on 10-18-2006 6:01 PM
Hello...
We are going through our first SAP ERP implementation and had a few questions about the SIDADM user and audit. We are running the SAP system on Windows servers with an Oracle database. The SIDADM user is currently shared by the Basis team to maintain the SAP servers. The Basis team logs into the server using the SIDADM account to start/stop the SAP system, run any command-based utilities (i.e. sappfpar or tp) when needed, and create/execute batch scripts for backups/exports/etc. However, since the password for this user is shared by the whole team, we are concerned about SOX audit compliance.
1. How do other customers in Windows environments control the SIDADM account to satisfy audit requirements? Audit doesn't normally allow shared accounts on SAP servers. When someone directly logs into the SAP server with SIDADM, we can't trace who logged on and made changes to the system.
2. If the password for SIDADM is not shared by the basis team, how does the basis team maintain the SAP servers (i.e. start/stop instance)?
3. Can the SAP systems be maintained by individual users without using SIDADM? If so, how?
We are looking for recommendations on how to control the super users in the SAP environments (SIDADM, DB users, etc) to satisfy SOX audit requirements.
Thanks for all your help. Any recommendations will be appreciated.
Janet
Hi,
Please send the same document to me as well.
I am in the same situation now. Please share the document and suggest how to control sidadm account access as per SOX recommendations.
a.vasunag@gmail.com
Cheers,
AVN
Edited by: vasu nag on Sep 21, 2008 8:57 PM
For info:
SOX (Sarbanes-Oxley Act, in particular Section 404) is a high-level auditable requirement.
BASIS activities are lower down and are subject to some slack in the actual implementation of the interpretation.
The SAP administration (BASIS) area comes under its own audit(s) of particular variations, all of which are usually underneath SOX or another higher level requirement.
Regards
Ashley
I've seen two methods of administration in Windows environments. The first is the one you're using (everyone shares the sidadm password). The other is to put individual Basis team members into the Administrators group on the local servers (or make them domain admins). This way they have complete control over the servers, and there is an audit trail in the event log when something is changed, rebooted, etc. You can copy the shortcut from the sidadm user's desktop to the other people's, or create a new one (e.g. to C:\WINDOWS\system32\MMC.EXE "C:\WINDOWS\SAPMMC.MSC").
Rich
Rich's way to do this is very good. At smaller sites that I have worked with, the number of Basis admins was small, so they all shared the SIDADM password but protected it with a shorter, more restrictive password policy (such as changing it every 60 days and making it at least 10 characters long with mixed case and character types [a good password generator can help]).
J. Haynes
Denver
One other thing to keep in mind is that audit requirements will be different from audit firm to audit firm. At some sites I have worked at, they have asked for information on who has access to the sidadm accounts and how often the password is changed. Other firms barely know what the sidadm account is for and never ask for access info nor make recommendations on how to further secure these admin-type accounts.
J. Haynes
Denver
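As an added example (not from any poster in this thread), a PowerShell report that collects the three things Rich and J. Haynes say auditors tend to ask for on a Windows SAP host: who holds local Administrators rights, how old the shared sidadm password is against a 60-day rotation, and whether the shared account has been used interactively (which the event log cannot attribute to a person). It assumes a modern host (Server 2016+ with PowerShell 5.1 and the LocalAccounts module), a local rather than domain sidadm account, an elevated session, and uses the placeholder SID `prdadm` and hypothetical thresholds.

```powershell
# Added example, not from the thread: audit evidence for a shared <SID>adm account on a
# Windows SAP host. Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts and
# read access to the Security log (run elevated). $SidAdm and thresholds are placeholders.
param(
    [string]$SidAdm = 'prdadm',        # hypothetical: SID = PRD
    [int]$MaxPasswordAgeDays = 60,     # rotation interval mentioned in the thread
    [int]$LookbackDays = 30
)

# 1. Who has local admin rights? Under Rich's model these should be named Basis accounts.
Write-Host "== Local Administrators on $env:COMPUTERNAME =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Password age of the shared account versus the policy the team committed to.
$acct = Get-LocalUser -Name $SidAdm
if ($acct.PasswordLastSet) {
    $ageDays = (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
    $state = if ($ageDays -gt $MaxPasswordAgeDays) { 'OVERDUE' } else { 'OK' }
    Write-Host "== $SidAdm password last set $($acct.PasswordLastSet) ($ageDays days): $state =="
} else {
    Write-Host "== $SidAdm password has never been set or age is unavailable =="
}

# 3. Interactive use of the shared account. Logon type 2 = console, 10 = RDP; each hit is
#    an action on the server that the event log cannot tie to an individual person.
$since  = (Get-Date).AddDays(-$LookbackDays)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
          -ErrorAction SilentlyContinue
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $SidAdm -and $d.LogonType -in '2', '10') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            LogonType = $d.LogonType
            Source    = $d.IpAddress
            Station   = $d.WorkstationName
        }
    }
}
Write-Host "== Interactive $SidAdm logons in the last $LookbackDays days: $(@($hits).Count) =="
$hits | Sort-Object Time | Format-Table -AutoSize
```

On a host where the Basis team works under named accounts and sidadm is used only as the service identity, section 3 should come back empty; any rows there are the untraceable actions the original question is worried about.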
Could you please send me a copy as well? My mail ID is <email address deleted by moderator>
ravi
Hi Janet,
Could you please forward this document?
Thanks in advance!!!
Simos
email: <email address deleted by moderator>
Hello,
I have one SOX PPT related to SAP BASIS parameters and requirements for SOX audit...
If you require it, I will forward it to you. Give me your email ID to forward it to.
Or you can mail me at <email address deleted by moderator>
Thanks
Google for 'SOX' or 'Sarbanes-Oxley'. You can get the complete text of the act online; there's a good overview at http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act.
Rich
SOX is a financial regulation which every publicly traded company has to comply with.
As a Basis administrator you will help the enterprise in managing the internal controls and providing the level of security which is needed by SOX.
As a Basis administrator you will see that two important roles are not shared by one entity.
Say, buying a product and paying for that product cannot be shared by one entity within the company.