SAP colleagues - if a firefighter role, built manually from SAP_ALL, allows all access EXCEPT SAP security related authorizations (including global auth check switch) can a user during firefighting activities:
- delete security / transaction logs to hide fraudulent acts?
Would the database tables or any other system tables retain proofs of some or any of the fraudulent changes. Would there be any other proofs of what was done?
Is it true that SAP does not allow deletion of security / audit logs less then 3 days old? Also, if someone deletes logs (what are the diffierent ways to do it?) would tables on the db side record some of these actions that could be used as a proof of tempering?
Thank You!