Former Member

Oracle Audit: Direct Access

Hi all,

I would like to ask this question concerning auditing changes on the Oracle database, and especially sensitive data. I have seen in SAP Notes that direct access to the Oracle database is not recommended, or let's say illegal, by SAP. But the question for me is:

1/ Is it technically possible? Is it possible to connect to the DB using a third-party client like SQL Developer?

2/ If it's the case, is it (I insist) technically possible to alter data even with administrator users?

3/ Are changes auditable and how to check this?

We are running SAP ECC 6.0 EHP5 on Oracle 11g.

Many thanks

Amin


3 Answers

  • Best Answer
    Former Member
    Feb 22, 2013 at 02:51 PM

    Hi Amin,

    Please find the answers for your query.

    1/ Is it technically possible? Is it possible to connect to the DB using a third-party client like SQL Developer?

    Yes. It is possible. There are many third-party tools that can be used to fetch data from Oracle, provided your ODBC is configured correctly.

    2/ If it's the case, is it (I insist) technically possible to alter data even with administrator users?

    Yes. It is possible... There won't be any impact if we change the data either... But it is STRONGLY RECOMMENDED by SAP not to update the DB directly at DB level. Reasons could be many... One is that we are not sure whether the changes also need to be cascaded to other tables as well. In simple terms, you can connect to your SAP DB just to view the data, not to modify it, unless you are 100% sure of the impact.

    3/ Are changes auditable and how to check this?

    All DB changes can be traced... The DBA team will be able to help find a way for this... But I am sure there should be a way... If you change any data at SAP level, the corresponding log table will also be updated with the changes.

    I hope it helps.

    Please check and provide your feedback.

    Thanks and Regards,

    Vimal



    • Go to SE11 -> Technical Settings

      There is a protocol flag.

      You can check for table T000.

      BUT: This is NOT an auditing tool (in contradiction to what auditors think it is).

      It is a helping hand to track customizing changes.

      The changes go to table DBTABLOG and can be viewed with report RSTBHIST.

      Once you have the first (bad) development consultant in house who sets this flag for a highly frequented Z-application table, DBTABLOG will be spammed soon and you will not be able to evaluate it at all.

      If you want change documents for application tables, you need to program them (!).

      Volker

  • Feb 22, 2013 at 05:02 PM

    Hi,

    Answers are : YES, YES, and

    YES, but useless when incomplete.

    And "How to check this" is a brilliant question, which nobody can answer up to now.

    Auditing the DBA can be done with Oracle Vault.

    Well, at least you can do quite a couple of things.

    But data can be stolen / changed by SAP admins as well.

    You would not think what funny things you can do with tp and R3trans.

    Auditing SAP admins is even harder, as there are no tools for this, and all they do looks like application access at first, because they use the schema owner.

    Volker


  • Former Member
    Feb 22, 2013 at 08:34 PM

    To limit access for administrative users one can use products such as Oracle Data Vault (extra $ for license) - see Oracle documentation or note https://service.sap.com/sap/support/notes/1355140

    Auditing access - successful or not - at Oracle level is quite straightforward, if desired, and very powerful. Even without third-party tools you can achieve a lot with the audit syntax - see the documentation at http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#i2059073 for example. As with any auditing, be very selective about what you want to enable, as auditing causes overhead, and too much data to go through is less likely to be of any real use.

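As an added illustration of the standard AUDIT statement mentioned in the last answer (example code, not from any poster in this thread): Oracle 11g auditing of logons as the SAP schema owner and of DML on one sensitive table, followed by the review queries that separate SAP work-process sessions from direct tool logons, which is the gap Volker points out. The schema owner SAPSR3, the <sid>adm OS user ecpadm and the application server hostnames app01/app02 are assumptions; T000 is the table named above.

```sql
-- Added example for the thread above; not from any poster. Run as SYSDBA on Oracle 11g.
-- Assumed values: SAP schema owner SAPSR3, <sid>adm OS user ecpadm, app servers app01/app02.

-- 1. Keep the audit trail in the database and record the SQL text of each audited
--    statement (change is picked up at the next instance restart).
ALTER SYSTEM SET AUDIT_TRAIL=DB, EXTENDED SCOPE=SPFILE;

-- 2. One record per logon/logoff of any database user, successful or not.
AUDIT SESSION BY ACCESS;

-- 3. One record per statement touching the sensitive table, successful or not.
AUDIT SELECT, INSERT, UPDATE, DELETE ON SAPSR3.T000 BY ACCESS;

-- 4. Confirm what is now being audited (SUCCESS/FAILURE columns read BY ACCESS).
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SAPSR3';

-- 5. Review: sessions as the schema owner that did NOT come from an SAP work process.
--    Work processes log on as the <sid>adm OS user from an application server host;
--    a DBA using SQL Developer appears with a workstation hostname and personal OS user.
SELECT timestamp, os_username, userhost, terminal, action_name, returncode
  FROM dba_audit_session
 WHERE username = 'SAPSR3'
   AND (os_username <> 'ecpadm' OR userhost NOT IN ('app01', 'app02'))
 ORDER BY timestamp DESC;

-- 6. Review: every change to the audited table, with the statement that made it.
--    returncode 0 means the statement succeeded; any other value is a failed attempt.
SELECT timestamp, os_username, userhost, username, action_name, returncode, sql_text
  FROM dba_audit_trail
 WHERE owner = 'SAPSR3'
   AND obj_name = 'T000'
   AND action_name IN ('INSERT', 'UPDATE', 'DELETE')
 ORDER BY timestamp DESC;
```

The host/OS-user filter in step 5 is a heuristic, not a guarantee: an admin logged on to the application server as <sid>adm is indistinguishable from a work process in this trail, which is why the answer above points to Oracle Database Vault for real separation of duties.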