Restricting table views for Security Administrators

Question: To comply with Audit controls, we as Security Administrators have to remove SE16/SE17/SM31 from our role so we can't view sensitive tables such as Payroll. We will have to use Query or SQVI instead.

Can any of the many SAP gurus out there suggest any alternative, as I like being able to view tables? It's very convenient.

Thanks
Stephen

Answer:
Put authorisation groups on all the tables that you want to protect & make sure that the security team don't have those auth groups in S_TABU_DIS object in any of their roles. It's not foolproof, but will shut audit up.
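
One way to verify the condition described in this answer, as an added example that is not part of the original thread: it scans role authorization values for S_TABU_DIS entries whose DICBERCLS value (single value, wildcard or range) covers a protected authorization group. It assumes the roles were exported as rows in the AGR_1251 layout; the role names, authorization names and the ZPAY group are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows: (role, object, authorization, field, low, high).
# Role names, authorization names and the ZPAY group are hypothetical.
PROTECTED_GROUPS = {"ZPAY"}  # auth group assumed to be assigned to payroll tables
ROLE_ROWS = [
    ("Z_SEC_ADMIN",   "S_TABU_DIS", "T001", "ACTVT",     "03",   ""),
    ("Z_SEC_ADMIN",   "S_TABU_DIS", "T001", "DICBERCLS", "SS",   ""),
    ("Z_SEC_DISPLAY", "S_TABU_DIS", "T001", "ACTVT",     "03",   ""),
    ("Z_SEC_DISPLAY", "S_TABU_DIS", "T001", "DICBERCLS", "*",    ""),
    ("Z_SEC_RANGE",   "S_TABU_DIS", "T001", "ACTVT",     "*",    ""),
    ("Z_SEC_RANGE",   "S_TABU_DIS", "T001", "DICBERCLS", "ZA",   "ZZZZ"),
    ("Z_SEC_MAINT",   "S_TABU_DIS", "T001", "ACTVT",     "02",   ""),
    ("Z_SEC_MAINT",   "S_TABU_DIS", "T001", "DICBERCLS", "ZPAY", ""),
]

def covers(low, high, group):
    """True if one LOW/HIGH value pair of DICBERCLS includes the group."""
    if high:                      # interval LOW..HIGH, compared as strings
        return low <= group <= high
    if low.endswith("*"):         # full wildcard '*' or prefix pattern 'ZP*'
        return group.startswith(low[:-1])
    return low == group           # single value

def find_exposed_roles(rows, protected):
    """Return {role: {group: sorted activities}} for every S_TABU_DIS
    authorization whose DICBERCLS values cover a protected group."""
    auths = defaultdict(lambda: {"ACTVT": set(), "DICBERCLS": []})
    for role, obj, auth, field, low, high in rows:
        if obj != "S_TABU_DIS":
            continue
        if field == "ACTVT":
            auths[(role, auth)]["ACTVT"].add(low)
        elif field == "DICBERCLS":
            auths[(role, auth)]["DICBERCLS"].append((low, high))
    findings = defaultdict(dict)
    for (role, _auth), vals in auths.items():
        for group in protected:
            if any(covers(lo, hi, group) for lo, hi in vals["DICBERCLS"]):
                acts = set(findings[role].get(group, [])) | vals["ACTVT"]
                findings[role][group] = sorted(acts)
    return dict(findings)

if __name__ == "__main__":
    for role, groups in sorted(find_exposed_roles(ROLE_ROWS, PROTECTED_GROUPS).items()):
        print(role, groups)
```

The wildcard and range rows are the ones a manual review tends to miss, since the protected group name never appears literally in the role.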

Answer:
Thanks AL

Sounds like good advice.

Answer:
Depends on the sophistication of the auditor... S_TABU_DIS alone is not enough and I would fail you in an audit... But then again I am not your auditor.

There are several other steps you must take to ensure 100% compliance if your auditors are not "check list" auditors and understand SAP security.

S_TABU_DIS alone will give you the appearance of security only.
_________________
John A. Jarboe

Answer:
This is a classic example of what I call "security by ignorance". What makes auditors believe that restricting access to SE16/SE17 is an effective way of controlling access to sensitive data but on the other hand they allow SQVI or query use?

If your intention is to shut audit up, do what Al suggests. However, if you really want to ensure proper control is exercised, I suggest you try breaking into your own systems. After all, it takes a thief to catch a thief!
Copyright © 2007 - 2008 www.jt77.com