Have you ever run up against an SAP SOX audit compliance issue? Working closely with both external and internal auditors to identify the areas of SAP security that need to be brought into compliance can be time-consuming and daunting. Documenting the procedures, controls and policies is important for the company being audited, and it is a substantial effort for both functional and technical SAP resources.
Learn to Love Your Auditors
SAP auditors can be very helpful in suggesting alternatives (yes, learn to love your auditors) for the controls that need to be put in place, and in helping upper management understand what the objectives are and why some risky user access has to change.
Usually the SAP Basis/Security administrators can help identify and fix access that is too broad or simply incorrect. An example: an Accounts Payable clerk has the ability to change or debug an SAP program. Access of this kind is easily removed and tested. The auditors then run a query to confirm that it has in fact been remediated, and everyone is happy.
Who Has SAP_ALL?
The area that is always looked at, and usually the FIRST thing SOX auditors request in SAP, is which users have SAP_ALL. SAP_ALL is the profile that contains every authorization in the system: a user holding it can do anything in SAP. Often this profile is handed out during an SAP upgrade or go-live to make sure the business keeps running without any authorization failures. The intent is to remove it once the users have built up a transaction history that shows what they actually need, but that intent is not always executed in a timely manner.
The other places where SAP_ALL turns up are batch user IDs and RFC (remote function call) IDs. Again, we start with SAP_ALL to make sure the functionality works: the batch jobs run without cancelling for lack of authorization, and the RFC can be called to or from another system without failing. Auditors will ask that SAP_ALL be replaced by the authorizations the process actually uses, and we are required to narrow the access down and build it.
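An audit query of that kind, as an added example that is not part of the original post: it reads extracts of two standard SAP tables, UST04 (user-to-profile assignments, fields BNAME and PROFILE) and USR02 (logon data, fields BNAME, USTYP and UFLAG), lists every holder of SAP_ALL, and grades each one by user type and lock status, so that a person's dialog ID with SAP_ALL is separated from a batch or RFC ID whose access still needs narrowing. The table rows are constructed sample data, and the risk grading is this example's own convention, not an SAP or audit standard.

```python
"""List SAP_ALL holders with user type and lock status (added example).

Not SAP code and not from the original post. Input is an extract of UST04
(BNAME, PROFILE) and USR02 (BNAME -> USTYP, UFLAG); the rows below are
constructed sample data. Risk grades are this example's own convention.
"""
from collections import namedtuple

# USR02-USTYP user types as SAP defines them.
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication",
              "S": "service", "L": "reference"}

# Constructed UST04 extract: (BNAME, PROFILE).
UST04 = [
    ("JSMITH", "SAP_ALL"),
    ("JSMITH", "SAP_NEW"),
    ("BATCH_FI", "SAP_ALL"),
    ("RFC_BW", "SAP_ALL"),
    ("APCLERK1", "Z_AP_CLERK"),
    ("OLDUSER", "SAP_ALL"),
]

# Constructed USR02 extract: BNAME -> (USTYP, UFLAG); UFLAG 0 = not locked.
USR02 = {
    "JSMITH": ("A", 0),
    "BATCH_FI": ("B", 0),
    "RFC_BW": ("C", 0),
    "APCLERK1": ("A", 0),
    "OLDUSER": ("A", 64),
}

Finding = namedtuple("Finding", "user user_type locked risk")


def sap_all_holders(ust04, usr02, profile="SAP_ALL"):
    """Return one Finding per user holding `profile`, sorted by user name."""
    holders = sorted({bname for bname, prof in ust04 if prof == profile})
    findings = []
    for user in holders:
        ustyp, uflag = usr02.get(user, ("?", 0))
        user_type = USER_TYPES.get(ustyp, "unknown")
        locked = uflag != 0
        if locked:
            risk = "low"      # cannot log on, but still a finding until removed
        elif user_type == "dialog":
            risk = "high"     # a person can log on interactively with SAP_ALL
        else:
            risk = "medium"   # batch/RFC ID: must be narrowed to what it uses
        findings.append(Finding(user, user_type, locked, risk))
    return findings


if __name__ == "__main__":
    for f in sap_all_holders(UST04, USR02):
        print(f"{f.user:<10} {f.user_type:<14} locked={str(f.locked):<5} risk={f.risk}")
```

Run it against real extracts by replacing the two constructed tables; the same query against a full UST04 also answers the follow-up question auditors ask next, who holds SAP_NEW, by changing the `profile` argument.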
Other ‘unknown’ user IDs.
There are other examples of access that is ‘unknown’. Say an employee uses his or her own user ID to schedule a daily batch job, or as the user ID behind an RFC call. At some point the employee leaves the company or changes positions. The employee’s user ID is locked or its access is changed per company policy, and the batch jobs or RFCs start to fail. This turns into a nightmare, for example when the invoicing jobs that run under the employee’s user ID cancel for lack of authorization, or the BI system fails to refresh its data because the RFC under that user ID fails. One quick fix is to reinstate the user ID, but the auditors will want to know why this user is still active. The other quick fix is to create a new ID with SAP_ALL to prevent any failures, which lands you right back at the first audit finding.
SAP has provided a solution.
Here is the tool SAP has provided to help get rid of SAP_ALL and of unknown user access for processes that should run under a user ID that does not belong to a person: transaction code STAUTHTRACE. STAUTHTRACE is a system-wide authorization trace: it records every authorization check (the authorization object and the field values checked) that occurs while the RFC or batch job runs. When the RFC or batch job is done, a report is produced, with options to consolidate the entries and to choose which application servers are included, so the resulting report is easy to read. The report is a trace, but it leaves out everything except the authorization objects and the values the process actually needed.
Results are listed.
Now that you have the authorizations that can replace SAP_ALL or the mystery user ID, how do you build an SAP role (a set of authorizations) to replace the current access? If your system has support package SAPKB70211 or SAPKB70210, the trace results can be copied into the role directly:
- open transaction PFCG and type in the role name,
- go to the Menu tab,
- choose Copy Menus -> Import from Trace.
Alternatively, copy the authorization objects and values into the role by hand on the Authorizations tab. Either way, you now have a user ID with exactly the authorizations needed to replace SAP_ALL.
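The consolidation step described above, and the hand-entry alternative, as an added example that is not part of the original post and not SAP's own code: it takes authorization-trace records (authorization object, return code of the check, and the field values checked), drops exact repeats, and merges records of the same object only when they differ in a single field. That last rule is the security-relevant part: simply taking the union of every field value per object, which is what a hurried manual entry in PFCG tends to do, grants combinations (for example ACTVT 02 on a table class that was only ever read) the trace never showed. STAUTHTRACE's real export layout is not reproduced; the record format and the trace contents are constructed for the example.

```python
"""Consolidate authorization-trace records into role authorization data.

Added example, not from the original post or from SAP. The record layout
is this example's own (constructed); each record carries the authorization
object, the return code of the check (RC, 0 = passed) and the checked
field values.
"""
from itertools import combinations

# Constructed trace of a batch job run under an ID holding SAP_ALL, so every
# check passes and the trace is the complete list of what the job needs.
TRACE = [
    {"object": "S_TCODE",    "rc": 0, "fields": {"TCD": "FB60"}},
    {"object": "S_TABU_DIS", "rc": 0, "fields": {"ACTVT": "03", "DICBERCLS": "SS"}},
    {"object": "S_TABU_DIS", "rc": 0, "fields": {"ACTVT": "03", "DICBERCLS": "SC"}},
    {"object": "S_TABU_DIS", "rc": 0, "fields": {"ACTVT": "02", "DICBERCLS": "SS"}},
    {"object": "S_TABU_DIS", "rc": 0, "fields": {"ACTVT": "03", "DICBERCLS": "SS"}},  # repeat
    {"object": "S_RFC", "rc": 0, "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "RFC1"}},
    {"object": "S_RFC", "rc": 0, "fields": {"ACTVT": "16", "RFC_TYPE": "FUGR", "RFC_NAME": "SYST"}},
    {"object": "S_DEVELOP", "rc": 4, "fields": {"ACTVT": "02", "OBJTYPE": "PROG"}},  # failed check
]


def _try_merge(a, b):
    """Merge two authorizations if they differ in exactly one field, else None."""
    if a.keys() != b.keys():
        return None
    diff = [f for f in a if a[f] != b[f]]
    if len(diff) != 1:
        return None
    merged = dict(a)
    merged[diff[0]] = a[diff[0]] | b[diff[0]]
    return merged


def consolidate(trace):
    """Return ({object: [auth, ...]}, [failed records]).

    Each auth maps a field to a sorted list of values. Authorizations are
    merged only when they differ in one field, so the result never grants a
    field-value combination that the trace did not contain. Checks with a
    non-zero RC are returned separately for review instead of being granted.
    """
    per_object = {}
    failed = []
    for rec in trace:
        if rec["rc"] != 0:
            failed.append(rec)
            continue
        auth = {f: frozenset([v]) for f, v in rec["fields"].items()}
        auths = per_object.setdefault(rec["object"], [])
        if auth not in auths:          # drop exact repeats
            auths.append(auth)
    result = {}
    for obj, auths in per_object.items():
        changed = True
        while changed:                 # repeat until no pair can be merged
            changed = False
            for a, b in combinations(auths, 2):
                merged = _try_merge(a, b)
                if merged is not None:
                    auths.remove(a)
                    auths.remove(b)
                    if merged not in auths:
                        auths.append(merged)
                    changed = True
                    break
        result[obj] = sorted(
            ({f: sorted(vals) for f, vals in a.items()} for a in auths),
            key=lambda a: sorted(a.items()))
    return result, failed


if __name__ == "__main__":
    role_data, to_review = consolidate(TRACE)
    for obj, auths in sorted(role_data.items()):
        for auth in auths:
            print(obj, {f: ",".join(v) for f, v in auth.items()})
    for rec in to_review:
        print("REVIEW (RC=%d):" % rec["rc"], rec["object"], rec["fields"])
```

In the constructed trace, S_TABU_DIS comes out as two authorizations (ACTVT 02 on SS; ACTVT 03 on SC and SS) rather than one that would also allow ACTVT 02 on SC, and the two S_RFC checks collapse into a single authorization with both function groups. The failed S_DEVELOP check is listed for review: in a real SAP_ALL trace there should be none, so its presence means the trace came from a run without SAP_ALL and the entry has to be examined before anyone grants it.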
Auditors can be your friend when you bring SAP security expertise and SAP's own auditing tools to the engagement. Good SAP security gives your company a more efficient, compliant SAP environment, and happy auditors.
TriCore Solutions is an SAP Silver Partner and recognized as a subject matter expert in supporting and delivering SAP solutions. Focused on helping our customers realize the best return on their investment in the areas of cost, compliance and quality, we provide industry-specific business solutions through sales, implementation services and support, tools and operational support. Learn more about our SAP Partnership.