We are CentinelBox, the best solution for managing the security of your SAP ERP system.
The queries made by auditors always give us a headache, either because the right answer is difficult to find or because they force us to dedicate time that we do not have.
That is, a headache always!
After reviewing the system with their own software tools, they hand us reports raising issues we must respond to, such as the following:
1. Users with critical authorisation objects assigned.
2. Users who have made use of critical transactions.
3. Users with privileges to run jobs.
4. Non-current users who still have roles assigned
5. Users assigned SAP_ALL and other equivalent or similar.
6. Z/Y transactions without authority check
I must also mention the SAP audit of user accounts, which always detects more accounts than contracted and/or accounts not qualified according to the license type.
There are two ways to deal with this dilemma: directly in SAP, or with CentinelBox.
The answer to each of these points is as follows:
1. Users with critical authorisation objects assigned.
Direct in SAP:
To answer this, I need to review the roles assigned to these users and look for which of the requested values are present in those roles. The SAP transaction SUIM sometimes helps, but it could take at least 2 to 4 hours to respond, depending on the reported users and the number of roles they have assigned.
With CentinelBox: The answer in a couple of clicks!
2. Users who have made use of critical transactions.
Direct in SAP:
First, download the log (Security Audit Log) for the period that has been reported.
For each user / transaction, extract the usage information and prepare a response describing the context in which it was used.
If I must unassign the transaction from a user, I must determine in which role it is assigned … for this I can rely on SUIM.
Time for this, not counting the download of the LOG: up to one hour for each case.
With CentinelBox: In a couple of clicks you can see a user's use of the transaction and, in another, in which roles that user has it assigned.
3. Users with privileges to run Jobs.
Direct in SAP:
With SUIM I can find out who is assigned the SM36 and SM37 transactions, and with the LOG downloaded in the previous point I know about their use. Time for each case: 30 minutes.
With CentinelBox: The answer in a couple of clicks!
4. Non-current users who still have roles assigned
Direct in SAP:
With SUIM, I can only see the assigned user-role relationship. The user's lock code is not available there; therefore, the list of current accounts must be downloaded with the same transaction and crossed with the previous one. Estimated time: 30 minutes.
With CentinelBox: The answer in one click!
5. Users assigned SAP_ALL and other equivalent or similar.
Direct in SAP:
With SUIM I can find out who is assigned the profiles …
With the downloaded LOG, I know about their use. Time for each case: 30 minutes.
With CentinelBox: And the answer is again in one click!
CentinelBox has defined 34 critical SAP standard profiles in its risk matrix.
6. Z/Y transactions without authority check
The interesting thing is to know the transactions that are in use, since the stock of Z/Y transactions can be very extensive.
Direct in SAP:
With SUIM, I can identify Z/Y transactions.
With the downloaded LOG, I know about their use.
I must download the table USOBT_C to know if each transaction is registered.
Then, by relating the three components, I will be able to know the information we are looking for, in an estimated time between 1 and hours.
With CentinelBox: And the answer is again in one click!
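The "Direct in SAP" cross-check for point 6, relating the Z/Y transaction list, the downloaded log and USOBT_C, can be scripted once the three downloads exist as CSV. This is an added example, not CentinelBox code or an SAP tool; the column names (`tcode`, `user`, `NAME`, `OBJECT`) and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports. Column names are assumptions for this example,
# not the layout SAP produces; adapt them to your own downloads.
CUSTOM_TCODES_CSV = """tcode
ZFI_PAY
ZMM_STOCK
YSD_PRICE
ZHR_OLD
"""
AUDIT_LOG_CSV = """user,tcode
JPEREZ,ZFI_PAY
JPEREZ,ZFI_PAY
MROJAS,ZMM_STOCK
MROJAS,SM37
ALOPEZ,ysd_price
"""
USOBT_C_CSV = """NAME,OBJECT
ZMM_STOCK,M_MSEG_BWA
SM37,S_BTCH_JOB
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _norm(value):
    # Exports may differ in case and padding; compare on a normalised form.
    return value.strip().upper()


def unregistered_in_use(tcodes_csv, log_csv, usobt_c_csv):
    """Z/Y transactions seen in the log but absent from USOBT_C, with use counts per user."""
    custom = {_norm(r["tcode"]) for r in _rows(tcodes_csv)}
    custom = {t for t in custom if t.startswith(("Z", "Y"))}
    registered = {_norm(r["NAME"]) for r in _rows(usobt_c_csv)}
    usage = defaultdict(lambda: defaultdict(int))
    for r in _rows(log_csv):
        tcode = _norm(r["tcode"])
        if tcode in custom and tcode not in registered:
            usage[tcode][_norm(r["user"])] += 1
    return {t: dict(users) for t, users in sorted(usage.items())}


if __name__ == "__main__":
    for tcode, users in unregistered_in_use(CUSTOM_TCODES_CSV, AUDIT_LOG_CSV, USOBT_C_CSV).items():
        print(tcode, users)
```

Transactions that exist but never appear in the log (ZHR_OLD in the sample) are left out, which keeps the answer limited to the transactions actually in use.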