AGLEA Blog

System administrator

Written by Klea Duro | Mar 8, 2024 7:45:00 AM

How is it possible to have an overview of what has been done by a system administrator within SAP systems?

In SAP, fortunately or unfortunately, there are many logs (some of which must be explicitly enabled), but there is no single dashboard where you can see them all, perhaps grouped by individual user. A new feature, however, does exist!

System administrator in SAP

The term "system administrator" generally identifies, in the IT field, the professional figures responsible for the management and maintenance of a processing system or its components, as defined by the Privacy Guarantor.

 

In SAP it may not be easy to understand what is being done by those who are able to act as administrators. In fact, it is better not to be an administrator where possible, unless strictly necessary.

 

There are many logs and many ways to perform the same operation. Without tools designed to solve this problem, it therefore becomes difficult to check manually what administrators have done.

 


Why SAP GRC Access Control Can Be Useful

We have already discussed this on several occasions.

It is important to note that some of the features offered by SAP GRC Access Control are not available out-of-the-box in SAP. Among the main ones:

 

  • Having a single dashboard of all the logs collected by SAP for a specific super user that was used
  • Having an approval process for super user requests
  • Defining super user provisioning transparently and easily, with no passwords to transmit
  • Having an accurate and complete audit log of all activities performed for the SAP GRC module that manages super users (Emergency Access Management)

 

But in some situations SAP GRC is not yet present, so what can be done?

 

But if I have no SAP GRC, what can I do?

Through the following OSS note (2423576 - SAIS | Generic audit report about system changes), SAP offers the possibility to see the following logs in one place, for one or more users:

 

  • Changes to client (SE06, SCC4)
  • Security Audit Log (Transactions RSAU* or SM20n)
  • System Log (Transaction SM21)
  • Table Logging (Transaction SCU3)
  • Application Log (Transaction SLG1)
  • Change Document (report RSSCD100)
  • Program changes (Transactions SE95, SE84) and transports (SE03 or report RSWBOSSR)

 

 

Not bad: for each of these you get specific detail of what has been done.

 

 

Of course, there are some obvious limitations compared to GRC, but it can definitely be a great feature, even while waiting to install SAP GRC Access Control. Beware: the queries made with this transaction do not cover every possible activity performed by the user (any activities performed at the database level, for example, are not included).

 

The above is possible through the new SAIS_MONI transaction. Give it a try if it is already present in your system! It is available from these releases: SAP_BASIS 7.50 SP 18, 7.51 SP 11, 7.52 SP 07, 7.53 SP 05, 7.54 SP 03.

 

 

Topics: audit, access management, log sap, system administrator