05-12-2015 2:39 AM
Hello Security Team,
One of our user has downloaded roles from PFCG and we need to find out who has done that.
Are there any change logs or report Where I can see who has downloaded and uploaded roles in PFCG?
Regards,
Deepak M
05-12-2015 4:41 AM
Hi Deepak
Why do you need to know? I'd be more concerned about uploading.
Downloading won't write any change logs. At best you might find who went to PFCG in STAD or SM20 logs.
If you want to restrict downloading roles then restrict ACTVT within S_USER_AGR for DL (Download) or UL (upload). If you have Firefighter (and it's important to restrict) then you could allow it there.
Regards
Colleen
05-12-2015 4:41 AM
Hi Deepak
Why do you need to know? I'd be more concerned about uploading.
Downloading won't write any change logs. At best you might find who went to PFCG in STAD or SM20 logs.
If you want to restrict downloading roles then restrict ACTVT within S_USER_AGR for DL (Download) or UL (upload). If you have Firefighter (and it's important to restrict) then you could allow it there.
Regards
Colleen
05-12-2015 5:49 AM
Hello Colleen,
More than who has downloaded, I am just wondering since its something important,
My doubt is: Whether there are any change logs for download and upload of roles?
If it is there, How to look into Change Logs and
If it is not there: Why didn't SAP not come with change logs for downloading and uploading in roles?
Regards,
Deepak M
P.S : @Colleen: Missing you lot on the GRC Space in Documents and Blogs...Please be more Active
05-12-2015 6:43 AM
Hi Deepak
Change logs aren't written for download as you are effectively downloading a file. You can prevent access which is valid to do to limit who is allowed to download security. Why is downloading a problem in your system?
For upload, change documents should exist but they won't show that you uploaded. If you see changes directly in a client then they weren't transport. Again, limit who is allowed to upload. If you have firefighter shift the authorisation there.
Regards
Colleen
P.S. I haven't had access to a GRC system for over a year. I am less active in the space as quite a few others have stepped up. I read the posts but there is no value in me contributing outdated knowledge - it is far better to let the newer members with current experience jump in and answer/produce content. GRC space is a lot more active than it was 2 years ago
05-12-2015 3:30 PM
Deepak,
As long as you have security audit log enabled in the client, you should be able to see who downloaded the role or just the profile. Good luck!
Pawan.