (SU24) have been assigned to key transactions to restrict access to those transactions.
* Authorization objects and authorizations have been assigned to users based on their job responsibilities.
* Authorization objects and authorizations have been assigned to users ensuring segregation of duties.
* Users can maintain only system tables commensurate with their job responsibilities.
* Validity periods are set for user master records assigned to temporary staff.
* All in-house developed programs contain authority check statements to ensure that access to the programs is properly

Select a sample of:

* Changes to user master records, profiles and authorizations, and ensure the changes were properly approved.
* Ensure that security administration is properly segregated. At a minimum there should be separate administrators for:
  - User master maintenance. (This process can be further segregated by user group.)
  - User profile development and profile activation. (These processes can be further segregated.)
* Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization
  - They can be easily managed.
  - They will not be overwritten by a subsequent release upgrade (for Release 2.2 should begin with Y_ or Z_ and for
* Assess, through the audit information system (SECR) or through a review of table USR02, whether user master records have
  - The SAP_ALL profile is not assigned to any user master records.
  - The SAP_NEW profile is not assigned to any user master records.
  Verify that procedures exist for assigning new
* Assess and review the use of the authorization object S_TABU_DIS and review table authorization classes
  - All system tables are assigned an appropriate authorization class.
  - Users are assigned system table maintenance access (through S_TABU_DIS) based on authorization classes
* Assess and review the use of the authorization objects S_Program and S_Editor and review program classes
  - All programs are assigned the appropriate program class.
  - Users are assigned program classes commensurate with their job responsibilities.
* Ensure through a review of a sample of:
  - In-house developed programs that the program code either:
    - Contains an Authority-Check statement referring to an appropriate authorization object and valid set of values; or
    - Contains a program Include statement, where the referred program contains an Authority-Check statement referring to
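The two checklist items above that an auditor reads code for (tables carry an authorization class, and in-house programs carry an AUTHORITY-CHECK with a sensible object and values) can be illustrated in one short report. The following is an added example, not code from the original page or from erpgreat.com: a hypothetical report Z_AUDIT_AUTHCHECK_DEMO that looks up the authorization class of the table it is about to maintain in TDDAT and then performs the same S_TABU_DIS check that SM30/SE16 would perform. The report name and the table name ZCUSTOM_RATES are assumptions; S_TABU_DIS, its fields DICBERCLS and ACTVT, and table TDDAT are standard.

```abap
*&---------------------------------------------------------------------*
*& Report Z_AUDIT_AUTHCHECK_DEMO (hypothetical name, added example)
*& Shows the AUTHORITY-CHECK pattern an auditor looks for in an
*& in-house program that maintains a customizing/system table.
*&---------------------------------------------------------------------*
REPORT z_audit_authcheck_demo.

TYPE-POOLS abap.   " abap_bool / abap_true / abap_false on older releases

* Constructed input: the table this report is going to maintain.
* ZCUSTOM_RATES is an assumed name, not a real table.
PARAMETERS p_tab TYPE tabname DEFAULT 'ZCUSTOM_RATES'.

*---------------------------------------------------------------------*
* FORM check_table_access
* Reads the table's authorization class (TDDAT-CCLASS) and checks
* S_TABU_DIS for that class with activity 02 (change).
* cv_allowed is abap_true only if both steps succeed.
*---------------------------------------------------------------------*
FORM check_table_access USING    iv_tabname TYPE tabname
                        CHANGING cv_allowed TYPE abap_bool.
  DATA lv_class TYPE tddat-cclass.

  cv_allowed = abap_false.

  " Audit item: every system table must carry an authorization class.
  SELECT SINGLE cclass FROM tddat INTO lv_class
    WHERE tabname = iv_tabname.
  IF sy-subrc <> 0 OR lv_class IS INITIAL.
    " Unclassified table: refuse instead of silently widening access.
    RETURN.
  ENDIF.

  " Audit item: check against an appropriate object with real values.
  " Same object and fields that SM30 / SE16 evaluate for table access.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_class
    ID 'ACTVT'     FIELD '02'.
  IF sy-subrc = 0.
    cv_allowed = abap_true.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  DATA lv_allowed TYPE abap_bool.

  PERFORM check_table_access USING    p_tab
                             CHANGING lv_allowed.

  IF lv_allowed = abap_false.
    " Type E aborts the report; nothing below runs without the check.
    MESSAGE 'No authorization to maintain this table' TYPE 'E'.
  ENDIF.

  " ... the actual table maintenance logic belongs here, and only here.
```

Two points worth noting for the review. First, SAP treats a table with no entry in TDDAT as belonging to class &NC& (not classified), which is often granted broadly; the example refuses such tables outright so that the "every table has a class" audit item fails loudly instead of being bypassed. Second, the checklist accepts either the AUTHORITY-CHECK inline or an INCLUDE that carries it; moving FORM check_table_access into a shared include satisfies the second form without changing the check itself.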
I think an auditor would want to know what methods you are using to approve who gets what profile and what method you are using to document it so that if you review your documentation you could compare it with what authorization the user currently has and determine if the user has more authorizations (roles) than he has been approved for by the approval system in place.
Best regards,
All the site contents are Copyright © www.erpgreat.com
and the content authors. All rights reserved.