Applies to:
This document describes new functionality that can be implemented in SAP to save security consultants' time. For more information, visit the Security homepage.
Summary
This document describes new functionality that can be implemented in SAP to save a security consultant's time. It will help security consultants track user changes in more detail, which is useful during audit activities.
Author Bio
I am Sandip Maiti. At present I work in SAP Security at IBM. I have been working on SAP security for the last two years. I have completed my training on SAP R/3 Security (ADM940, ADM950 and ADM960) at the SAP academy.
Table of Contents
Problems with Security Consultants
Way to Resolve the Issue
Conclusion
Disclaimer and Liability Notice
All request-related and approval-related information is recorded in the incident/ticket. So if we can record the incident/ticket number in the change document of the user, the audit data can easily be found during an audit.
To solve this, new functionality can be implemented in SAP.
We can create three new transactions to add the new functionality. They may be named SU01E, SU10E and PFCGE (E stands for ‘Evidence’).
With the new functionality in place, when we change a user through SU01E and save, a new window appears to capture the <reason of changes>. A ticket number or any other comment can be entered there, which will help us find the evidence later, much as we already do for role changes in the role description. That input can be linked to a USR02E table (E = ‘Evidence’), or any new table, and to the user change document, so that it appears together with the user change document.
Mass user changes may again be harder to track. To solve this, one mandatory field <Reason of change> can be added to the SU10E screen. The value entered there should be linked to USR02E and the user change document.
One more field should be created in the role to implement this properly in transaction PFCGE: on the User tab of the role, a new mandatory field <Reason of change> can be created. For mass assignment of a role to users, we need to assign the roles from PFCGE. There we can enter the ticket number, which will then show in the user change document.
For a single user unlock or password reset, a new window should also appear on the screen to capture the <reason of change>.
[Figure: new pop-up after a password reset or user lock/unlock done through SU01E]
So if we are able to implement the above functionality and link these changes to a table that is connected with the user change document, we can easily find the evidence for a change from the change document. This will save a security consultant's productive time.
Filling in the additional mandatory fields will take some extra time, but this will make SAP more independent and save comparatively more time overall. It will also be helpful for the auditors and make SAP more secure.
Because non-production systems do not normally come under audit activity, this functionality can be deactivated there. For this, a <new parameter> should be created for the new functionality, so that the mandatory field can be deactivated on non-production systems.
The <Reason of change> window can also be customized by each organization. Specific values can be defined there, and the field can then be filled by selecting from them. This will make it more familiar to the organization.
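A small model of the proposal above, added here as an illustration; it is not SAP code and not the author's. The table layout, column names, the `REASON_MANDATORY` switch (standing in for the <new parameter>) and the sample users and ticket numbers are all assumptions.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical stand-in for the proposed <new parameter>: True on production,
# False on systems where the mandatory field is deactivated.
REASON_MANDATORY = True

def open_evidence_store():
    """In-memory stand-in for the proposed USR02E evidence table (layout assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE usr02e (
        changed_user TEXT NOT NULL,  -- user master record that was changed
        changed_by   TEXT NOT NULL,  -- administrator who made the change
        changed_at   TEXT NOT NULL,  -- UTC timestamp of the save
        tcode        TEXT NOT NULL,  -- SU01E, SU10E or PFCGE
        action       TEXT NOT NULL,  -- e.g. UNLOCK, PASSWORD_RESET, ROLE_ASSIGN
        reason       TEXT            -- ticket number or free-text comment
    )""")
    return db

def record_change(db, users, changed_by, tcode, action, reason, mandatory=None):
    """Write one evidence row per affected user; refuse the save without a reason."""
    mandatory = REASON_MANDATORY if mandatory is None else mandatory
    reason = (reason or "").strip()
    if mandatory and not reason:
        raise ValueError("Reason of change is mandatory on this system")
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    db.executemany(
        "INSERT INTO usr02e VALUES (?, ?, ?, ?, ?, ?)",
        [(u, changed_by, ts, tcode, action, reason or None) for u in users],
    )
    return len(users)

def evidence_for(db, user):
    """Auditor's lookup: every recorded change to one user, with its reason."""
    rows = db.execute(
        "SELECT tcode, action, changed_by, reason FROM usr02e "
        "WHERE changed_user = ? ORDER BY rowid", (user,))
    return rows.fetchall()

if __name__ == "__main__":
    db = open_evidence_store()
    # Constructed sample data: one single-user change and one mass change.
    record_change(db, ["JSMITH"], "SECADMIN", "SU01E", "UNLOCK", "INC0001234")
    record_change(db, ["JSMITH", "AKUMAR"], "SECADMIN", "SU10E",
                  "ROLE_ASSIGN", "CHG0005678")
    for row in evidence_for(db, "JSMITH"):
        print(row)
```

A mass change writes the same reason against every affected user, so the lookup for any one of them returns the ticket without searching the ticketing system.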
Conclusion
I have used some transactions as examples for the idea above (SU01E, SU10E and PFCGE). But the idea can be implemented for every transaction that offers no way to document changes, where those changes matter for audit and the data is very difficult to find. This will help all consultants who work in SAP as administrators. It will also make change document data more useful for audit.
This is also a very small piece of functionality and should not impact the performance of the system. If we are able to implement it in SAP itself, it will make SAP more efficient and will be helpful in proceeding with our day-to-day work. This standard documentation procedure for production systems will also make them more secure.
A GRC tool is now available to streamline the overall procedure. It helps us with the approval procedure, SOD checks and so on. But with it we cannot find the reason for a particular change within a very short time, especially for changes made through a mass user change request. Nor does it give us the required information as directly as the new functionality can.