
New Functionality in SAP to Save Time of Security Consultants

Applies to:
This document describes a new functionality that can be implemented in SAP to save the time of security
consultants. For more information, visit the Security homepage.

Summary
This document describes a new functionality that can be implemented in SAP to save the time of a security
consultant. It will help security consultants to track changes made to users in more detail, which will help
them during audit activities.

Author: Sandip Maiti


Company: IBM
Created on: 19 August 2009

Author Bio
I am Sandip Maiti. Presently I am working in SAP Security at IBM. I have been working on SAP security for the
last two years. I have completed my training on SAP R/3 Security (ADM940, ADM950 and ADM960) at the SAP
Academy.

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com


© 2009 SAP AG 1

Table of Contents
Problems with Security Consultants
Way to Resolve the Issue
Conclusion
Disclaimer and Liability Notice


Problems with Security Consultants


As security consultants we normally perform user administration and role administration activities, and we
also have to collect audit evidence for these activities. During an audit we need to find the reason for, and
the evidence behind, each piece of user administration and role administration work. Sometimes an end user
who is suddenly facing an authorization issue comes to the security consultant to ask why his or her access
was changed. It is very difficult to find the reason for an access change within a short time, so the
consultant has to spend a lot of time collecting audit evidence. This causes a loss of productive time for a
technical consultant.
To solve this problem, a new functionality can be implemented in SAP that will help us to collect evidence
and avoid this loss of productive time.
All role administration evidence can be found in the role description, because we normally maintain the
change details and the request number in the description of the role. But for user administration activities
such as user creation, password reset, user unlock and authorization changes, there is no place in the SAP
system to document any information about the reason for the change.
In the change document of a user we can find out what was changed, when it was changed and who changed it,
but there is no place to document the reason for the change in the SAP system. It is also not possible to
document all the evidence in the system: this kind of evidence is logged in the ticketing tool, and each
request in the ticketing tool has a specific identifier in the form of a ticket number or incident number.
The most common process flow for security related work in any organization is:
- Create a request for the authorization in SAP. There must be some ticketing tool for the request.
- Security consultants provide a solution for the issue.
- Check for SOD conflicts, if there is any possibility of one.
- Go through the approval process.
- The request is then executed by the consultants.

All the request related information and approval related information is recorded in the incident/ticket. So
if we can record the incident/ticket number in the change document of the user, the audit data can easily be
found during an audit.
To achieve this, a new functionality can be implemented in SAP.


Way to Resolve the Issue


If during an audit we can find the ticket number through which a particular change was made, then the audit
related issue is solved. But in SAP there is no arrangement or functionality available to track the request
number of a particular change.
This can be implemented within SAP.
For user administration we mainly use three transactions:
1. SU01/SU10 – for user creation and role assignment.
2. PFCG – for adding a single role to a mass number of users.

We can create three new transactions to add the new functionality. These transactions may be named SU01E,
SU10E and PFCGE (E stands for 'Evidence').
With the new functionality implemented, when we make changes to any user through SU01E and save the document,
a new window will appear to capture the <reason of change>. There the ticket number or any other comment can be
entered, and this will help us to find the evidence, just as we do today for role changes in the role
description. The new input can be linked to a USR02E table (E = 'Evidence'), or any new table, and to the
user change document, so that it appears in the user change document together with the user change itself.

[Figure: New pop-up before saving the changes made through SU01E]

For mass user changes there may again be some difficulty in tracking this. To solve it, one mandatory field
<Reason of change> can be added to the SU10E screen, and the value entered there is linked to USR02E and the
user change document.


[Figure: New SU10E screen]

One more field should also be created in the role to implement this properly in transaction PFCGE. In the user
tab of the role, a new mandatory field <Reason of change> can be created. For mass assignment of a role to
users, we assign the role from PFCGE, and there we can enter the ticket number, which will then be shown in the
user change document.


[Figure: New PFCGE screen]

For a single user unlock or password reset, a new window should also appear on the screen to capture the
<reason of change>.

[Figure: New pop-up after a password reset or user lock/unlock performed through SU01E]

So if we are able to implement the above functionality and link these changes to a table that is connected
with the user change document, then we can easily find the evidence for the changes from the change document.
This will save productive time for a security consultant.
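An added example of how the evidence would be read back during an audit (not code from the original article): an ABAP report that lists each entry of a user's change history beside the ticket recorded in the proposed evidence table. It assumes the logon-data change history table USH02 stands in for the "user change document", and that the evidence table is the customer table ZUSR02E (keys BNAME, MODDA, MODTI, MODBE, plus TICKET and REASON) written by the SU01E/SU10E/PFCGE wrappers; rows with no ticket are changes made outside the new transactions, for example through plain SU01.

```abap
*& Report ZUSR_EVIDENCE_AUDIT (hypothetical name): for one user and a
*& date range, list every logon-data change from USH02 next to the
*& ticket recorded in the assumed evidence table ZUSR02E.
REPORT zusr_evidence_audit.
PARAMETERS: p_bname TYPE xubname OBLIGATORY.
SELECT-OPTIONS: s_modda FOR sy-datum.
TYPES: BEGIN OF ty_row,
         bname  TYPE xubname,
         modda  TYPE d,
         modti  TYPE t,
         modbe  TYPE xubname,
         ticket TYPE c LENGTH 20,
         reason TYPE c LENGTH 100,
       END OF ty_row.
DATA: lt_rows TYPE STANDARD TABLE OF ty_row,
      ls_row  TYPE ty_row,
      lv_gaps TYPE i.
" Left outer join: a change with no evidence row keeps an empty ticket.
" MODTI is deliberately left out of the join condition: SU01 writes the
" change history a moment after the popup is answered, so the times
" need not match exactly; user, date and changer are enough to pair them.
SELECT h~bname h~modda h~modti h~modbe e~ticket e~reason
  FROM ush02 AS h
  LEFT OUTER JOIN zusr02e AS e
    ON  e~bname = h~bname
    AND e~modda = h~modda
    AND e~modbe = h~modbe
  INTO CORRESPONDING FIELDS OF TABLE lt_rows
  WHERE h~bname = p_bname
    AND h~modda IN s_modda.
SORT lt_rows BY modda modti.
WRITE: / 'Date', 12 'Time', 22 'Changed by', 36 'Ticket', 58 'Reason'.
LOOP AT lt_rows INTO ls_row.
  WRITE: / ls_row-modda, 12 ls_row-modti, 22 ls_row-modbe.
  IF ls_row-ticket IS INITIAL.
    " Change made outside the evidence transactions (e.g. plain SU01):
    " this is exactly the gap an auditor will ask about.
    WRITE: 36 'NO EVIDENCE' COLOR COL_NEGATIVE.
    lv_gaps = lv_gaps + 1.
  ELSE.
    WRITE: 36 ls_row-ticket, 58 ls_row-reason.
  ENDIF.
ENDLOOP.
WRITE: / 'Changes without a recorded reason:', lv_gaps.
```

Role assignment changes are recorded in other change history tables than USH02, so a complete audit report would repeat the same join for those tables.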


[Figure: New user change document]

This will again take some more time because of the additional mandatory fields, but it will make SAP more
independent and save comparatively more time overall. It will also be helpful for auditors and will make SAP
more secure.
Since non-production systems normally do not come under audit activity, this functionality can be deactivated
there. For this a <new parameter> should be created for the new functionality, so that the mandatory field
can be deactivated on non-production systems.
The <Reason of change> window can also be customized by each organization: specific values can be added
there, and the field can be filled through a selection procedure. This will make it more familiar to the
organization.
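An added ABAP example, not from the original article, of the <reason of change> capture described above for SU01E together with the <new parameter> that switches it off on non-production systems. The form name, the evidence table ZUSR02E (standing in for the article's USR02E) and the switch table ZUSR02E_SWITCH are assumed customer objects; the pop-up itself is the standard function module POPUP_GET_VALUES.

```abap
*& Hypothetical include for the SU01E wrapper, called right before the
*& user master is saved. Assumed customer objects (not from the article):
*&   ZUSR02E        keys BNAME MODDA MODTI MODBE, plus TICKET and REASON
*&   ZUSR02E_SWITCH one row, field EVID_ACTIVE ('X' = enforce the popup);
*&                  this plays the role of the <new parameter>
FORM capture_change_evidence USING    iv_bname TYPE xubname
                             CHANGING cv_ok    TYPE abap_bool.
  DATA: lv_active TYPE c LENGTH 1,
        lt_fields TYPE STANDARD TABLE OF sval,
        ls_field  TYPE sval,
        lv_rc     TYPE c LENGTH 1,
        ls_evid   TYPE zusr02e.
  cv_ok = abap_false.
  " <new parameter>: enforce the mandatory field only where the switch is
  " set, so non-production systems that are not audited are not slowed down.
  SELECT SINGLE evid_active FROM zusr02e_switch INTO lv_active.
  IF sy-subrc <> 0 OR lv_active <> 'X'.
    cv_ok = abap_true.                 " nothing to record on this system
    RETURN.
  ENDIF.
  " <reason of change> popup: TICKET is mandatory, REASON is optional.
  " SVAL rows take label, length and input check from the DDIC fields.
  ls_field-tabname = 'ZUSR02E'.  ls_field-fieldname = 'TICKET'.
  ls_field-field_obl = 'X'.
  APPEND ls_field TO lt_fields.
  CLEAR ls_field.
  ls_field-tabname = 'ZUSR02E'.  ls_field-fieldname = 'REASON'.
  APPEND ls_field TO lt_fields.
  CALL FUNCTION 'POPUP_GET_VALUES'
    EXPORTING  popup_title = 'Reason of change (ticket / incident number)'
    IMPORTING  returncode  = lv_rc
    TABLES     fields      = lt_fields
    EXCEPTIONS OTHERS      = 1.
  IF sy-subrc <> 0 OR lv_rc = 'A'.     " cancelled: caller must not save
    RETURN.
  ENDIF.
  " Key mirrors the change history USH02 (user, date, time, changer), so
  " the evidence row can later be joined to the user change document.
  ls_evid-bname = iv_bname.
  ls_evid-modda = sy-datum.
  ls_evid-modti = sy-uzeit.
  ls_evid-modbe = sy-uname.
  READ TABLE lt_fields INTO ls_field INDEX 1.
  ls_evid-ticket = ls_field-value.
  READ TABLE lt_fields INTO ls_field INDEX 2.
  ls_evid-reason = ls_field-value.
  INSERT zusr02e FROM ls_evid.         " same LUW as the user master save
  cv_ok = boolc( sy-subrc = 0 ).
ENDFORM.
```

The wrapper transaction saves the user master only when cv_ok is true, so the evidence row and the change document are committed together; the same form can be reused by the SU10E and PFCGE wrappers for each affected user.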


Conclusion
I have given some transactions as examples of the new idea described above (SU01E, SU10E and PFCGE). But
this idea can be implemented for every transaction where there is no way to document changes, where those
changes are important in terms of audit, and where it is very difficult to find that data. This will help
all consultants who work in SAP as administrators, and it will make the change document data more useful in
terms of audit.
This is also a very small functionality and should not impact the performance of the system. If we are able
to implement the new functionality in SAP itself, it will make SAP more efficient and will be helpful in our
day to day work. This standard documentation procedure for production systems will also make them more
secure.
A GRC tool is now available for making the overall procedure more streamlined. It is helpful to us in terms
of the approval procedure, SOD checks and so on. But it cannot tell us the reason for any particular change
within a very short time, especially for changes that were made through a mass user change request, and it
does not provide the required information as directly as the new functionality can.


Disclaimer and Liability Notice


This document may discuss sample coding or other information that does not include SAP official interfaces and therefore is not
supported by SAP. Changes made based on this information are not supported and can be overwritten during an upgrade.
SAP will not be held liable for any damages caused by using or misusing the information, code or methods suggested in this document,
and anyone using these methods does so at his/her own risk.
SAP offers no guarantees and assumes no responsibility or liability of any type with respect to the content of this technical article or
code sample, including any liability resulting from incompatibility between the content within this document and the materials and
services offered by SAP. You agree that you will not hold, or seek to hold, SAP responsible or liable with respect to the content of this
document.
