
Controlling SIDADM access per SOX audit compliance

Former Member
0 Kudos

Hello....

We are going through our first SAP ERP implementation and had a few questions about the SIDADM user and audit. We are running the SAP system on a Windows server with an Oracle database. The SIDADM user is currently shared by the Basis team to maintain the SAP servers. The Basis team logs into the server using the SIDADM account to start/stop the SAP system, run any command-based utilities (i.e. sappfpar or tp) when needed, and create/execute batch scripts for backups/exports/etc. However, since the password for this user is shared by the whole team, we are concerned about SOX audit compliance.

1. How do other customers in Windows environments control the SIDADM account to satisfy audit requirements? Audit doesn't normally allow shared accounts on SAP servers. When someone directly logs into the SAP server with SIDADM, we can't trace who logged on and made changes to the system.

2. If the password for SIDADM is not shared by the basis team, how does the basis team maintain the SAP servers (i.e. start/stop instance)?

3. Can the SAP systems be maintained by individual users without using SIDADM? If so, how?

We are looking for recommendations on how to control the super users in the SAP environments (SIDADM, DB users, etc) to satisfy SOX audit requirements.

Thanks for all your help. Any recommendations will be appreciated~~

Janet

Accepted Solutions (0)

Answers (6)

Former Member
0 Kudos

Hi ,

Please send the same document to me as well.

I am in the same situation now. Please share the document and suggest how to control sidadm account access as per SOX recommendations.

a.vasunag@gmail.com

Cheers,

AVN

Edited by: vasu nag on Sep 21, 2008 8:57 PM

Former Member
0 Kudos

For info:

SOX (Sarbanes-Oxley Act, in particular Section 404) is a high-level auditable requirement.

BASIS activities are lower down and are subject to some slack in the actual implementation of the interpretation.

The SAP administration (BASIS) area comes under its own audit(s) of particular variations, all of which are usually underneath SOX or another higher level requirement.

Regards

Ashley

former_member192350
Active Participant
0 Kudos

I've seen two methods of administration in Windows environments. The first is the one you're using (everyone shares the sidadm password). The other is to put individual Basis team members into the Administrators group on the local servers (or make them domain admins). This way they have complete control over the servers, and there is an audit trail in the event log when something is changed, rebooted, etc. You can copy the shortcut from the sidadm user's desktop to the other people's, or create a new one (e.g. to C:\WINDOWS\system32\MMC.EXE "C:\WINDOWS\SAPMMC.MSC").

Rich

Former Member
0 Kudos

Rich's way to do this is very good. At smaller sites that I have worked with, the number of Basis admins was small, so they all shared the SIDADM password but protected it with a shorter, more restrictive password policy (such as changing it every 60 days and making it at least 10 characters long with mixed case and character types [a good password generator can help]).

J. Haynes

Denver
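An added example, not from this thread or from SAP, that audits the two controls described by Rich (named accounts in the local Administrators group, with the event log as the audit trail) and by J. Haynes (rotating the shared sidadm password every 60 days). It assumes the system ID is "PRD" (a placeholder), that sidadm is a local account, and that Security auditing of logon events is enabled.

```powershell
# Added example (not from this thread): audit the sidadm controls on a Windows SAP host.
# Assumes SID "PRD" (placeholder) and a local sidadm account; for a domain account
# replace Get-LocalUser with Get-ADUser -Properties PasswordLastSet.
param(
    [string]$SID = "PRD",          # placeholder system ID; sidadm becomes prdadm
    [int]$MaxPasswordAgeDays = 60  # rotation window quoted by J. Haynes
)

$sidadm = "$($SID.ToLower())adm"

# 1. Who holds individual admin rights (Rich's approach: named accounts in the
#    local Administrators group instead of one shared login).
"== Local Administrators on $env:COMPUTERNAME =="
Get-LocalGroupMember -Group "Administrators" |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Is the shared sidadm password still inside the rotation window?
$acct = Get-LocalUser -Name $sidadm -ErrorAction Stop
$age  = (Get-Date) - $acct.PasswordLastSet
"== $sidadm password age: {0:N0} days (policy: {1} days) ==" -f $age.TotalDays, $MaxPasswordAgeDays
if ($age.TotalDays -gt $MaxPasswordAgeDays) {
    Write-Warning "$sidadm password is older than $MaxPasswordAgeDays days; rotation is overdue."
}

# 3. Audit trail: interactive (2) and RDP (10) logons, event 4624, for the shared
#    account over the last 7 days. These rows show when sidadm was used, but not by
#    which person, which is exactly the gap the original question describes.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Properties[5].Value -ieq $sidadm -and $_.Properties[8].Value -in 2, 10
    } |
    Select-Object TimeCreated,
        @{ n = 'LogonType'; e = { $_.Properties[8].Value } },
        @{ n = 'SourceIP';  e = { $_.Properties[18].Value } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the SAP host; the property indexes used for event 4624 (5 = TargetUserName, 8 = LogonType, 18 = IpAddress) follow the standard layout of that event.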

Former Member
0 Kudos

One other thing to keep in mind is audit requirements will be different from audit firm to audit firm. At some sites I have worked at they have asked for information on who has access to the sidadm accounts and how often the password is changed. Other firms barely know what the sidadm account is for and never ask for access info nor make recommendations on how to further secure these admin type accounts.

J. Haynes

Denver

Former Member
0 Kudos

Do you think it is a good practice??

Don't you think it is questionable by the external auditor??? As SOX and PCAOB do not allow you to do this, this is

gross misconduct....

keyur

Former Member
0 Kudos

Could you please send me a copy as well. My mail id is <email address deleted by moderator>

ravi

Former Member
0 Kudos

Ravi could you please fwd me the copy of the PPT as well.

I want to know all about SOX and BASIS .

My email ID is <email address deleted by moderator>

I would appreciate any information.

Former Member
0 Kudos

pl mail the ppts to my mail id

<email address deleted by moderator>

Thanks

Arun

Former Member
0 Kudos

The Forums are for the public sharing of information. Please do not share documents through private email. It is illegal to share proprietary documents.

If a procedure, etc. is good, then it should be submitted as SDN Content for all to share.

Best Regards,

Matt

Former Member
0 Kudos

Hi Janet,

could you please forward this document ??

Thanks in advance!!!

Simos

email: <email address deleted by moderator>

Former Member
0 Kudos

Can you also forward the PPT to my e-mail account.

<email address deleted by moderator>

Thanks in advance,

Harry.

Former Member
0 Kudos

Hello,

I have one SOX PPT related to SAP BASIS parameters and requirement for SOX audit...

If you require it then I will forward it to you.... Give me your email ID to forward it to....

or you can mail me at <email address deleted by moderator>

Thanks

Former Member
0 Kudos

Hello..

thanks for the reply..

I would really appreciate the PPT.

My email address is <email address deleted by moderator>

thanks for your help~

Janet

Former Member
0 Kudos

dear janet,

Would you mind forwarding that PPT file to me as well? I'm just eager to understand as much about SOX as possible.

my email address is <email address deleted by moderator>

thanks & regards,

sri srirangam

Former Member
0 Kudos

Hi.

I need some help from you. Do you have any ideas about SOX, or what the role of SOX is in SAP Basis?

If you can provide me any documentation on SOX it will be really helpful for me.

Please treat this email as an urgent requirement.

You can mail me at <email address deleted by moderator>

former_member192350
Active Participant
0 Kudos

Google for 'SOX' or 'Sarbanes-Oxley'. You can get the complete text of the act online; there's a good overview at http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act.

Rich

Former Member
0 Kudos

SOX is a financial regulation which every publicly traded company has to comply with.

As a Basis administrator you will help the enterprise in managing the internal controls and providing the level of security which is needed by SOX.

As a Basis administrator you will see that two important roles are not shared by one entity.

Say, buying a product and paying for that product cannot be shared by one entity within the company......