Top Six SAP User Parameters to Be Monitored for SAP Audit Compliance

SAP supplies a series of reporting tools and ABAP/4 programs that provide detailed analysis and monitoring of SAP security at the client and system level. The monitoring reports can be accessed via two methods: executing the actual program using transactions SE38 or SA38, or through SUIM (Repository Information System). As part of your SAP audit compliance process, the company has to monitor these SAP security parameters frequently.

Objective: Ensure invalid login attempts are properly reviewed to identify malicious attempts on the system

Report: RSUSR006 Frequency: Daily

The report lists, for each client within the system, all users with invalid login attempts and those users locked either by Security Administrators or by too many invalid password attempts. Review the report to identify any inconsistencies or patterns and to see whether any user is trying to hack the system.

Objective: Ensure changes to passwords are properly approved before the new password is made available to the users.

Report: SUIM Change logs Frequency: Weekly

Review the password change documents for key users, including SAP*, EARLYWATCH, DDIC, SAPCPIC, and the Basis and Security Administrators. These users usually have highly excessive privileges in the system. If a hacker gets into the system, he will try to change the password of one of these users. The ability to reset passwords should be limited to Basis and Security Administrators and Help Desk users.

Objective: Ensure SAP System Profile Parameters are properly configured based on the company's Standard Operating Procedures.

Report: RSPARAM Frequency: Bi-weekly

Objective: Ensure user level changes are properly approved by the supervisor.

Reports: RSUSR100, RSUSR101, RSUSR102 Frequency: Bi-weekly

For selected key users, including Basis and Security Administrators, execute the report and review the change history. Review the date of each change and who made it. Changes should be limited to other Basis or Security Administrators. If you see changes made by someone outside the Basis and System Administrator group, that indicates a serious violation of security.

Objective: Ensure SAP*, EARLYWATCH, DDIC and SAPCPIC are properly secured.

Report: RSUSR003 Frequency: Monthly

Review the report and verify that the passwords for SAP*, EARLYWATCH, DDIC and SAPCPIC have been changed for all clients. The report shows all of the clients defined in the system. SAP*, EARLYWATCH, DDIC and SAPCPIC passwords should be consistently maintained on all clients. Since the default passwords for these users are widely known, a hacker could easily compromise the user and get full control of the SAP system.
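The three review steps above (invalid logons and locked users from RSUSR006, change documents for key users from the RSUSR100-series reports, and the standard-user password check from RSUSR003) can be scripted against exported report data so that the reviewer sees only the exceptions. The Python below is an added example, not SAP-supplied code or part of the original post; the tab-separated column layouts, the lock codes, the administrator and help desk user IDs, the threshold and the sample rows are all constructed assumptions rather than SAP's actual export format.

```python
"""Offline exception review over exported SAP user-monitoring data.

All column layouts and sample rows below are constructed for this example;
they are not SAP's own report output.
"""

# Constructed RSUSR006-style export: client, user, failed logon count, lock code.
# Lock codes are assumed here: 0 = not locked, 64 = locked by administrator,
# 128 = locked after too many failed logons.
LOGON_EXPORT = """\
100\tJSMITH\t0\t0
100\tMJONES\t7\t128
200\tSAP*\t12\t0
200\tJSMITH\t3\t64
"""

# Constructed RSUSR100-style change documents: client, changed user,
# changed by, date (YYYYMMDD), change type.
CHANGE_EXPORT = """\
100\tDDIC\tBASISADM\t20240301\tPASSWORD
100\tJSMITH\tHELPDESK1\t20240302\tPASSWORD
100\tMJONES\tJDOE\t20240302\tPASSWORD
100\tBASISADM\tJDOE\t20240303\tPROFILE
200\tSAP*\tSECADM\t20240303\tLOCK
200\tEARLYWATCH\tHELPDESK1\t20240304\tPASSWORD
"""

# Constructed RSUSR003-style status: client, standard user, password changed (Y/N).
STANDARD_USER_EXPORT = """\
000\tSAP*\tY
000\tDDIC\tY
000\tEARLYWATCH\tN
100\tSAP*\tY
100\tDDIC\tN
100\tEARLYWATCH\tY
100\tSAPCPIC\tY
"""

FAILED_LOGON_THRESHOLD = 5                      # assumed review threshold
ADMIN_GROUP = {"BASISADM", "SECADM"}            # Basis and Security Administrators (assumed IDs)
PASSWORD_RESET_GROUP = ADMIN_GROUP | {"HELPDESK1"}  # administrators plus Help Desk
STANDARD_USERS = ("SAP*", "DDIC", "EARLYWATCH", "SAPCPIC")
KEY_USERS = set(STANDARD_USERS) | ADMIN_GROUP   # changes to these need an administrator
LOCK_REASONS = {0: None, 64: "locked by administrator",
                128: "locked after too many failed logons"}


def parse_rows(export):
    """Split a tab-separated export into lists of fields, skipping blank lines."""
    return [line.split("\t") for line in export.splitlines() if line.strip()]


def review_logons(export, threshold=FAILED_LOGON_THRESHOLD):
    """RSUSR006 review: report locked users and users at or above the failed-logon threshold."""
    findings = []
    for client, user, failed, lock in parse_rows(export):
        reason = LOCK_REASONS.get(int(lock), f"locked (code {lock})")
        if reason:
            findings.append((client, user, reason))
        if int(failed) >= threshold:
            findings.append((client, user, f"{failed} failed logons"))
    return findings


def review_changes(export):
    """RSUSR100 review: password resets outside the permitted group, and any
    change to a key user made by someone who is not an administrator."""
    findings = []
    for client, user, changed_by, _date, change_type in parse_rows(export):
        if change_type == "PASSWORD" and changed_by not in PASSWORD_RESET_GROUP:
            findings.append((client, user, changed_by, "password reset outside permitted group"))
        if user in KEY_USERS and changed_by not in ADMIN_GROUP:
            findings.append((client, user, changed_by, "change to key user by non-administrator"))
    return findings


def review_standard_users(export):
    """RSUSR003 review: standard users whose default password is still in place on a client."""
    findings = []
    for client, user, changed in parse_rows(export):
        if user in STANDARD_USERS and changed != "Y":
            findings.append((client, user, "default password not changed"))
    return findings


def run_review():
    """Collect all exceptions for the review meeting, keyed by report."""
    return {
        "RSUSR006": review_logons(LOGON_EXPORT),
        "RSUSR100": review_changes(CHANGE_EXPORT),
        "RSUSR003": review_standard_users(STANDARD_USER_EXPORT),
    }


if __name__ == "__main__":
    for report, findings in run_review().items():
        print(report)
        for finding in findings:
            print("  ", *finding)
```

Note the EARLYWATCH row in the change export: a Help Desk user may reset ordinary passwords, but because EARLYWATCH is a key user the change is still reported for administrator follow-up, which is the distinction the two review objectives above draw.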

Objective: Ensure master addresses are populated according to standard operating procedures.

Report: RSUSR007 Frequency: Monthly

Execute the ABAP/4 program and select the address fields: first name, name field 1, building name, street, city, location, department, phone, extension and country key (not currently on Access Form but can be maintained by each user). Review the user master records to ensure all users have the required address information properly formatted. This activity should be completed for each system; the report analyzes all of the clients within a system.
