System administrator

Posted by Klea Duro on Mar 8, 2024 8:45:00 AM

How is it possible to have an overview of what has been done by a system administrator within SAP systems?

SYSTEM ADMIN

In SAP, unfortunately or fortunately, there are lots of logs (some of which must be explicitly enabled). But there is no single dashboard where you can see them, perhaps grouped by individual user. But a new feature does exist!

System administrator in SAP

The definition of "system administrator" generally identifies, in the IT field, professional figures aimed at the management and maintenance of a processing system or its components, as defined by the Privacy Guarantor.

 

In SAP it may not be so easy to understand what is being done by those who have the opportunity to be administrators. In fact, better not to be an administrator if possible and if not strictly necessary.

 

There are many logs and many ways to perform the same operation. Therefore, it becomes difficult without the aid of tools designed to solve this problem to carry out hand checking on the operation by administrators.

 

Read here what is the:

 

Why SAP GRC Access Control Can Be Useful

Certainly we have already discussed this in several situations.

Definitely it is important some of the features offered by SAP GRC Access Control clearly are not available out-of-the-box in SAP. Among the main ones:

 

  • Having a single dashboard, of all logs collected by SAP, for a specific super-user used
  • Have an approval process for the super user request
  • Transparently and easily define super user provisioning, there are no passwords to transmit
  • Have an accurate and complete audit log of all activities performed for the SAP GRC module that manages super users (Emergency Access Management)

 

But in some situations SAP GRC is not yet present, so what can be done?

 

But if I have no SAP GRC what can I do?

Through the following OSS note(2423576 - SAIS | Generic audit report about system changes) SAP offers the possibility to see the following logs in one place, for one or more users:

 

  • Changes to client (SE06, SCC4)
  • Security Audit Log (Transactions RSAU* or SM20n)
  • System Log (Transaction SM21)
  • Table Logging (Transaction SCU3)
  • Application Log (Transaction SLG1)
  • Change Document (report RSSCD100)
  • Program changes (Transactions SE95, SE84) and transports (SE03 or report RSWBOSSR)

 

SAP AUDIT EVALUATION

 

So not bad, for each of these a specific detail of what has been done.

 

SAIS

 

Of course, there are some obvious limitations compared to GRC but it can definitely be a great feature even while waiting to install SAP GRC Access Control. Beware the inquiries made with the transaction above do not exhaust the possible activities performed by the user in every respect ( eventual activities performed at the database level are not present for example)

 

The above is possible through the new SAIS_MONI transaction. Give it a try if it is already present in your system! Available from these releases SAP_BASIS 7.50 SP 18, 7.51 SP 11, 7.52 SP 07, 7.53 SP 05, 7.54 SP 03

 

Iscriviti al blog se ancora non lo hai fatto!

 

Topics: auditaccess managementlog sapamministratore di sistema

Yes Subscribe!

Blog Aglea, what you could find out?

Every Friday a new post, interview or content related to SAP Security.

  • Tips on how to design SAP Security
  • How to
  • Checklist
  • Common error and pitfall on security SAP
  • Interview with experts
  • Who we are and Aglea vision on SAP Security

Recent Posts

Post By Topic

See all

SAP Security Blog AGLEA RSS Feed

Aglea s.r.l. - Subject to the management and coordination of Horsa S.p.A. - P. IVA: IT 03868780960 - 2024 | Privacy Policy - Cookie Policy