SAP S/4HANA® migration audit
Customise evaluation paths in SAP CRM for indirect role mapping
If such information is available from the past, it should be checked whether all topics have been implemented in accordance with the comments. If one or the other recommendation has not been implemented, this circumstance should in any case be documented in a comprehensible manner, or it should be possible to provide a comprehensible justification. However, it is not sufficient to focus only on the improvement potentials that have been presented, because it must be ensured that all those points that have not been criticized in the past will continue to fit. Preparation is made much more difficult if there are no helpful comments or reports from the previous fiscal year, or if it is a first-time audit or a change of auditor. What all does the IT auditor look at during the annual audit? There are topics that every auditor looks at because there are standards for doing so, however it is common for the auditor to perform additional audit procedures in the IT audit depending on the strategy of the overall audit. In this newsletter we want to focus on the most important standard audit topics on the process level and the IT controls defined therein in the context of the SAP® system.
Reference users are not intended to access an SAP system, but are used for authorisation administration and therefore always have a disabled password. Reference users inherit the permissions assigned to them to the users with whom the reference user is registered. For this purpose, the user buffer of the reference user is also created at login and these entries are also checked during permission checks of the inheriting user.
ACCESS CONTROL | AUTHORIZATION MANAGEMENT FOR SAP®
Depending on the transaction invoked, the application can be more granular checked by this additional permission check. Therefore, transactions that are called with additional parameters might require more than one authorization object and must be protected programmatically. The following listing shows an example of a permission check that ensures that the logged-in user has the permission to start the SU24 transaction.
Transactions: Transactions in the audit structure start the necessary evaluations for the audit. You can recognise transactions by the clock symbol ( ). Double-clicking on the icon opens the transaction in a new window and allows you to start the evaluation. In addition, the SAIS transaction log entries for this audit activity are displayed in the upper right pane of the display. These include the current date of execution, the verifier's user ID, a check status that you assign yourself, a weighting, and a justification for the check status that you also enter into a text box. Below is an overview of the audit activities performed so far, also with a time stamp, the user ID of the verifier, the weighting of the status of the audit activity and a justification. In order not to manipulate the scanning activities, it is not possible to modify data stored once.
For the assignment of existing roles, regular authorization workflows require a certain minimum of turnaround time, and not every approver is available at every go-live. With "Shortcut for SAP systems" you have options to assign urgently needed authorizations anyway and to additionally secure your go-live.
Understanding the structure and functioning of the system is especially important for IT administration. It is not for nothing that "SAP Basis Administrator" is a separate professional field. On the page www.sap-corner.de you will find useful information on this topic.
Here, too, you can take advantage of the values of the permission trace.
The freeware Scribble Papers puts an end to the confusing paper chaos. The tool is also suitable for storing, structuring and quickly finding text documents and text snippets of all kinds in addition to notes.
SAPCPIC: SAPCPIC is not a dialogue user, but is used for EDI usage in older releases (EDI = Electronic Data Interchange); in default, SAPCPIC has permissions for RFC access.