
MaxDB & SOX

Former Member
0 Kudos

Hi,

I need some information about SOX certification and MaxDB. Does anybody know what has to be implemented or customized so that MaxDB is SOX-conformant?

As far as I know, there is no auditing within MaxDB as it is known within Oracle. On the other hand, the user SAP<SID> is the only user which is able to make changes in the database. How is it possible to personalize this user? Is there a chance to audit the activities of this user?

Is MaxDB a database which can be used if a company has to be SOX-accredited?

It would be great if somebody could give me a hand.

Best Regards,

Fabian Reutter

Accepted Solutions (0)

Answers (1)

lbreddemann
Active Contributor
0 Kudos

Hi Fabian,

Basically, SOX requires that business data is properly used and that the system that keeps that data is also handled properly. (A short list of SOX requirements can be found here: http://www.dbazine.com/ofinterest/oi-articles/mcquade2)

In SAP landscapes all this is ensured (regardless of what database system is used) by what is called the BASIS component of the NetWeaver platform (ABAP dictionary, 3-system landscape, Security, CCMS etc.). It also features things such as table logging, with which changes to business data are logged.

On the database layer of the SAP system there is a very simple but strict security setup: all application data can only be changed by the DB user that owns the SAP schema (that's SAP<SID> for ABAP stacks and SAP<SID>DB for Java stacks).

It's not allowed to log on as this DB user to access or change the data. Technically this is hindered by the encryption of the logon password.

Anyhow, it's still possible to gain knowledge of this logon data and violate the data access permissions.

To do so would be what is called hacking into the system: an illegal activity. It requires DBA access to the database, network access to the database server, malicious intent and in-depth knowledge of how to access the SAP data.

As SOX is not specifically about preventing system hacks by any means, but about the correct handling of business data, there is no reason why the DBMS used for SAP systems should be a problem for a company that tries to get SOX-certified.

MaxDB has no special auditing feature, that's correct. But in the default setup the SAP user is the ONLY user that can access its data at all. Even DBA users such as control or superdba have no access to the data via the database interface. (That's even more locked down than in Oracle installations, where the SYSDBA user by default can access any table in the system!)

So with the right measures in place (access control to the database server, the DBA tools, the DB interface tools in general, organisational measures to double-check administrative access to the database etc.) there is no reason to see MaxDB as weaker or more exposed to hacks than any other DBMS supported by SAP.

So, yes: among the other DBs supported by SAP, MaxDB can be used by companies that are SOX-certified. In fact, SAP itself widely uses MaxDB. This portal is running on it.

Hope that helps a bit,

KR Lars
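The answer above rests on a compensating control: since MaxDB itself keeps no audit trail, the organisation has to watch who connects to the database, from where and with which tool, and double-check anything that is not the SAP application servers using the schema owner. The following script is an added example (not part of the thread, not SAP's or MaxDB's own tooling) of how such a review can be automated from connection records gathered outside the database. The record format, the host names, the SID "PRD" (giving the schema owner SAPPRD) and the policy table are all constructed for the example; the DBA user names control and superdba are the ones mentioned in the answer.

```python
"""Compensating access review for a DBMS without native auditing (added example).

Assumption (constructed): each connection that reaches the database server
is logged as one line of the form
    <ISO timestamp> user=<db user> host=<source host> tool=<client program>
for instance by the server's own connection logging or a network sensor.
The script checks every record against a policy and returns the records
a reviewer must double-check, which is the organisational measure the
answer describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    timestamp: str
    db_user: str
    source_host: str
    tool: str  # e.g. "disp+work" (SAP work process), "dbmcli", "sqlcli"


# Constructed policy for a system with SID "PRD":
#  - the schema owner SAPPRD may only be used by the SAP application servers
#    and only through the SAP work processes;
#  - the DBA users may only come from the admin host and only through the
#    database manager tool, never through the SQL interface tool.
POLICY = {
    "SAPPRD": {"hosts": {"app01", "app02"}, "tools": {"disp+work"}},
    "CONTROL": {"hosts": {"admin01"}, "tools": {"dbmcli"}},
    "SUPERDBA": {"hosts": {"admin01"}, "tools": {"dbmcli"}},
}


def parse_record(line):
    """Parse one constructed log line into a Connection (user names are case-insensitive)."""
    timestamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Connection(timestamp, fields["user"].upper(), fields["host"], fields["tool"])


def evaluate(conn):
    """Return None when the connection matches the policy, otherwise the reason it does not."""
    rule = POLICY.get(conn.db_user)
    if rule is None:
        return f"unknown database user {conn.db_user}"
    if conn.source_host not in rule["hosts"]:
        return f"{conn.db_user} connected from unexpected host {conn.source_host}"
    if conn.tool not in rule["tools"]:
        return f"{conn.db_user} used {conn.tool} instead of an approved tool"
    return None


def review(lines):
    """Return a list of (timestamp, reason) findings for the reviewer, in log order."""
    findings = []
    for line in lines:
        conn = parse_record(line)
        reason = evaluate(conn)
        if reason is not None:
            findings.append((conn.timestamp, reason))
    return findings


# Constructed sample log: two normal connections, then three that need review.
SAMPLE_LOG = [
    "2024-01-05T10:15:00 user=SAPPRD host=app01 tool=disp+work",
    "2024-01-05T10:16:30 user=control host=admin01 tool=dbmcli",
    "2024-01-05T22:41:07 user=SAPPRD host=laptop17 tool=sqlcli",
    "2024-01-05T22:45:12 user=superdba host=admin01 tool=sqlcli",
    "2024-01-06T08:00:00 user=auditor host=admin01 tool=dbmcli",
]

if __name__ == "__main__":
    for timestamp, reason in review(SAMPLE_LOG):
        print(f"{timestamp}  REVIEW: {reason}")
```

The order of the checks matters for the finding a reviewer sees: a schema-owner logon from an unknown host is reported as a host violation before the tool is looked at, because the source of the connection is the stronger indicator that someone is using the SAP<SID> credentials outside the application.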