10-07-2008 3:05 PM
Good Morning,
I have a question for anyone in regards to SAP Audit books and the list of tables it supplies. I recently took a job as Internal Controls. I was asked to find out if we are logging the following list of tables:
Table Name Description
X-DD02V List of tables and descriptions
SREPOATH ABAP program and authorization groups
X-T000 Clients
T001 Company codes
T001B Fiscal periods for company codes
TACT Activities that can be protected
TACTT Activities that can be protected, with descriptions
X-TACTZ Authorization objects and valid activities
X-TBRG Authorization objects and authorization groups
X-TBRGT Authorization objects and authorization groups, with descriptions
TCURR Foreign currency exchange rates
X-TDDAT Table authorization groups
X-TOBJ Authorization objects
X-TOBJT Authorization objects and descriptions
X-TOBC Authorization object class
X-TOBCT Authorization object class, with description
TPGP ABAP program authorization groups
X-TRDIR ABAP program and authorization group
X-TSTC Transaction listing
X-TSTCA Values for transaction code authorizations
X-TSTCT Transactions with description
X-TCESYST Correction and transport system configuration tables
X-TASYS Correction and transport system configuration tables
X-TDEVC Correction and transport system configuration tables
USR01 User Master Records
USR02 User ID and passwords
USR03 User address data
USR04 User master authorizations
USR05 User master parameter ID
USR06 Additional data per user
USR07 Objects/values of last failed authority check
USR08 Table for user menu entries
USR09 Entries for user menus (work areas)
USR10 User master authorization profiles
USR11 User master profiles and descriptions (for USR10)
USR12 User master authorization values
USR13 Authorization descriptions
USR30 Additional information for user menu
X-USR040 Impermissible passwords
USH02 Change history for logon data
USH04 Change history for authorizations
USH10 Change history for authorization profiles
USH12 Change history for authorization values
USOBT Transaction codes and authorization object, with value fields
USOBX Transaction codes and authorization object, with value fields
I know many of these, but my question is... why does an audit book tell you to log some of these? I don't get it. I do searches on many of these tables looking for a good reason to log some of these tables and find nothing but this is how to run an audit. Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books since they are not SAP people doing the audit.
I have put an "X-" in front of the ones that make some sense to me, but why the others... and what are the SAP people supposed to review in the tables... Like the USR01, if a person changes their name we need to see that... why? Or the USOBT and USOBX tables... these are only used upon profile generator and no one should be generating a profile in PRD...
Any help would be greatly appreciated.
Kind Regards,
Paul
10-07-2008 3:28 PM
There are different types of logging.
Table change logging => SE13.
USR* change documents => USH* tables (similar to master data change documents).
Business Change Documents => SU8* tcodes which have user as well as Archived USH* data.
Auditors often only know about the 1st one and mistake it for the others.
Typically, you can only influence the first one (SE13, log data changes).
> Why is the USR01 relevant? Many auditors use this list since most follow SAP audit books since they are not SAP people doing the audit.
That sounds like a recipe for misunderstandings, as interpreting SAP tables and single fields of them can be confusing (when it differs from the program's use of them), or even obsolete in some cases...
Hope that helps you define the question and concepts better.
Cheers,
Julius
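The distinction drawn in the reply above, as an added example that is not part of the original thread or any poster's code: given an export of the SE13 "log data changes" flag, classify each table on an audit list by which mechanism actually records its changes. The export format (DD09L with its PROTOKOLL field), the rec/client profile parameter and the USRnn-to-USHnn pairing by number are assumptions not stated on the page; the sample rows are constructed.

```python
import csv
import io

# Constructed sample: CSV export of DD09L (table technical settings).
# PROTOKOLL = 'X' means "log data changes" is ticked in SE13.
# Rows are invented for illustration, not taken from a real system.
DD09L_EXPORT = """TABNAME,PROTOKOLL
T000,X
T001,X
T001B,
TCURR,
USR01,
USR02,
"""

# Assumption: USR tables are paired with the USH change-history table
# of the same number, matching the descriptions in the thread's list.
USH_HISTORY = {"USR02": "USH02", "USR04": "USH04",
               "USR10": "USH10", "USR12": "USH12"}

def load_logged_tables(export_text):
    """Return the set of tables that have the SE13 logging flag set."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["TABNAME"].strip().upper() for row in reader
            if (row["PROTOKOLL"] or "").strip().upper() == "X"}

def logging_coverage(audit_tables, export_text, rec_client="OFF"):
    """Classify each audited table by the mechanism that records changes."""
    flagged = load_logged_tables(export_text)
    # Assumption: the SE13 flag has no effect while rec/client is OFF.
    active = rec_client.strip().upper() != "OFF"
    result = {}
    for name in audit_tables:
        table = name.strip().upper()
        if table in USH_HISTORY:
            result[table] = "change documents in " + USH_HISTORY[table]
        elif table in flagged and active:
            result[table] = "table logging (SE13)"
        elif table in flagged:
            result[table] = "SE13 flag set but rec/client is OFF"
        else:
            result[table] = "no SE13 flag, no USH table"
    return result

if __name__ == "__main__":
    audit_list = ["T000", "T001B", "USR01", "USR02", "TCURR"]
    for table, status in logging_coverage(audit_list, DD09L_EXPORT, "ALL").items():
        print(f"{table:8} {status}")
```

A table that lands in the last bucket is one where the audit request needs a stated reason before the SE13 flag is switched on.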
10-17-2008 4:12 PM
Julius,
Thank you for your assistance. I apologize for not getting back to you more quickly. This helps me explain to others the flaws that I see in their current monitoring of tables.
Have a Great Weekend!
Paul
10-18-2008 8:02 PM
User data resides in tables usr01-usr31. This can be used as a quick and dirty way to obtain any user data. All these tables basically show the current user related details.
USH* data shows all the changes made with the existing user records. For example, if a user gets changed with:
resetting passwords
roles/profile changes
lock status, etc.
To know more details about why these tables are mainly used for SAP Security, please visit http://sap.service.com/security.
Regards
Anandm
10-21-2008 7:55 PM
Anand,
Thank you for your response. I actually understand SAP security; I have the SAP Security certification. My question revolves around why they would be monitored and why they would be an audit concern. I have been looking at some SAP Audit books and I keep seeing these tables listed as ones needed to be monitored, but not one of the books actually explains how or why. From my Basis and Security background I found that Audit does this a lot, throwing a question or a request out there but not explaining what they mean or what they want. Now that I am in the position to request this information I want to still know why. I don't want to ask some poor SAP Basis/Security person without being able to explain to him/her what I actually want or mean.
I do understand the USH are the logs and the USR tables hold user data. I have looked at them both in the past, but my question, as just stated, is WHY. Can you give me an example of how this could be of financial impact? Also, how would an auditor look at these tables? Do they want to know who is making changes to the tables... direct access to edit these tables...
I am sorry to say, but I can still see no need to monitor the USR tables, as the changes to the user information that is most relevant are logged in the USH tables. And as for access to the USH tables, that can just be monitored by S_TABU_DIS and the USH tables (or auth group).
Have a great day and thank you again for responding.
Kind Regards,
Paul