The SAP R/3 user ID SAP* and the other system user IDs have been adequately secured.
Performed the following steps to confirm that user ID SAP* has been adequately secured:
- Verified whether the default password of SAP* was changed in all production clients:
  Execute transaction code SA38 and run report RSUSR003.
- Reviewed the RSUSR003 report to verify that the parameter login/no_automatic_user_sapstar is set (value = 0).
Who has SAP_ALL and SAP_NEW
Users with SAP_ALL:
- Execute transaction code SUIM.
- Click on "User".
- Click on "List of users according to complex selection criteria".
- Click on "By user profiles".
- Enter SAP_ALL in the Profile field and click the Execute button.
Users with SAP_NEW:
- Execute transaction code SUIM.
- Click on "User".
- Click on "List of users according to complex selection criteria".
- Click on "By user profiles".
- Enter SAP_NEW in the Profile field and click the Execute button.
Risk: The SAP_ALL profile grants a user full/complete access to all functions in the SAP system and has the potential to be misused. The SAP_ALL profile should only be assigned to a minimal number of users on the system.
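The SUIM review above produces a user list per profile; the script below, an added example that is not part of the original checklist, shows how an auditor can reconcile such a list against an approved set of SAP_ALL holders and report every SAP_NEW holder. The tab-separated export text, the approved list and the user names are all constructed for the example.

```python
"""Review of SAP_ALL / SAP_NEW holders from an SUIM user list.

Added example, not part of the original checklist. The tab-separated text
below is a constructed stand-in for the list SUIM produces under
'List of users according to complex selection criteria' > 'By user profiles';
a real review would export that list and feed it to parse_export().
"""
from dataclasses import dataclass

PRIVILEGED_PROFILES = ("SAP_ALL", "SAP_NEW")

# Users approved to hold SAP_ALL, per client. Hypothetical list: it stands in
# for whatever the system owner has signed off on.
APPROVED_SAP_ALL = {("100", "SAP*"), ("100", "DDIC"), ("200", "SAP*")}

# Constructed sample export (columns: client, user, profile); not real data.
SAMPLE_EXPORT = """\
Client\tUser\tProfile
100\tSAP*\tSAP_ALL
100\tDDIC\tSAP_ALL
100\tJSMITH\tSAP_ALL
100\tBATCHUSR\tSAP_ALL
100\tMJONES\tSAP_NEW
200\tSAP*\tSAP_ALL
100\tANALYST1\tZ_FINANCE
"""


@dataclass(frozen=True)
class ProfileAssignment:
    client: str
    user: str
    profile: str


def parse_export(text):
    """Parse the tab-separated export; the first line is the header."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        client, user, profile = line.split("\t")
        rows.append(ProfileAssignment(client, user.upper(), profile.upper()))
    return rows


def count_holders(assignments):
    """Distinct (client, user) pairs holding each privileged profile."""
    holders = {p: set() for p in PRIVILEGED_PROFILES}
    for a in assignments:
        if a.profile in holders:
            holders[a.profile].add((a.client, a.user))
    return {p: len(s) for p, s in holders.items()}


def privileged_profile_findings(assignments, approved=APPROVED_SAP_ALL):
    """Return (client, user, profile, reason) tuples for:
    - every SAP_NEW holder (the checklist asks who has it at all), and
    - every SAP_ALL holder not on the approved list."""
    findings = []
    for a in assignments:
        if a.profile == "SAP_NEW":
            findings.append((a.client, a.user, a.profile, "holds SAP_NEW"))
        elif a.profile == "SAP_ALL" and (a.client, a.user) not in approved:
            findings.append((a.client, a.user, a.profile,
                             "SAP_ALL holder not on the approved list"))
    return sorted(findings)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("holders:", count_holders(rows))
    for finding in privileged_profile_findings(rows):
        print("FINDING:", *finding)
```

The holder count gives the "minimal number of users" figure the risk statement asks about, while the findings list is what goes into the working papers: each unapproved SAP_ALL holder and each SAP_NEW holder, by client.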
The default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch (in client 066) have been changed and access restricted to the super user.
Performed the following procedures to verify that the default SAP R/3 passwords for DDIC, SAPCPIC and EarlyWatch have been changed and access restricted to the super user ID:
- Execute transaction: SA38
- Program: RSUSR003
- Default passwords that should be changed:
- SAP* - PASS
- DDIC - 19920706
- SAPCPIC - ADMIN
- EarlyWatch - SUPPORT
Risk: SAP comes supplied with a number of default user IDs, all of which have default passwords. The passwords to these IDs are well known, and therefore if they are not changed, the IDs could potentially be misused.
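The RSUSR003 review above is repeated for every client, and the four standard users are not all expected in every client (EarlyWatch belongs to client 066). The script below is an added example, not part of the original checklist: it reconciles a constructed set of per-client status rows against the expected users and reports defaults still in place, users the report did not cover, and an SAP* that does not exist in a client. The status words "default", "changed" and "missing" are this script's own vocabulary, not the report's column text.

```python
"""Reconciliation of RSUSR003 output for the delivered standard users.

Added example, not part of the original checklist. RSUSR003 (run via SA38)
reports per client whether the standard users still carry their delivered
passwords. The rows below are constructed, and the status words
'default', 'changed' and 'missing' are this script's own vocabulary, not
the report's column text; map the real export onto them before use.
"""
STANDARD_USERS = ("SAP*", "DDIC", "SAPCPIC")
EARLYWATCH_CLIENT = "066"  # EarlyWatch is delivered in client 066 (per the checklist)

# Constructed sample rows: (client, user, status).
SAMPLE_RSUSR003 = [
    ("000", "SAP*", "changed"), ("000", "DDIC", "changed"), ("000", "SAPCPIC", "changed"),
    ("066", "SAP*", "changed"), ("066", "DDIC", "changed"), ("066", "SAPCPIC", "changed"),
    ("066", "EARLYWATCH", "default"),
    ("100", "SAP*", "changed"), ("100", "DDIC", "default"), ("100", "SAPCPIC", "changed"),
    ("100", "EARLYWATCH", "changed"),
    ("200", "SAP*", "missing"), ("200", "DDIC", "changed"), ("200", "SAPCPIC", "changed"),
]


def expected_users(client):
    """Standard users that should appear in the report for this client."""
    users = list(STANDARD_USERS)
    if client == EARLYWATCH_CLIENT:
        users.append("EARLYWATCH")
    return users


def clients_in(rows):
    """All clients that appear in the report rows."""
    return sorted({c for c, _, _ in rows})


def review_default_passwords(rows, clients):
    """Return sorted (client, user, reason) findings for the given clients."""
    status = {(c, u.upper()): s for c, u, s in rows}
    findings = []
    for client in clients:
        for user in expected_users(client):
            s = status.get((client, user))
            if s is None:
                findings.append((client, user, "not reported by RSUSR003"))
            elif s == "default":
                findings.append((client, user, "delivered default password still set"))
            elif s == "missing" and user == "SAP*":
                # With no SAP* user in the client, the automatic SAP* login governed by
                # login/no_automatic_user_sapstar decides whether SAP* can still log on.
                findings.append((client, user,
                                 "user does not exist; confirm login/no_automatic_user_sapstar"))
    for (client, user), s in status.items():
        if user == "EARLYWATCH" and client != EARLYWATCH_CLIENT and s != "missing":
            findings.append((client, user,
                             "EarlyWatch user exists outside client " + EARLYWATCH_CLIENT))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_default_passwords(SAMPLE_RSUSR003, clients_in(SAMPLE_RSUSR003)):
        print("FINDING:", *finding)
```

Passing an explicit client list (for example the production clients from the previous step) rather than clients_in() is the stricter choice: a client the report never mentions then shows up as "not reported" for each standard user instead of silently dropping out of the review.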
To review the list of passwords that users are not allowed to use:
Execute transaction code: SE16
Table name: USR40
Risk: Table USR40 is used to prevent users from choosing passwords from a list of commonly guessed values. If it is not maintained, the likelihood that users select trivial passwords increases. Profile parameters can alternatively be used to enforce password rules.
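To see what the USR40 list actually blocks, the script below, an added example that is not part of the original checklist, evaluates candidate passwords against a constructed set of USR40-style entries and checks that the delivered default passwords listed above are among the blocked values. The wildcard handling ("*" for any sequence, "?" for one character) and the case-insensitive comparison are assumptions about how the table is evaluated and are stated in the code so they can be adjusted.

```python
"""USR40-style password blacklist check.

Added example, not part of the original checklist. Entries mimic table USR40;
the wildcard handling ('*' any sequence, '?' one character) and the
case-insensitive comparison are assumptions about how the table is evaluated,
stated here so the matcher can be adjusted if the system behaves differently.
"""
import re

# Delivered default passwords from the checklist, keyed by user.
DELIVERED_DEFAULTS = {"SAP*": "PASS", "DDIC": "19920706",
                      "SAPCPIC": "ADMIN", "EARLYWATCH": "SUPPORT"}

# Constructed entries. The delivered defaults are included so that they can
# never be chosen again; the rest are illustrative patterns.
SAMPLE_USR40 = ["PASS", "19920706", "ADMIN", "SUPPORT",
                "PASSWORD", "SAP*", "*123", "?ELCOME*", "QWERTY"]


def usr40_entry_to_regex(entry):
    """Translate one USR40 entry into an anchored, case-insensitive regex."""
    parts = []
    for ch in entry:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def matching_entries(password, entries=SAMPLE_USR40):
    """Entries that forbid the given password (empty list means it is allowed)."""
    return [e for e in entries if usr40_entry_to_regex(e).fullmatch(password)]


def is_forbidden(password, entries=SAMPLE_USR40):
    return bool(matching_entries(password, entries))


def uncovered_defaults(entries=SAMPLE_USR40):
    """Users whose delivered default password the table does not block."""
    return sorted(u for u, pw in DELIVERED_DEFAULTS.items()
                  if not is_forbidden(pw, entries))


if __name__ == "__main__":
    for candidate in ["pass", "Sap2024", "Welcome1", "Tr0ub4dor&3"]:
        print(candidate, "->", matching_entries(candidate) or "allowed")
    print("defaults not covered:", uncovered_defaults() or "none")
```

A blocklist only catches exact or wildcard matches, so it complements rather than replaces the profile-parameter rules on password length and composition; uncovered_defaults() is the quick check that the well-known delivered passwords are at least in the list.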
The SAP R/3 system profile parameters have been set to appropriate values.
Performed the following procedures to determine whether the SAP R/3 system profile parameters have been set to appropriate values; the individual profile parameters reviewed are listed in the profile parameter detail.