topic Re: SAP authorization auditing in Application Development and Automation Discussions

SAP authorization auditing

Former Member — Mon, 29 Sep 2008 14:35:09 GMT

hi friends,

i wanted do SAP authorization auditing for a organization. they have already implemented SAP in there organization but there is proper procedure for it. I want to find out conflicting roles for all user and compare users roles with the standard roles which would be standard roles as per the roles matrix for them.

how could i find out all this data and how i should i proceed for this.

Regards,

Koushal

Re: SAP authorization auditing

jurjen_heeck — Mon, 29 Sep 2008 15:36:08 GMT

Hi koshal,

Have you checked the auditing section of our "sticky" thread: ?

In there are links to some nice discussions including this one:

That should get you started. The question you've asked today is very general and I do not expect anyone to deliver an answer that completely covers it. So please read along, expand your knowledge and feel free to come back with more specific questions.

Jurjen

Re: SAP authorization auditing

Former Member — Tue, 30 Sep 2008 09:15:24 GMT

Hi Koushal,

Check out the following link [http://www.auditnet.org/docs/SAP_AP2.doc] which is a bit comprehensive but will definitely be of help to you.

Thanks,

Saby..

Re: SAP authorization auditing

Former Member — Tue, 30 Sep 2008 10:35:28 GMT

thanx for your reply Jurjen and saby.. i will check the links given by you ppl and try to follow it.

i want to know is there any tool for SAP auditing which could help to find conflicting roles.

Regards,

Koushal Solanki

Re: SAP authorization auditing

jurjen_heeck — Tue, 30 Sep 2008 11:17:42 GMT

> i want to know is there any tool for SAP auditing which could help to find conflicting roles.

Once you've defined the conflicts have a look at (or search on) reports RSUSR008 and RSUSR009, or RSUSR008_009_NEW. Another usefull keyword may be GRC.

Re: SAP authorization auditing

Former Member — Tue, 30 Sep 2008 11:20:16 GMT

Hi Koushal,

SAP has a tool called GRC which can be used for SOD analysis and auditing.Earlier, it used to be known as VIRSA.

Of course, there are other tools ........also available in the market like APPROVA and so on.

You can also take a look at Axis - Risk Management Software for SAP R/3 at the website http://axxiominfo.com.

Each one claims that they are better than others.

Thanks,

Saby..

Re: SAP authorization auditing

Former Member — Tue, 30 Sep 2008 11:57:22 GMT

Hello friends,

i found that SAP also provide a tool called Audit Information System (AIS) for auditors. The SAP Audit Information System (AIS) provides a centralized repository for reports, queries, and views of data that have a control implication.

Transaction code SECR is used to access the AIS.

Regards,

koushal

Re: SAP authorization auditing

jurjen_heeck — Tue, 30 Sep 2008 12:13:37 GMT

SECR is/was a menu as far as I know but that's been replaced in newer versions.

Nowadays the menus and authorizations for audit tools are to be found in a set of standard SAP roles.

Look for roles with names like "SAPAUD"

I'll have a look for relevant notes.

Found:

Note 705197 - Audit Information System (AIS) 5.00 - Composite note

That should get you up to speed

Edited by: Jurjen Heeck on Sep 30, 2008 2:16 PM Note added