Q.) Just wondering if someone is aware of tools for auditing SAP R/3 and MySAP.com? I'll probably be involved in an audit of such systems.

----------

Fernando,

From what I understand the settings for SAP are customer specific, driven by their policies. Some big five accounting firm types have developed their own reporting tools that extract configuration data and present the information in customized reports. I hear that SAP has their own software available for this kind of reporting, though I have not used it and hence don't know a lot about it.

Basically, SAP provides transactions and system parameters which it leaves to the user to use or configure, respectively. The transaction RSPARAM displays SAP logon parameter settings, e.g., minimum/maximum password length, permissible # of logon failures, autolock reset parameters, etc. The installation can then determine whether the settings correspond to management's wishes or best practices.

By the way, everything in SAP is system independent, and to a lesser extent, client independent. Running RSPARAM for one system does not show what the settings are in the other systems. A typical large deployment of SAP may have both development and production environments, running from 6 to 12 systems, and from 1 to 7 clients in each system. Your systems may be different from those I have had exposure to.

As far as the standard SAP reports go, there are a large number of the RSUSRnnn which monitor sensitive transactions, authorization objects and other system activity, e.g., who can set up or modify user IDs, who can access tables and which ones, password character strings which are not permitted, who can execute batch jobs or even look at program code. There is a danger in executing any or all of these without thoroughly understanding the ramifications of combinations of these transactions and authorization objects. One could raise a red flag which gives the false impression that things are out of control, or it could raise the green flag that everything is OK when knowing the consequences of combining certain seemingly innocuous transactions and authorization objects may open up a security exposure to a sensitive table.

This is all application level security stuff. The O/S and database security issues may also be very interesting as well. One place to explore would be any "middleware" software used to interface between legacy databases and SAP. These need read/write permissions to access multiple legacy business databases and the SAP system. Account names and passwords for the various systems are sometimes stored within the middleware application files inside an unencrypted text file! If you snag that, you have access to many of their business databases.

Good Luck,
- Mike
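The RSPARAM review Mike describes, worked through as an added example (not code from the original thread): one RSPARAM-style export is audited per system, since the transaction only reports the system it runs in, and each logon parameter is compared against an audit baseline. The export format, the sample values and the thresholds are assumptions made for the example; the parameter names are real SAP profile parameters.

```python
"""Baseline check of SAP logon profile parameters across several systems,
since RSPARAM only reports the system it is run in. Assumed export format:
"name<TAB>user value<TAB>default value", blank user value = default in
effect. Parameter names are real SAP profile parameters; all values and
thresholds here are constructed for the example, not from the post."""

# Acceptable inclusive range per parameter; None means unbounded.
# 0 for password_expiration_time would mean "never expires", hence lo=1.
BASELINE = {
    "login/min_password_lng": (8, None),
    "login/fails_to_session_end": (1, 3),
    "login/fails_to_user_lock": (1, 5),
    "login/password_expiration_time": (1, 90),
}

def parse_rsparam(text):
    """Map parameter name -> effective value (user value, else default)."""
    params = {}
    for line in text.strip().splitlines():
        name, user, default = (f.strip() for f in line.split("\t"))
        params[name] = user or default
    return params

def audit_system(sysid, export):
    """Return finding strings for one system; empty list = baseline met."""
    params = parse_rsparam(export)
    findings = []
    for name, (lo, hi) in BASELINE.items():
        if name not in params:
            findings.append(f"{sysid}: {name} missing from export")
            continue
        value = int(params[name])
        if (lo is not None and value < lo) or (hi is not None and value > hi):
            findings.append(f"{sysid}: {name}={value} not in [{lo}, {hi or 'inf'}]")
    return findings

def audit_landscape(exports):
    """Audit each system on its own; returns {sysid: [findings]}."""
    return {sysid: audit_system(sysid, text) for sysid, text in exports.items()}

# Constructed sample exports: a weak DEV system, a compliant PRD, QAS incomplete.
EXPORTS = {
    "DEV": ("login/min_password_lng\t\t3\nlogin/fails_to_session_end\t3\t3\n"
            "login/fails_to_user_lock\t12\t12\nlogin/password_expiration_time\t0\t0\n"),
    "PRD": ("login/min_password_lng\t8\t3\nlogin/fails_to_session_end\t3\t3\n"
            "login/fails_to_user_lock\t5\t12\nlogin/password_expiration_time\t60\t0\n"),
    "QAS": ("login/min_password_lng\t8\t3\nlogin/fails_to_session_end\t3\t3\n"
            "login/fails_to_user_lock\t5\t12\n"),
}
```

A parameter that is absent from an export is reported as a finding rather than silently assumed to be at its default, so an incomplete extract cannot pass the check.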
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 14:17:16 PDT