Skip to Content
author's profile photo Former Member
Former Member

Firefighter role built from SAP_ALL - proof of fraudulent changes

SAP colleagues - if a firefighter role, built manually from SAP_ALL, allows all access EXCEPT SAP security related authorizations (including global auth check switch) can a user during firefighting activities:

- delete security / transaction logs to hide fraudulent acts?

Would the database tables or any other system tables retain proofs of some or any of the fraudulent changes. Would there be any other proofs of what was done?

Is it true that SAP does not allow deletion of security / audit logs less then 3 days old? Also, if someone deletes logs (what are the diffierent ways to do it?) would tables on the db side record some of these actions that could be used as a proof of tempering?

Thank You!

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

1 Answer

  • Best Answer
    Posted on Jan 17, 2012 at 04:39 PM

    Hi Ivan,

    I hope that you are asking this from a control perspective and not trying to find out how to cover your tracks??!!!!

    The Firefighter Log reports are based on a defined set of criteria; namely the STAD / STAT transaction logs and the change document logs held within CDHDR.

    In version 10.0 this is enhanced significantly with the inclusion of the OS Command logs, Audit logs and System logs but still table logs are not included.

    If the Firefighter ID has the authorisations to go in and delete the source data which runs these logs and the firefighter User knows how to do it then, of course, there is a risk that the logs can be deleted.

    it is good practice to ensure that the authorisations provided to Firefighter IDs is carefully considered to minimise this risk and that if they do indeed have this ability, that the Controllers and Owners fully understand the risks involved with assigning it and take appropriate controlling actions.


    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hello Ivan

      This point has been discussed in the security forum Protection of SAP Log Files

      I think that SAP_ALL Firefighters is a bad idea. Only one SAP_ALL user should be used. This is the "admin" user (replace the use of DDIC and SAP*). I think that this admin user shouldn't be a firefighter user. What if there's a problem with the firefighter module and you cannot log-on via firefighter?...then I think you should have a admin user in production system and grant access to this user in specific circumstances. There should be well defined a procedure to enable this user.



Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.