This website is not affiliated with, sponsored by, or approved by SAP AG.

Accessing Data in SAP from UNIX AIX

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Wed Dec 08, 2010 3:44 pm

thx4allthefish wrote:Last, not least - I hope, you did not take offense with my raving!


Not at all - I very much agree and wish my fellow auditors felt as strongly about this as we do.
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby Al. » Thu Dec 09, 2010 3:34 am

Really good descriptions Fish.

bbdude, are you Big4 or one of the others? I did my audit stint at PwC back in the day.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Thu Dec 09, 2010 8:40 am

Al. wrote:Really good descriptions Fish.

bbdude, are you Big4 or one of the others? I did my audit stint at PwC back in the day.


I am Big4, but took the road less traveled. Did systems administration in industry first then went to a pure consulting firm where I did Oracle advisory and then off to the Big4 where I am today.
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby Al. » Thu Dec 09, 2010 9:53 am

It's the way to go I reckon. My POV is that the contextual info you get from time in industry really adds value to clients when helping them understand their audit problems.
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Accessing Data in SAP from UNIX AIX

Postby gregir » Tue Dec 14, 2010 10:13 am

Having run projects in both Oracle Apps and SAP, I was shocked by the ability to make changes at the varying levels in the Oracle system that directly affected both the code that processes data and the data itself. The setup of the DB and the Oracle apps seem (to me anyway) to have few controls. Coming from the SAP world and knowing some BASIS and good but of security, Orcle Apps was a very open system wioth few change controls on the abiltiy to change code and move it to production.
There is no standard equivalent to the transport process with its controls and release mechanisms. My understanding is that this functionality is provided by a third party product that is purchased separately.
Tuly Idiot
http://www.bluedragonfishing.com

Greg Robinette, CISM
757-407-7683 or 434-263-6942
Lovingston, Va. 22949
grobinette@lentechinc.com
gregir
 
Posts: 453
Joined: Mon Oct 21, 2002 3:35 am
Location: Lovingston, Va.

Re: Accessing Data in SAP from UNIX AIX

Postby bbdude » Fri Jul 15, 2011 11:27 am

Hey! I'm back 8)

I thought of another questions regarding SAP and the supporting infrastructure.

Say I have root access to the OS and root access to the Database. When I log into the database, what does the schema look like? Is it complex or would it be somewhat easy to navigate (like in Oracle DB/ERP environments)? Would someone have to be an expert to manipulate financial data at the database level?
bbdude
 
Posts: 21
Joined: Wed Nov 03, 2010 8:16 am

Re: Accessing Data in SAP from UNIX AIX

Postby henrik » Sun Jul 17, 2011 8:28 pm

The schema is somewhat complex - will have to be with 300.000+ tables in the system.
So yes, you would need to know what you are doing, but that being said, if you know enough to get onto the db as root, you can probably figure out how to manipulate it as well... But making sure everything is updated so it looks genuine from SAP side would probably be fairly tricky. So yes, you can change/manipulate data quite easily, but I doubt you could hide it from someone who knows what to look for.
Does that make sense?

/henrik
www.turnkeyconsulting.com.au
henrik
 
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK

Previous

Return to SAP Security

Who is online

Users browsing this forum: No registered users and 4 guests





This website is not affiliated with, sponsored by, or approved by SAP AG.