This post is part 2 of our discussion on SAP Security Audit Guidelines. In the previous post, we had discussed about some of the important points which need to be followed for SAP Security Audit Guidelines. We would continue to do so in this part as well and try to cover as many important points as possible.
List of some common tables for which table logging should be enabled
Table |
Description |
|---|---|
T000 |
List of clients |
T001 |
Company Codes |
TSTC |
Definition of tcodes |
TOBJ |
Definition of Authorization objects |
TACTZ |
Valid activities |
TSTCP |
Parameters for Transactions |
TPGP |
Authorization Groups for Programs |
TBRG |
Authorization Groups for Tables |
TDDAT |
Table to Authorization group mapping |
TNRO |
Definition of number range objects |
TSTCA |
Values for Transaction code authorizations |
Some transaction codes are very critical and should not be assigned to any one in production system and should be locked. Also, there are some transaction codes which should only be assigned to Basis or Security team or to some super user roles. These super user roles can be assigned for temporary period of time based on emergency requirements after following a proper approval process. Below is a list of a few such critical transaction codes:
Critical Transaction Codes in Production:
Transaction Code |
Description |
Assignment Status in Production |
|---|---|---|
SU01 |
Create User |
Security Team |
SU10 |
Mass User creation |
Security Team |
PFCG |
Role Maintenance |
Display only version to Security Team |
ST01 |
System Trace |
Basis/Security Team |
SM19 |
Security Audit Configuration |
Basis/Security Team |
SM20 |
Analysis of Security Audit Log |
Basis/Security Team |
SM18 |
Reorganize Security Audit Log |
Basis Team |
EWZ5 |
Lock Users |
Security Team |
RZ10 |
Maintain Profile Parameters |
Basis Team |
SM12 |
Display and Delete Locks |
Basis Team |
SM04 |
User List |
Basis Team |
SM59 |
RFC Destinations (Display/Maintain) |
Basis Team |
SA38 |
ABAP Reporting |
Super User Role |
SP01 |
Output Controller |
Basis Team |
SECATT |
Extended Computer Aided Test Tool |
Super User Role |
SCC4 |
Client Administration |
Locked |
SE09 / SE10 |
Transport Organizer |
Locked |
SM49 |
Execute external OS commands |
Locked |
SM69 |
Maintain External OS Commands |
Locked |
SHD0 |
Transaction and Screen Variants |
Locked |
SE38 |
ABAP Editor |
Locked |
SE93 |
Maintain Transaction Codes |
Locked |
|
|
|
|
Lets have a look at some of the critical authorization objects in SAP. From Audit perspective, it is pertinent that special care must be taken while assigning full access ‘*’ to any field value.
- S_PROGRAM – All critical programs and reports should be linked with proper authorization groups. Appropriate action should be maintained for this object.
- S_TABU_DIS – Caution should be taken while maintaining change access for this object.
- S_TABU_CLI – Access to this object should be strictly restricted.
- S_TCODE – Make sure that this authorization object does not give access ‘*’ access or access to big ranges using wildcards on the TCD field.
- S_DEVELOP – Should be assigned with caution. Make sure not to give the change – debug access in production.
- S_RZL_ADM – For R/3 System administration using the CCMS. This should only be required by Basis.
- S_ADMI_FCD – For checking access to some Basis functions, like spool administration and monitoring. Normally for Basis Team only.
- S_BTCH_ADM – For processing background jobs. Only needed by Basis or Background admin.
- S_BDC_MONI – For batch input management and monitoring – Can be assigned to Functional Team when they upload data using LSMW
- S_CTS_ADMI – For administration functions in the Change and Transport System. Only to Basis.
- S_LOG_COM – For executing external operating system commands – Only to Basis.
- S_TRANSPRT – For transport organizer – Only to Basis.
- S_DATASET – For accessing files from ABAP/4 programs. ABAP Program name and File Path should be maintained with caution.
- S_USER_* – Should be maintained very carefully. Make sure to give display access (activity 03) only. For Security Team.