Search found 21 matches

by bbdude
Sat Apr 12, 2014 5:00 am
Forum: SAP Security
Topic: Truth about Table Maintenance / DEBUG
Replies: 3
Views: 4550

Re: Truth about Table Maintenance / DEBUG

Thanks all for the replies. If table maintenance is needed, restrict with a parameterized transaction that accesses only that table. Restrict by table groups. You can also restrict by S_TABU_NAM and grant access only to one table. You did not say whether people are using SM30 / SM31, SE11, etc. So I am...
by bbdude
Thu Apr 10, 2014 6:16 pm
Forum: SAP Security
Topic: Truth about Table Maintenance / DEBUG
Replies: 3
Views: 4550

Truth about Table Maintenance / DEBUG

I am working in a production environment and noticed there are 100's (yes 100's, not a typo) of individuals with table maintenance. As I understand, table maintenance access can be used to modify transaction data when the client is closed and can be used to modify configuration/master data when the ...
by bbdude
Fri Jul 15, 2011 11:27 am
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

Hey! I'm back 8) I thought of another question regarding SAP and the supporting infrastructure. Say I have root access to the OS and root access to the Database. When I log into the database, what does the schema look like? Is it complex or would it be somewhat easy to navigate (like in Oracle DB/E...
by bbdude
Wed May 18, 2011 8:11 am
Forum: SAP Security
Topic: How many of you use Reference users ?
Replies: 7
Views: 4222

Re: How many of you use Reference users ?

Well - I guess a few of you know about the user type of reference user and that it can be used to assign roles to a user by association. I'm personally not too keen on it as it seems like security by the back door and is not very transparent. So - my question is: How many of you out there make u...
by bbdude
Wed May 18, 2011 8:06 am
Forum: SAP Security
Topic: Can a report be run to view a user's activity logs?
Replies: 7
Views: 5531

Re: Can a report be run to view a user's activity logs?

I realize that any changes, etc., are recorded in the system, but can the system generate a report to view a user's navigation activities? Thanks Gurus, Cheers, I've seen reports which show if a user has used a certain transaction code (e.g. who has been accessing the screen to generate/print checks)....
by bbdude
Wed May 18, 2011 8:01 am
Forum: SAP Security
Topic: Transports from OS to Production
Replies: 4
Views: 3224

Re: Transports from OS to Production

I don't see how one would bypass the transport system. You could bypass the gui and the stms transactions but the tools you need from the OS level to import a transport are still SAP tools. I hope they leave traceable logfiles. Best search SAP service marketplace for notes and documentation on the ...
by bbdude
Tue May 17, 2011 10:26 am
Forum: SAP Security
Topic: Transports from OS to Production
Replies: 4
Views: 3224

Transports from OS to Production

Yes another Auditor question 8)

How would one transport a change through the OS (in this case AIX) and bypass SAP STMS? If my understanding is correct - this type of change wouldn't show up in the STMS change log (E070), right?

Thoughts and comments are welcome!

-E
by bbdude
Mon Mar 07, 2011 3:59 pm
Forum: SAP Security
Topic: Auditor has another question! Changes to tables
Replies: 1
Views: 1913

Auditor has another question! Changes to tables

No, I'm not being audited - rather I AM the auditor (as thx4allthefish is aware) 8) I'm trying to help my client save money and reduce their interaction with the audit team (me). In order to do this we're trying to benchmark some of the client's SAP application controls. For example, one control is ...
by bbdude
Thu Dec 16, 2010 10:53 am
Forum: Human Resources
Topic: High-Level Questions around HR/HTR
Replies: 0
Views: 1166

High-Level Questions around HR/HTR

Hi All, Everyone has been helpful over in the BASIS/Security forum so I thought I'd ask a few more questions I am curious about. Is the SAP HR module the only module included in the Hire-to-Retire (HTR) process? I know payroll is also handled within HTR ... The reason I ask is I am trying to identif...
by bbdude
Thu Dec 09, 2010 8:40 am
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

Really good descriptions Fish. bbdude, are you Big4 or one of the others? I did my audit stint at PwC back in the day. I am Big4, but took the road less traveled. Did systems administration in industry first then went to a pure consulting firm where I did Oracle advisory and then off to the Big4 wh...
by bbdude
Wed Dec 08, 2010 3:44 pm
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

thx4allthefish wrote: Last, not least - I hope, you did not take offense with my raving!
Not at all - I very much agree and wish my fellow auditors felt as strongly about this as we do.
by bbdude
Wed Dec 08, 2010 3:04 pm
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

Ah, okay. In an Oracle ERP environment - changes are often done directly in the DB and this is actually tracked. For example, if you wanted to set-up/configure a program to be used in Oracle ERP ... you would first add the packages to the Oracle DB and then register them at the application level. D...
by bbdude
Wed Dec 08, 2010 2:44 pm
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

I can't see how you were to accomplish this - there's no recording of changes active on that level (usually not, for performance reasons), so your primal goal would be to evaluate WHO has that access that enables her/him to change data on that level. I'll go farther: there can never be an approval ...
by bbdude
Wed Dec 08, 2010 11:02 am
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

Very helpful! Thank you so much for the explanation - very clear. Going back to my original question to make sure I understand what you have explained ... it seems someone with direct access to the DB supporting SAP could impact financial data by executing update/modify commands? Furthermore, someon...
by bbdude
Wed Dec 08, 2010 9:31 am
Forum: SAP Security
Topic: Accessing Data in SAP from UNIX AIX
Replies: 21
Views: 13607

Re: Accessing Data in SAP from UNIX AIX

If there is such a thing as the small4/small5 I am probably working for them - I am the basis-girl - the one using root to destroy databases. But I also have been doing SAP security for more than a decade now, and that is where my fondness for auditors comes from. Very interesting and good to know....