In This Session
• Learn about:
Important audit concerns in an SAP Access Control environment
Control objectives of auditing SAP Access Control
• Gain an understanding of:
Major risks associated with the identified control weaknesses
Preventative measures to remediate identified risks and possible issues
• Learn how to implement and operate an audit-compliant SAP Access Control system
What We’ll Cover
• Why, when, and what of an SAP Access Control audit
• Technical and system information
• Workflow and authorizations
• Time zone and documentation
• Archiving and disaster recovery
• Wrap-up
The Big Picture – System Architecture
Source: SAP Access Control sizing guide
Why Audit SAP Access Control?
• A system audit is an exercise performed to gain assurance that defined controls work as
intended, thereby reducing the likelihood of fraudulent or malicious activities
It involves verifying conformance to policies and procedures through careful
review of objective and empirical evidence
• SAP Access Control is the compliance tool in the SAP system landscape; hence, it needs
to be self-compliant
Compromise of the tool can mean compromise of the entire system (SAP and non-SAP)
in the landscape
• Evaluation of the organization’s internal control design
• Gain assurance on the operating effectiveness of defined controls
When to Audit
• Review of the SAP Access Control system should be performed:
Pre-go-live
Post-go-live
On an ongoing basis
• Irrespective of the timing, you should check the controls defined in the system against
what is defined in the security policies of the organization
What to Audit
• Technical Infrastructure
Hardware – Memory, CPU, etc.
Software – SAP component, databases, operating system
Network
• Processes
• Master data
• Internal controls and policies
• Customization settings
• Documentation
What Happens If You Do Not Audit
• Business implications
Possible compromise of the compliance tool
Loss of goodwill for the organization
Payment of huge fines
Inability of the business to continue to operate, in extreme cases
• Technical implications
System performance degradation
Knowledge transfer gaps
Error-prone system
System unavailability
Obsolete functionalities
Technical and System Information
• Technical installation validation
• Activation of Internet Communication Framework (ICF) Services
• Background jobs administration and monitoring
• Integration with back-end systems
• Performance optimization
Technical Installation Validation
• Installation of SAP Access Control requires installation of:
SAP
Database
Operating system
• Major risk
The system might be:
Error prone
Unusable
Missing functionalities
• Preventative measures
Ensure that the systems run the required, correct, and current software components
and products
Technical Installation Validation (cont.)
• SAP Access Control 10.x requires the following GRC software components and other
dependent components:
GRCFND_A — Mandatorily installed on the GRC server
GRCPINW — Mandatorily installed on the back-end system
GRCPIERP — Optionally installed on the back-end system
Confirm GRCPIERP is installed if you need specific functionalities like HR triggers
Requires SAP_ABA and SAP_HR software components
• Gain assurance about the consistency and synchronization requirement with the support
package (SP) levels of the foundation and plug-in components
For SAP GRC 10.0 (prior to SP10), the version of the SP GRC foundation component
and the plug-in must be the same
Technical Installation Validation (cont.)
• Auditors must be assured that all required software components are installed
Setup of Adobe Document Services (which requires a Java instance) is required for
PDF reports
Crystal Reports ALV adapter is required for generating Crystal Report-based reports
• The technical review should evaluate the currency of software components
Current support package is implemented
Kernel is upgraded to the current patch level
Important SAP Notes are implemented (e.g., SAP Note 1545511)
Current operating system and database patches are deployed
Activation of ICF Services
• ICF supports the processing of HTTP, HTTPS, or SMTP requests in the ABAP work
processes of an SAP system
• As part of the post-installation activities, you need to activate a number of ICF services
• Major risk
The system might be vulnerable to Internet (external) browser-based attacks
• Preventative measure
Enforce control in the activation of ICF services
Only activate ICF services on a need-to-do basis
Activation of ICF Services (cont.)
• It is possible to explicitly assign a user to an ICF service
This is commonplace when end-user log-on functionality is implemented
The authorization assigned to the user in the system must be adequately controlled
• Check that ICF services are prevented from using functions that present a risk
Confirm that the following administrator settings are configured (transaction SICF,
menu path Goto > Settings):
Do not allow recording function
Do not allow trace function
Do not allow debugging function
Do not allow runtime analysis function
Background Jobs Administration and Monitoring
• Background jobs are programs or a collection of programs that can be executed by
background work processes
• Different background jobs are normally scheduled in the system to ensure that activities
are performed properly
• Major risk
Data inconsistencies between the SAP GRC system and the satellite system
Smooth running of the system might be impacted if administrative background jobs are
not scheduled and executed successfully
• Preventative measure
Schedule (in the correct order) and monitor background jobs for successful completion
Background Jobs Administration and Monitoring (cont.)
• A meaningful job-naming convention is important so that support staff can quickly
identify the application area and purpose of a job
• Recommended structure for a background job name (e.g., S_PRD100_UK_SPM_WORKFLOWSYNC_H):
Prefix: Indicate if the job contains customer coding (Z) or SAP standard coding (S)
System/client: Indicate the involved system/client combination (e.g., PRD100)
Organization: Indicate the involved organizational information (e.g., abbreviations for
regions or countries [US, DE, FR])
Component: Involved component/application area such as ARA, SPM, CUP, and BRM
Job description: Specify a speaking name for the job (e.g., SPM_WORKFLOWSYNC)
Frequency: Job frequency (e.g., Hourly [H], Daily [D], Weekly [W])
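To show how such a convention can be checked mechanically over a job list exported from SM37, here is an added Python example (not part of the original deck). It treats the segments above as a fixed grammar and uses the S/Z, ARA/SPM/CUP/BRM and H/D/W values from the slide as the permitted sets; both the grammar and the value sets are assumptions of the example, and the sample job names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Permitted values taken from the slide; the regex shape is an assumption of this
# example (the slide describes the segments in prose, not as a grammar).
PREFIXES = {"S": "SAP standard coding", "Z": "customer coding"}
COMPONENTS = {"ARA", "SPM", "CUP", "BRM"}
FREQUENCIES = {"H": "hourly", "D": "daily", "W": "weekly"}
MAX_JOB_NAME_LEN = 32  # length of the SAP background job name field

# PREFIX_SYSTEMCLIENT_ORG_COMPONENT_DESCRIPTION_FREQUENCY; single-letter classes
# are kept loose so that a wrong prefix or frequency is reported, not just rejected.
JOB_NAME_RE = re.compile(
    r"^(?P<prefix>[A-Z])_"
    r"(?P<system>[A-Z0-9]{3})(?P<client>\d{3})_"
    r"(?P<org>[A-Z]{2,4})_"
    r"(?P<component>[A-Z]{3})_"
    r"(?P<description>[A-Z0-9]+(?:_[A-Z0-9]+)*)_"
    r"(?P<frequency>[A-Z])$"
)


@dataclass(frozen=True)
class JobName:
    prefix: str
    system: str
    client: str
    org: str
    component: str
    description: str
    frequency: str


def parse_job_name(name: str) -> Optional[JobName]:
    """Split a job name into its segments; None if it does not fit the convention."""
    m = JOB_NAME_RE.match(name)
    return JobName(**m.groupdict()) if m else None


def audit_job_name(name: str) -> list[str]:
    """Return audit findings for one job name; an empty list means compliant."""
    findings: list[str] = []
    if len(name) > MAX_JOB_NAME_LEN:
        findings.append(f"name exceeds {MAX_JOB_NAME_LEN} characters")
    parsed = parse_job_name(name)
    if parsed is None:
        findings.append("name does not follow PREFIX_SYSCLI_ORG_COMP_DESC_FREQ")
        return findings
    if parsed.prefix not in PREFIXES:
        findings.append(f"prefix {parsed.prefix!r} is neither S nor Z")
    if parsed.component not in COMPONENTS:
        findings.append(f"component {parsed.component!r} is not a known area")
    if parsed.frequency not in FREQUENCIES:
        findings.append(f"frequency {parsed.frequency!r} is not H, D or W")
    return findings


def audit_job_list(names: list[str]) -> dict[str, list[str]]:
    """Audit an exported job list and keep only the names that have findings."""
    result: dict[str, list[str]] = {}
    for name in names:
        findings = audit_job_name(name)
        if findings:
            result[name] = findings
    return result


# Constructed sample job list, as an auditor might copy it out of SM37.
SAMPLE_JOBS = [
    "S_PRD100_UK_SPM_WORKFLOWSYNC_H",  # compliant
    "Z_PRD100_DE_ARA_BATCH_RISK_D",    # compliant, customer coding
    "RISK_ANALYSIS_DAILY",             # no convention at all
    "S_PRD100_US_XYZ_LOGSYNC_H",       # unknown component area
    "S_PRD100_US_SPM_LOGSYNC_M",       # frequency letter not in the convention
]

if __name__ == "__main__":
    for name, findings in audit_job_list(SAMPLE_JOBS).items():
        print(name, "->", "; ".join(findings))
```

Jobs that do not parse at all are the ones worth asking the basis team about first: without the system/client and component segments nobody can tell from SM37 alone which application area a failed job belongs to.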
Background Jobs Administration and Monitoring (cont.)
• Ensuring data currency and consistency
Schedule standard background jobs in SAP Access Control to synchronize data
between the GRC system and satellite systems
• Major master data elements that need to be synchronized in the access control system
PFCG authorization
Profile
Roles
Users
Action usage
Role usage
EAM master data
Background Jobs Administration and Monitoring (cont.)
• The implication of failed synchronization jobs can be grave because outdated data can
expose the system to fraudulent activities. For example:
Access request might be routed to incorrect approver who might approve it based on
inadequate knowledge of the risk exposure
This can happen because data source information for approver determination is
unsynchronized
Detective control associated with the review of firefighter logs can be impaired
This can happen if the background job responsible for collecting firefighting session
logs and sending them to the controller fails to execute successfully
Background Jobs Administration and Monitoring (cont.)
• An auditor will be interested in ascertaining that the background jobs that drive data
synchronization are always executed successfully as scheduled
• Sequence of execution of these background jobs is also an important consideration
during a technical review
• Recommended sequence for background job execution:
1. Program GRAC_PFCG_AUTHORIZATION_SYNC
2. Program GRAC_REPOSITORY_OBJECT_SYNC
3. Program GRAC_ACTION_USAGE_SYNC
4. Program GRAC_ROLE_USAGE_SYNC
Background Jobs Administration and Monitoring (cont.)
• Other programs that should be reviewed to ensure they are properly scheduled include:
Batch risk analysis: Program GRAC_BATCH_RISK_ANALYSIS
Firefighter logs collection: Program GRAC_SPM_LOG_SYNC_UPDATE
Firefighter workflow synchronization: Program GRAC_SPM_WORKFLOW_SYNC
IDM schema update: Program GRAC_SCHEMA_UPDATE
• Check the status of background jobs via transaction SM37
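As an added example that is not from the deck, the following Python reads a constructed tab-separated job overview (the column layout and dd.mm.yyyy date format are assumptions, modelled loosely on an SM37 list export) and checks the three points above: that the four synchronization programs finished in the recommended order, that none of the required programs was cancelled, and that every required program has at least one successful run in the export.

```python
from dataclasses import dataclass
from datetime import datetime

# Program names as listed on the slides; the order is the recommended sequence.
RECOMMENDED_SEQUENCE = [
    "GRAC_PFCG_AUTHORIZATION_SYNC",
    "GRAC_REPOSITORY_OBJECT_SYNC",
    "GRAC_ACTION_USAGE_SYNC",
    "GRAC_ROLE_USAGE_SYNC",
]
OTHER_REQUIRED = [
    "GRAC_BATCH_RISK_ANALYSIS",
    "GRAC_SPM_LOG_SYNC_UPDATE",
    "GRAC_SPM_WORKFLOW_SYNC",
    "GRAC_SCHEMA_UPDATE",
]


@dataclass(frozen=True)
class JobRun:
    job_name: str
    program: str
    start: datetime
    status: str  # SM37 status text, e.g. Finished, Canceled, Active, Released


def parse_sm37_export(text: str) -> list[JobRun]:
    """Parse a tab-separated job overview (assumed layout: job name, ABAP
    program, start date, start time, status)."""
    runs = []
    for line in text.strip().splitlines():
        job, program, date, time, status = line.split("\t")
        start = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
        runs.append(JobRun(job, program, start, status))
    return runs


def first_finished(runs: list[JobRun]) -> dict[str, datetime]:
    """Earliest successful start per program within the export."""
    first: dict[str, datetime] = {}
    for r in runs:
        if r.status == "Finished" and (r.program not in first or r.start < first[r.program]):
            first[r.program] = r.start
    return first


def sequence_findings(runs: list[JobRun]) -> list[str]:
    """Report sync programs whose first successful run broke the recommended order."""
    first = first_finished(runs)
    present = [p for p in RECOMMENDED_SEQUENCE if p in first]
    findings = []
    for earlier, later in zip(present, present[1:]):
        if first[later] < first[earlier]:
            findings.append(f"{later} ran before {earlier}")
    return findings


def failed_runs(runs: list[JobRun]) -> list[str]:
    """Job names of cancelled runs (SM37 status 'Canceled')."""
    return [r.job_name for r in runs if r.status == "Canceled"]


def missing_programs(runs: list[JobRun]) -> list[str]:
    """Required programs with no successful run anywhere in the export."""
    first = first_finished(runs)
    return [p for p in RECOMMENDED_SEQUENCE + OTHER_REQUIRED if p not in first]


# Constructed export covering one daily cycle: the action-usage sync ran before the
# repository sync, the firefighter log collection was cancelled, and two required
# programs were never scheduled.
SAMPLE_EXPORT = """\
S_PRD100_UK_ARA_PFCGSYNC_D\tGRAC_PFCG_AUTHORIZATION_SYNC\t10.03.2024\t01:00:05\tFinished
S_PRD100_UK_ARA_ACTIONUSAGE_D\tGRAC_ACTION_USAGE_SYNC\t10.03.2024\t01:30:12\tFinished
S_PRD100_UK_ARA_REPOSYNC_D\tGRAC_REPOSITORY_OBJECT_SYNC\t10.03.2024\t02:00:41\tFinished
S_PRD100_UK_ARA_ROLEUSAGE_D\tGRAC_ROLE_USAGE_SYNC\t10.03.2024\t02:30:03\tFinished
S_PRD100_UK_SPM_LOGSYNC_H\tGRAC_SPM_LOG_SYNC_UPDATE\t10.03.2024\t03:00:00\tCanceled
S_PRD100_UK_ARA_BATCHRISK_D\tGRAC_BATCH_RISK_ANALYSIS\t10.03.2024\t04:00:00\tFinished
"""
SAMPLE_RUNS = parse_sm37_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    print("sequence:", sequence_findings(SAMPLE_RUNS))
    print("cancelled:", failed_runs(SAMPLE_RUNS))
    print("missing:", missing_programs(SAMPLE_RUNS))
```

The sequence check deliberately uses the first successful run of each program in the cycle: a cancelled run followed by a manual restart still counts, so the finding reflects what the synchronized data actually saw rather than what was scheduled.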
Background Jobs Administration and Monitoring (cont.)
• A technical system auditor should be abreast of required background jobs that should be
scheduled for different underlying databases
• For example, the following database management-related background jobs should be
executed for a Microsoft SQL Server database:
CCMS Blocking Database Locks Statistics
CCMS Check Database (DBCC – Database Consistency Checker)
CCMS Update Table Statistics
MSSQL COLLECTOR
• Also, review the successful execution of administrative background jobs, such as report
RSBTCDEL (Delete Batch Job)
Background Jobs Administration and Monitoring (cont.)
• Variants eliminate the need to enter the same values in selection criteria fields
every time you execute a report
• This functionality is designed to reduce both data entry time and processing time of the
system, which makes it commonplace in every SAP system environment
• Variants should be reviewed for correctness and currency
• Ideally, variants that are no longer relevant in the system should be discontinued or
adjusted accordingly to avoid the chances of using them unknowingly
• You can review the entries in table TBTCP to assess the currency and relevance of
defined variants
Integration with Back-End Systems
• A typical SAP GRC system is made up of more than just the GRC box
It also contains other back-end systems, such as SAP ERP, SAP Enterprise Portal, or
Microsoft Active Directory
• GRC system is used to provision access to the back-end system
Or the back-end system is used as the data source for user authentication and user
details in the SAP Access Control system
• Major risk
Vulnerabilities and data inaccuracy in the back-end system can impact the operation of
the GRC system
• Preventative measure
Ensure appropriate security and data accuracy is enforced in the satellite systems
Integration with Back-End Systems (cont.)
• System review of back-end systems is just as important as system review of SAP Access
Control
• Security breaches in any dependent back-end system can impact the integrity of the
access control system
For example, if the HR system is designed as the source of user details (e.g., Personnel
Area drives the assignment of approval agent) and data maintained in the HR system is
not accurate, an access request can be incorrectly routed
• System auditor needs to be assured that systems connected to the GRC system are
performing their intended roles in terms of:
Functionality delivery
Data accuracy
System availability
Performance Optimization
• Performance of the SAP Access Control system is dependent on the following:
Master data volume
Transaction data volume
Configuration settings (customizing)
Number of concurrent users
Size of the system landscape (number of systems and available system resources)
• Major risk
Slowness or unavailability of the system
• Preventative measure
Optimal preliminary sizing, appropriate configuration settings, efficient
parameterization, and adequate capacity planning
Performance Optimization (cont.)
• If system performance is degraded, it can lead to unavailability of the access control
system and consequently affect functional use of the application
• Audit should be focused on data maintenance strategies such as:
Data prevention
Data deletion
Table indexing and data reorganization
• An auditor should review performance-centric customizing settings such as:
Indexing of tables
Profile parameter settings
Parameterization in IMG (configuration settings)
Performance Optimization (cont.)
• Indexing of tables
Fields MANDANT, UTIME, UDATE, USERNAME in table CDHDR (SAP Note 1039144)
Fields MANDT, LANGU, and FIELD in table GRACFLDSYST (SAP Note 1866822)
• Profile parameters
abap/heap_area_dia (limit of heap memory per dialog work process)
abap/heap_area_nondia (limit of heap memory per non-dialog work process)
abap/heap_area_total (limit of heap on application server)
em/initial_size_MB (initial size of extended memory pool)
abap/buffersize (program buffer size)
Performance Optimization (cont.)
• Parameterization in IMG
Default user type for risk analysis (Parameter 1026) set to DIALOG
Include locked users (Parameter 1031) set to No
Include expired users (Parameter 1028) set to No
Include mitigated risks (Parameter 1030) set to No
Ignore critical roles and profiles (Parameter 1031) set to Yes
Batch size for batch risk analysis (Parameter 1120)
Batch size for user sync (Parameter 1121)
Batch size for role sync (Parameter 1122)
Batch size for profile sync (Parameter 1123)
Workflow and Authorizations
• Definition and maintenance of rule set
• Workflow maintenance
• Change management
• Authorization management of technical users
• Firefighter ID login prohibition
• Segregation of duties
Definition and Maintenance of Rule Set
• Rule set is a group of data elements that collectively form the segregation of duties risks
and sensitive access risks in an enterprise
• Validation of the rule set normally involves the review of dependent master data elements
of a rule set, such as Risks and Functions (Actions and Permissions)
• Major risk
Access risk violations might be under-reported or over-reported
• Preventative measure
Ensure that SoD and sensitive access rules reflect the approved risk perception of the
enterprise
Definition and Maintenance of Rule Set (cont.)
• The review of the content of a rule set needs to be detailed
For example, the correctness of the absolute values defined for the corresponding
authorization objects
Authorization object values: 1 is not synonymous with 01, and “*” is not “any value”
• Check via transaction SCPR20 that SoD ruleset-related BC sets were activated without
errors
• Check that the operators (AND, OR, and NOT) used in the rule set definition are properly
defined
• Validate the access risk level to ensure correct master data attributes (e.g., risk levels)
are maintained
• Review the SoD rule set for completeness
Inclusion of custom transaction codes and sensitive access
Definition and Maintenance of Rule Set (cont.)
• Check for the existence of effective policies and procedures aimed at ensuring changes
to the rule set are made in a controlled manner
Transport changes to ruleset via IMG
Activate change log functionality so audit trail is available for an auditor to review
changes made to the elements of the rule set
Definition and Maintenance of Rule Set (cont.)
• Parameterization for ruleset changes – workflow
Parameter 1062: Risk Maintenance
Parameter 1064: Function Maintenance
Parameter 1101: Create Request for Risk Approval
Parameter 1102: Update Request for Risk Approval
Parameter 1103: Delete Request for Risk Approval
Parameter 1104: Create Request for Function Approval
Parameter 1105: Update Request for Function Approval
Parameter 1106: Delete Request for Function Approval
Workflow Maintenance
• Workflow is designed to ensure that activities within the system are properly reviewed
and approved by designated individuals before changes are made to specific information
or processes
This can include the provision of access to users or changes to master data, such as
functions or assignment of mitigating controls to users and roles
• Major risk
Approval requests might not be handled promptly or by the correct approver
• Preventative measure
Ensure the workflow mechanism is properly configured and the approver (agent)
master data is properly maintained
Workflow Maintenance (cont.)
• Approver delegation table should be reviewed to gain assurance that every approval
delegation entry is justifiable
• Review the status of email messages generated in the system over a period of time via
transaction SOST to ensure messages are not being trapped unnoticed
• Check that all users have their email addresses correctly maintained
Workflow Maintenance (cont.)
• Gain preliminary assurance that the workflow engine is working properly via transaction
SWU3
• An audit interest in a workflow process is who the actor (approver) is
The approver must be reviewed for correctness and currency at defined intervals
• Review the agent master data to ensure the workflow approval requests are routed to the
appropriate approvers and that approval requests are attended to promptly
Review Service Level Agreement (SLA) report if configured
Change Management
• The system landscape must be configured to adhere to at least the three-system
landscape, typically made up of the development, quality assurance, and production
systems
• Major risk
Data and customization setting inconsistencies, thus making the system error prone
• Preventative measure
Enforce control in the promotion of changed data or customizations across the system
landscape by avoiding performing customizing activities directly in production system
Change Management (cont.)
• System settings are designed to prevent changes to client-independent objects in
non-development systems
SE06 – Should be set to “Not modifiable”
• Production client settings should be reviewed for appropriateness via transaction SCC4
Recommended production client settings
Client-specific changes/transports – No Changes allowed
Cross-client object changes – No change to repository and cross-client customizing
objects
Protection: Client Copier and Comparison Tool – Protection level 2: No overwriting
and no external availability
CATT and eCATT restriction – CATT and eCATT not allowed
Change Management (cont.)
• Ascertain that all configuration changes, including master data (BRFplus rules [such as
logic and master data, approvers, or user defaults]), are tested before the changes are
promoted to destination/subsequent systems in the landscape
• For BRFplus objects – Local object vs. transportable object
Change Management (cont.)
• A number of master data items cannot be transported in SAP Access Control
These include reason codes, access control owner’s definition, coordinators, and
firefighter master data
• The authorization concept in conjunction with the SoD concept should be used to enforce
control in the management of the non-transportable master data
• Development and quality assurance systems also need to be secured appropriately
Defined security policy should address access rights, modification, and data
composition of the non-production systems
Authorization Management of Technical Users
• To operate the SAP Access Control system normally, some system users need to be
created and assigned specific authorizations
• Examples of these technical users are:
Remote Function Call (RFC) users
WF-BATCH users
• Major risk
The technical user account might be used for malicious activities in the system
• Preventative measure
Enforce control in the authorization assignment of technical users
Authorization Management of Technical Users (cont.)
• SAP recommends that the following authorization objects and values be assigned to the
RFC user for SAP Access Control:
ACTVT: 16
RFC_NAME: /GRCPI/GRIA, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUSR, SUUS,
SU_USER, SYST, SYSU
RFC_TYPE: FUGR
• WF-BATCH user is a communication user that is required to run the workflow engine
• Authorization assigned to these users must be well controlled
Check that SAP_ALL is not assigned to these users
Consult SAP Note 1251255 for WF-BATCH user authorization management
Don’t forget standard SAP users – SAP*, DDIC, SAPCPIC, etc.
Firefighter ID Login Prohibition
• Firefighting is the act of using privileged user accounts in times of emergency
• Because the firefighter ID possesses elevated privileges, it should not be directly used in
the back-end system
• Instead, it should be used via the assigned firefighter user on the SPM log-on pad
• Major risk
The firefighter ID (with privileged authorization) might be used to log on directly to the
back-end system to perform malicious activities and the logs will not be captured
• Preventative measure
Implement the user exit as described in SAP Note 1545511
Firefighter ID Login Prohibition (cont.)
• To enforce control around the use of the firefighter ID directly in the back-end system,
implement a user exit in the back-end system where the firefighter ID resides
• Check whether or not report ZXUSRU01 exists in the back-end system containing the
include /GRCPI/GRIA_USEREXIT (SAP Note 1545511)
• To further review if the user exit has been implemented, attempt to log on directly to the
back-end system using a firefighter ID
The action should trigger the display of a dialog box confirming you are not authorized
to directly log on
Segregation of Duties
• SoD forms part of the requirements of many regulations, including Sarbanes-Oxley
• The idea is to prevent a concentration of authority in specific users that would let them
carry out critical activities in the system on their own
• Major risk
Perpetration of malicious activities as a result of the possession of excessive
authorization
• Preventative measure
Employ the principle of “least privilege” in authorization assignment and grant
authorization on a “need-to-know” basis
Segregation of Duties (cont.)
• Check whether an SoD matrix of incompatible functions exists for the SAP Access Control system itself
For example, the person who creates a mitigating control should not be able to
maintain or assign the mitigating control
• A technical review should establish that the authorizations assigned to specific job roles
are optimal and do not in themselves create an SoD conflict
• SoD-centric configuration settings, such as the ones below, should be reviewed for
correctness and appropriateness:
Approver cannot approve his own request (EUP settings)
Firefighter ID owner can submit request for firefighter ID owned (Parameter 4013)
Firefighter ID controller can submit request for firefighter ID controlled (Parameter
4014)
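An added Python example, not part of the deck, that works through the mitigating-control case above. A small constructed rule set (placeholder function, action and role names, not SAP-delivered content) is evaluated against constructed user role assignments: each violated risk is reported with the roles that contribute to it and whether an assigned mitigating control covers it, roles that violate a risk on their own are listed separately, and the incompatible-function matrix implied by the rule set is derived.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed rule-set fragment for the GRC system itself. Function, action and
# role names are placeholders, not SAP-delivered rule-set content.
FUNCTIONS: dict[str, set[str]] = {
    "MC_CREATE": {"ACT_MC_CREATE"},                     # create a mitigating control
    "MC_ASSIGN": {"ACT_MC_MAINTAIN", "ACT_MC_ASSIGN"},  # maintain or assign it
    "RULE_MAINT": {"ACT_RISK_MAINT"},                   # maintain risks and functions
    "RISK_ANALYSIS": {"ACT_RISK_ANALYSIS"},             # run risk analysis
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str
    functions: frozenset  # AND: the risk applies when every function is held


RISKS = [
    Risk("AC01", "High", frozenset({"MC_CREATE", "MC_ASSIGN"})),
    Risk("AC02", "Medium", frozenset({"RULE_MAINT", "RISK_ANALYSIS"})),
]

ROLES: dict[str, set[str]] = {
    "Z_GRC_MC_OWNER": {"ACT_MC_CREATE"},
    "Z_GRC_MC_MONITOR": {"ACT_MC_MAINTAIN", "ACT_MC_ASSIGN"},
    "Z_GRC_RULE_ADMIN": {"ACT_RISK_MAINT", "ACT_RISK_ANALYSIS"},  # conflict inside one role
    "Z_GRC_DISPLAY": {"ACT_RISK_ANALYSIS"},
}
USERS: dict[str, set[str]] = {
    "ALICE": {"Z_GRC_MC_OWNER", "Z_GRC_MC_MONITOR"},  # creates and assigns controls
    "BOB": {"Z_GRC_RULE_ADMIN"},
    "CAROL": {"Z_GRC_MC_OWNER", "Z_GRC_DISPLAY"},
}
# (user, risk) pairs covered by an assigned mitigating control (constructed).
MITIGATIONS = {("BOB", "AC02")}


@dataclass(frozen=True)
class Finding:
    risk_id: str
    level: str
    status: str          # "Open" or "Mitigated"
    roles: tuple         # roles that contribute an action to the conflict


def functions_held(actions: set[str]) -> set[str]:
    """A function counts as held when at least one of its actions is available
    (a simplification: the real rule set also evaluates permission values)."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def conflicting_risks(actions: set[str]) -> list[Risk]:
    held = functions_held(actions)
    return [r for r in RISKS if r.functions <= held]


def analyze_user(user: str) -> list[Finding]:
    """Risks violated by the user's combined role assignments."""
    roles = USERS[user]
    actions = set().union(*(ROLES[r] for r in roles))
    findings = []
    for risk in conflicting_risks(actions):
        risk_actions = set().union(*(FUNCTIONS[f] for f in risk.functions))
        contributing = tuple(sorted(r for r in roles if ROLES[r] & risk_actions))
        status = "Mitigated" if (user, risk.risk_id) in MITIGATIONS else "Open"
        findings.append(Finding(risk.risk_id, risk.level, status, contributing))
    return findings


def roles_with_intrinsic_conflict() -> dict[str, list[str]]:
    """Roles that violate a risk on their own, before any user assignment."""
    result = {}
    for role, actions in ROLES.items():
        hits = [r.risk_id for r in conflicting_risks(actions)]
        if hits:
            result[role] = hits
    return result


def sod_matrix() -> set:
    """Incompatible function pairs implied by the rule set."""
    return {frozenset(p) for r in RISKS for p in combinations(sorted(r.functions), 2)}


if __name__ == "__main__":
    for user in USERS:
        print(user, analyze_user(user))
    print("roles conflicting on their own:", roles_with_intrinsic_conflict())
```

Reporting the contributing roles matters for remediation: ALICE's conflict is removed by taking away one of two roles, whereas BOB's comes from a single role and can only be fixed by splitting that role or by the mitigating control that the example shows assigned to him.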
Time Zone and Documentation
• Time zone setting
• Documentation
Time Zone Setting
• Output of some log reports generated for Emergency Access Management is based on
input in transaction STAD (SAP Workload: Business Transaction Analysis) in the plug-in
system
Reports in transaction STAD are based on operating system time
• Major risk
The difference in time zone is capable of impacting log collection, which will
consequently impact correct reporting of firefighting session activities in the satellite
system
This situation erodes the detective control capability of firefighter log review
• Preventative measure
Ensure the time zone of the operating system and the SAP NetWeaver® engine are in
sync in the SAP Access Control system and the satellite systems
Time Zone Setting (cont.)
• An auditor should ensure the appropriate operating system time zone setting is
maintained in the SAP Access Control system and the back-end system
It is best practice to have the same setting for:
The time zone of the operating system and the SAP NetWeaver system in the GRC
system
The time zone of the operating system and the SAP NetWeaver system in the plug-in
system (e.g., SAP ERP system)
• However, the time zone setting of the GRC system and the plug-in system need not
necessarily be the same
• The time zone setting of the SAP NetWeaver system can be checked via report
TZONECHECK (Check Time Zone Data for Consistency)
• More information in SAP Notes 1430336, 198411, and 481835
Documentation
• Documentation is an integral part of any business solution delivery project, and serves as
part of the knowledge transfer requirement
• Major risk
Knowledge gap may exist as it relates to the system design, configuration, and
operational activities, which can consequently impact the optimal support of the
system
• Preventative measure
Ensure documentation deliverables are agreed upon at project inception and
consequently approved by senior management
Documentation (cont.)
• Documentation related to the project should be assessed for completeness and
correctness and cover the following:
Technical installation, blueprint and system design, support and operation guide,
security and authorization design, testing materials, and users’ guide
• Documentation must be approved by designated individuals with at least one
representative from senior management or the project steering committee
• Changes to documentation need to be approved and versioned
• Security of where documents are stored needs to be reviewed to ensure they cannot be
tampered with or manipulated
• You can use SAP Solution Manager for document management
Data Archiving
• Aside from business requirements and corporate policies, prevailing legal and regulation
requirements influence data retention strategies adopted by an enterprise
• Data archiving also has a positive effect on system performance
• Major risk
System performance might be impaired and data retention policies might be flouted
• Preventative measure
Archive data at defined intervals and based on corresponding local and global
regulations
Data Archiving (cont.)
• Gain an understanding of the archiving strategy of an organization and apply that in
ensuring data is properly archived as scheduled using the appropriate tools
• The following archiving objects are available to archive access control-specific data via
transaction SARA:
GRFNMSMP – Archiving for GRC AC 2010 Requests
SPM_AU_LOG – SPM Audit Log Archive
SPM_CH_LOG – Change Log Archive
SPM_LOG – Archiving for SPM Log Reporting
SPM_OC_LOG – SPM OS Command Log Archiving
SPM_SY_LOG – SPM System Log Archival
• Check the integrity of the storage location of the archived data
Business Continuity and Disaster Recovery
• Impact of the unavailability of the SAP Access Control system should be analyzed and
documented
• System unavailability might present a window to perpetrate malicious activities,
especially when there are no tested procedures to address such business events or
scenarios
• Major risk
Data loss or inability to continue business operation in the event of a disaster
• Preventative measure
Ensure that appropriate business continuity plan and disaster recovery plans exist and
are tested at defined intervals
Business Continuity and Disaster Recovery (cont.)
• Check to ensure there are adequate processes and controls in place to address the
challenges that come with system unavailability or downtime (both planned and
unplanned)
• Gain assurance that business impact analysis has been performed
• Confirm that adequate and effective back-up and restore strategies exist
• Obtain test evidence of back-up and disaster recovery tests
Review the back-up log directly in the system via transaction DB12
• Technical review should also cover storage of back-up media and other back-up and
recovery conventional audit concerns, such as back-up frequency
Where to Find More Information
• Kehinde Eseyin, “How to Prepare for a Comprehensive System Audit and Technical
Review of SAP Access Control 10.0” (SAP Professional Journal, October 2013).
http://bit.ly/1G5aZzF
• SAP Access Control 10.1 Security Guide
http://bit.ly/15aAAq2 *
• Kehinde Eseyin, “10 Best Practices for Enforcing Data Security, Control, and Consistency
in the Software Logistics Process” (Financials Expert, March 2010).
http://bit.ly/1yp2ieD
• Kehinde Eseyin, “Combat Chaos with a Lock-Down Security Policy in 12 Key Areas of
Your SAP Environment” (Financials Expert, June 2009).
http://bit.ly/1x8phG9
* Requires login credentials to the SAP Service Marketplace
7 Key Points to Take Home
• Set the recommended administrator security-centric settings for ICF services
• Know the archiving objects relevant to SAP Access Control data
• Implement workflow verification using transaction SWU3
• Know specific authorizations to assign to RFC technical users
• Enhance system performance by using specific configuration and profile parameters
• Enhance system performance for derived role import and firefighter log collection by
indexing tables GRACFLDSYST and CDHDR respectively
• Use report TZONECHECK to check time zone settings for data consistency
Your Turn!
How to contact me:
Barun Kumar
Barun.Kumar@turnkeyconsulting.com
Please remember to complete your session evaluation
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.