Question:
I've looked through some posts here and almost understood that one should not provide the SAP_ALL role to any user within a production system.
But I'm not knowledgeable enough to create the roles which would provide the needed access within the company.
So currently I'm to implement what I've been told to and later on I'd try to do it in a proper way.
The local concept is to have a SAP_ALL user only for some emergency case; the password for this user will be split into two parts and the parts should be kept in two sealed envelopes and so on.
Still, I have to monitor the SAP_ALL user's activities. My intention was to set up auditing for the SAP_ALL user and for creating new users (or escalating existing ones) with SAP_ALL rights. My first question is whether it is possible to monitor this, because after reading several replies by moderators it seems to me that one can overcome my audit precautions.
My second question is how to do this if it is possible. I was going to set up auditing in the Security Audit Log with the filter audit class "User Master Change". Will it be enough? I've been thinking about setting up auditing for S_USER_* but did not find a way to do so yet.
What can you recommend me above some reading and/or training?
Excuse me for my naive questions but I'm really new to SAP.
Answer:
There is a lot to know newbie! Why did you accept the job?
Reading here and taking a look at the documents at www.sapsecurity.org is a good start.
Happy reading and testing!
Ned
Answer:
Enter the name of the user with the SAP_ALL profile in SM19 in a filter and select everything and all options. This will log everything (the most important things) that the user does. This would be the same method for an FFID (Fire Fighter ID) you are giving to SAP Support people to use in production that has all application authorizations. Set up a CCMS email alert for when the user logs in and when it logs out so that you know when it is being used or not.
If your question is whether you can log a bunch of users with sap_all, forget about it. In such a case you have to conclude that you do not have any security, and such a policy must be changed or there can never be any security.
_________________
Gary Morris
SAP Security Analyst/Developer
garymorris@sapsecurity.net
Answer:
And over time your security, change controls, system integrity, data quality and auditability will run away from you into a mess!
Ned
Answer:
To Ned: I'm not a SAP Security Administrator but an IT security Manager. My responsibilities are wider than just SAP and I've some experience in IT security but have never worked with SAP. You will not believe it, but things in IT security here were not good at all and I hope that I'm improving the situation step by step.
To Gary Morris: I'm not going to log a bunch of users with sap_all. I was going to have just one sap_all user and I'm going to monitor when this account was used and what for. The password should become available to the guy only after approval and would be changed immediately after its usage. What I was asking about is the way to monitor the appearance of new users with sap_all rights. Let us say that currently we will check that there is just one sap_all but later on the SAP admin will create another one. I'd like to be alerted if that happens. Do you have any ideas how such an alert could be done?
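One way to answer the follow-up question above (being alerted when another user appears with SAP_ALL, whether a newly created user or an existing one that was escalated), as an added example that is not part of this thread or anyone's posted code: the script takes a periodic export of user-to-profile assignments in the shape of SAP's UST04 table (user name and profile name), compares the SAP_ALL holders against an approved baseline and against the previous export, and produces alert lines. The tab-separated export format, the sample users and the approved list are constructed for the example; how the export is produced on the SAP side is not shown. Note that this sees only SAP_ALL assigned directly as a profile; a composite profile that contains SAP_ALL would show up under its own name and must be reviewed separately.

```python
"""Alert on users who hold the SAP_ALL profile outside an approved baseline.

Added example (not from the forum thread). Input is a tab-separated export
with the columns of SAP's UST04 table: BNAME (user) and PROFILE. The export
format and all sample data below are constructed.
"""
from typing import Dict, List, Set

# Constructed sample: the previous export, taken when only the emergency
# account held SAP_ALL.
PREVIOUS_EXPORT = """\
BNAME\tPROFILE
EMERGENCY\tSAP_ALL
EMERGENCY\tSAP_NEW
JSMITH\tZ_FI_DISPLAY
BASISADM\tZ_BASIS_ADMIN
"""

# Constructed sample: the current export. BASISADM (an existing user) has
# been escalated and NEWGUY has been created with SAP_ALL.
CURRENT_EXPORT = """\
BNAME\tPROFILE
EMERGENCY\tSAP_ALL
EMERGENCY\tSAP_NEW
JSMITH\tZ_FI_DISPLAY
BASISADM\tZ_BASIS_ADMIN
BASISADM\tSAP_ALL
NEWGUY\tSAP_ALL
"""

# The single emergency account whose password lives in the sealed envelopes.
# Whether standard users that ship with SAP_ALL belong here is a local decision.
APPROVED_SAP_ALL_USERS: Set[str] = {"EMERGENCY"}


def parse_ust04_export(text: str) -> Dict[str, Set[str]]:
    """Map each user name to the set of profiles assigned to it.

    Names are upper-cased because SAP stores user and profile names that way.
    """
    assignments: Dict[str, Set[str]] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        user, profile = (field.strip().upper() for field in line.split("\t", 1))
        assignments.setdefault(user, set()).add(profile)
    return assignments


def sap_all_holders(assignments: Dict[str, Set[str]]) -> Set[str]:
    """Users that have the SAP_ALL profile assigned directly."""
    return {user for user, profiles in assignments.items() if "SAP_ALL" in profiles}


def unapproved_holders(current: Dict[str, Set[str]], approved: Set[str]) -> List[str]:
    """SAP_ALL holders missing from the approved baseline, in sorted order."""
    return sorted(sap_all_holders(current) - approved)


def gained_since(previous: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[str]:
    """Users that did not hold SAP_ALL in the previous export but do now."""
    return sorted(sap_all_holders(current) - sap_all_holders(previous))


def build_alerts(previous_text: str, current_text: str,
                 approved: Set[str] = APPROVED_SAP_ALL_USERS) -> List[str]:
    """Produce one alert line per unapproved SAP_ALL holder.

    The wording distinguishes an escalated existing user from a newly created
    one, and a holder that was already flagged in the previous export.
    """
    previous = parse_ust04_export(previous_text)
    current = parse_ust04_export(current_text)
    gained = set(gained_since(previous, current))
    alerts: List[str] = []
    for user in unapproved_holders(current, approved):
        if user not in gained:
            alerts.append(f"ALERT: {user} still holds SAP_ALL without approval")
        elif user in previous:
            alerts.append(f"ALERT: existing user {user} was escalated to SAP_ALL")
        else:
            alerts.append(f"ALERT: new user {user} was created with SAP_ALL")
    return alerts


if __name__ == "__main__":
    for line in build_alerts(PREVIOUS_EXPORT, CURRENT_EXPORT):
        print(line)
```

Run on a schedule against a fresh export, the script gives a daily answer to "is there still exactly one SAP_ALL user", and the alert lines can be fed to whatever mail or ticket channel the company already uses; the approved set is the thing to keep under change control.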
Answer:
[deleted insults]
Answer:
To Ned: I'm glad that you are much smarter and more knowledgeable in SAP than me. Maybe it will permit you to explain what is wrong with the idea, if it is so obvious?
Answer:
Newbie,
I have been lurking this forum for a few months now, and have noted a tone of rudeness and sort of know-it-all, my-way-or-the-highway manner of communicating.
What Ned is saying rings true, no doubt, but how he is saying it is unacceptable, IMHO.
There are as many ways to implement SAP Security as there are companies using it. Find the way that best suits your business requirements. Read up, attend some classes, and talk to others. It is extremely complex.
Try asug. Their security forum has a different tone.
Answer:
I deleted the insult.
Please continue replying with good manners.
Snowy
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified
Search: /forums/search.php
SAP Notes: http://service.sap.com/notes
SAP Help: http://help.sap.com
Basic Rules: /forums/viewtopic.php?t=222759
Answer:
It seemed irresistible at the time.
Sorry newbie!
Ned
Answer:
Honorable gurus!
I'm aware that if I'm going to stay with SAP security I have to learn many things. Currently I need a quick solution. That's why I'm at this forum.
Actually, in the fields where I have some background I don't go to any forums in case of problems - I dig through the documentation and find the solution myself. I know nothing about SAP at the moment and it will take me months to read and experiment before I'd probably find the right way. And I need the solution now. That is why I'm posting here and why I said in the original post "above reading and training".
From your replies I can't understand what the reason is that you are visiting this forum. I've been thinking that one can ask questions and if someone can help he posts some advice.
I've proposed some solution and I'm not sure that it will do. You all said that it's crap. That's OK for me, but if you are knowledgeable can you please explain what is wrong with the idea I've suggested.
At the moment you are either recommending me to visit a hospital or to read more. I'm aware that I'm SAP-illiterate and I've been expecting that people will laugh, but after the laugh is over I'd like to get an explanation of where my proposal is wrong or what is missing.