Audit Question - Access to SU01

I have a question in regards to access to SU01. We currently have a team to set up users and assign roles. We are SOX regulated and have been questioned about having individuals with this access.
Does it make sense to have one user setting up the ID without any authorizations assigned and then another person add the roles? We have Compliance Calibrator installed and no issues from that, but I am aware sometimes it is a business process decision from our auditors.
To me this does not make sense at all. Not sure if this would be the same for all our other applications either at this point, including BW, IPC, XI, network access, etc.

Chris,
This causes a lot of confusion and consternation across the industry. Having been on both sides of the fence from an audit perspective, I tend to take a pragmatic approach.
The key issue is about being able to amend roles and assign to users. Wherever possible, this should be avoided. It is up to you how you manage that but if you have a situation whereby a single person can create a role / profile and assign it to a user they control, then you have a potential audit issue.
You can split it in any way you like but you are basically trying to stop that SoD.
Some choose to have a dedicated team who are able to create users but not create or assign authorisations, a separate team who can assign authorisations and not create users or roles and a third team who can only create roles but not create or assign to users.
While that is ideal, it is not always practical so it is often somewhere in the middle.
As long as your central team cannot amend the roles and authorisations that they are assigning (or assign super user access like SAP_ALL) without appropriate controls in place, then you can generally have a fairly reasonable discussion with your auditors.
Simon
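The rule Simon describes (no single person may both build a role or profile and assign it to users) can be checked mechanically against user-to-role data. The following is an added example, not code from the thread or from SAP: it models each administrative duty as a set of authorization object / ACTVT pairs and reports users who hold conflicting duties. S_USER_GRP, S_USER_AGR, S_USER_PRO and S_USER_AUT are standard SAP authorization objects and ACTVT 01/02/03/22 are the standard create/change/display/assign codes, but the roles, users and the duty-to-authorization mapping are constructed and simplified (a real check would also evaluate the other fields of each object, such as role name, user group and profile name).

```python
"""Segregation-of-duties check for SAP user administration.

Added example for the SU01 discussion above; it is not code from the thread
or from SAP. It encodes the rule that nobody should be able to create or change
a role and also assign it (or a profile such as SAP_ALL) to users. The
authorization objects and ACTVT codes are standard SAP names; the roles, users
and the duty mapping below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Auth = Tuple[str, str]  # (authorization object, ACTVT value)

# Constructed roles: which (object, ACTVT) pairs each role grants.
# ACTVT 01 = create, 02 = change, 03 = display, 22 = assign.
ROLES: Dict[str, Set[Auth]] = {
    "Z_USER_CREATE": {("S_USER_GRP", "01"), ("S_USER_GRP", "03")},
    "Z_ROLE_ASSIGN": {("S_USER_GRP", "22"), ("S_USER_AGR", "22")},
    "Z_ROLE_BUILD": {("S_USER_AGR", "01"), ("S_USER_AGR", "02"), ("S_USER_AUT", "01")},
    "Z_PROFILE_ASSIGN": {("S_USER_PRO", "22")},
    "Z_DISPLAY_ONLY": {("S_USER_GRP", "03"), ("S_USER_AGR", "03")},
}

# A duty is held if the user has ANY of the listed (object, ACTVT) pairs.
# Simplified model: real checks also consider the other fields of each object.
DUTIES: Dict[str, Set[Auth]] = {
    "create_user": {("S_USER_GRP", "01")},
    "assign_role": {("S_USER_AGR", "22")},
    "maintain_role": {("S_USER_AGR", "01"), ("S_USER_AGR", "02")},
    "assign_profile": {("S_USER_PRO", "22")},
}

# Pairs of duties one person should not hold together, with a severity.
CONFLICTS: List[Tuple[str, str, str]] = [
    ("maintain_role", "assign_role", "high"),     # build a role, then grant it to anyone
    ("maintain_role", "assign_profile", "high"),  # same, via profiles such as SAP_ALL
    ("create_user", "assign_role", "medium"),     # the split the question asks about
]


def effective_auths(role_names: List[str], roles: Dict[str, Set[Auth]]) -> Set[Auth]:
    """Union of the authorizations granted by a user's roles."""
    auths: Set[Auth] = set()
    for name in role_names:
        auths |= roles.get(name, set())
    return auths


def duties_of(auths: Set[Auth]) -> Set[str]:
    """Which duties a set of authorizations enables."""
    return {duty for duty, needed in DUTIES.items() if auths & needed}


def find_conflicts(
    users: Dict[str, List[str]], roles: Dict[str, Set[Auth]]
) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each violating user to the conflict pairs they hold (in CONFLICTS order)."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for user, role_names in users.items():
        held = duties_of(effective_auths(role_names, roles))
        hits = [c for c in CONFLICTS if c[0] in held and c[1] in held]
        if hits:
            findings[user] = hits
    return findings


# Constructed user-to-role assignments.
USERS: Dict[str, List[str]] = {
    "ADMIN1": ["Z_USER_CREATE", "Z_ROLE_ASSIGN"],  # creates IDs and assigns roles
    "ADMIN2": ["Z_ROLE_BUILD", "Z_ROLE_ASSIGN"],   # builds roles and assigns them
    "ADMIN3": ["Z_ROLE_BUILD"],                    # builds roles only
    "AUDIT1": ["Z_DISPLAY_ONLY"],                  # read-only
}

if __name__ == "__main__":
    for user, hits in find_conflicts(USERS, ROLES).items():
        for first, second, severity in hits:
            print(f"{user}: {first} + {second} ({severity})")
```

In this constructed data ADMIN2 is the case Simon calls the key issue (role maintenance plus role assignment, rated high), while ADMIN1 only combines user creation with role assignment, the split the question asks about, which the check rates lower. Feeding it real data means exporting each user's effective authorizations (for example from the SAP authorization tables behind SUIM) into the same (object, ACTVT) shape.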

Similar Messages

  • Auditing failed access to files and folders in Windows Storage Server 2008 R2

    Hello,
    I've been trying to figure out why I cannot audit the failed access to files and folders on my server.  I'm trying to replace a unix-based NAS with a Windows Storage Server 2008 R2 solution so I can use my current audit tools (the 'nix NAS
    has basically none).  I'm looking for a solution for a small remote office with 5-10 users and am looking at Windows Storage Server 2008 R2 (no props yet, but on a Buffalo appliance).  I specifically need to audit the failure of a user to access
    folders and files they are not supposed to view, but on this appliance it never shows.  I have:
    Enabled audit Object access for File system, File share and Detailed file share
    Set the security of the top-level share to everyone full control
    Used NTFS file permissions to set who can/cannot see particular folders
    On those folders (and letting those permissions flow down) I've set the auditing tab to "Fail - Everyone - Full Control - This folder, subfolders and files"
    On the audit log I only see "Audit Success" messages for items like "A network share object was checked to see whether client can be granted desired access (Event 5145) - but never a failure audit (because this user was not allowed access by NTFS permissions).
    I've done this successfully with Windows Server 2008 R2 x64 w/SP1 and am wondering if anybody has tried this with the Windows Storage Server version (with success of course).  My customer wants an inexpensive "appliance" and I thought this new
    variant of 2008 was the ticket, but I can't if it won't provide this audit.
    Any thoughts? Any of you have luck with this?  I am (due to the fact I bought this appliance out of my own pocket) using the WSS "Workgroup" flavor and am wondering if this feature has been stripped from the workgroup edition of WSS.
    TIA,
    --Jeffrey

    Hi Jeffrey,
    The steps to set up auditing on a WSS system should be the same as on a standard version of Windows Server. So please redo the steps listed below to see if the issue still exists:
    Enabling file auditing is a 2-step process.
    [1] Configure "audit object access" in AD Group Policy or on the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing
    for "Audit object access."
    [2] Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit
    - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file, or you can just audit for Delete operations.
    A similar thread:
    http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/da689e43-d51d-4005-bc48-26d3c387e859

  • Simple auditing question...

    Hello,
    We are running 11.2.0.2 on AIX 7.1.
    I'm trying to understand why our auditing is not behaving the way I think it should.
    First, we have the default auditing turned on as part of 11GR2.
    It seems to be capturing some things, but not always everything.
    In some cases, it captures the creation of a table by a user, but in other cases, it may not.
    Even though the same user created a table, or dropped a table.
    Today, trying to figure this out, I created a test user and logged in as that test user (in SQL*Plus) and created a simple table, then inserted a record into it and did a commit. I then logged out.
    But when I check the audit views, I don't see the audit actions, or even the session logon information.
    I've checked using both Toad and by selecting from the dba_audit_objects and dba_audit_session views in SQL*Plus.
    What am I missing?
    That last DDL statement I see that was captured in the audit records was on July 20th.
    In this case, it captured the drop and creation of a public synonym, but not of the underlying table that was also dropped.
    I don't believe anyone has changed any of the audit settings.
    First, let's confirm everything:
    sho parameter audit
    NAME                                 TYPE        VALUE
    audit_file_dest                      string      /u01/app/oracle/admin/xxxxxxxx
                                                     /adump
    audit_sys_operations                 boolean     FALSE
    audit_syslog_level                   string
    audit_trail                          string      DB
    SQL> SELECT privilege from dba_priv_audit_opts where user_name is NULL;
    PRIVILEGE
    ALTER SYSTEM
    AUDIT SYSTEM
    CREATE SESSION
    CREATE USER
    ALTER USER
    DROP USER
    CREATE ANY TABLE
    ALTER ANY TABLE
    DROP ANY TABLE
    CREATE PUBLIC DATABASE LINK
    GRANT ANY ROLE
    ALTER DATABASE
    CREATE ANY PROCEDURE
    ALTER ANY PROCEDURE
    DROP ANY PROCEDURE
    ALTER PROFILE
    DROP PROFILE
    GRANT ANY PRIVILEGE
    CREATE ANY LIBRARY
    EXEMPT ACCESS POLICY
    GRANT ANY OBJECT PRIVILEGE
    CREATE ANY JOB
    CREATE EXTERNAL JOB
    23 rows selected.
    SQL> select object_name, object_type, owner, created from dba_objects where object_name = 'EXPENDABLE_USE';
    OBJECT_NAME                      OBJECT_TYPE         OWNER                    CREATED
    EXPENDABLE_USE                   SYNONYM             PUBLIC                   20-JUL-11
    EXPENDABLE_USE                   TABLE               SISI                     20-JUL-11
    2 rows selected.
    Now, view the dba_audit_objects view:
      1   select os_username, username, timestamp, action_name from dba_audit_object where timestamp > sysdate-9
      2* order by timestamp desc
    SQL> /
    OS_USERNAME          USERNAME                 TIMESTAMP         ACTION_NAME
    scmsrvacct           SISI                     20-JUL-2011 11:44 CREATE PUBLIC SYNONYM
    scmsrvacct           SISI                     19-JUL-2011 19:40 DROP PUBLIC SYNONYM
    scmsrvacct           SISI                     19-JUL-2011 19:40 DROP PUBLIC SYNONYM
    3 rows selected.
    Notice that the table created on 20-JUL-2011 is not included above.
    Why not?
    And why isn't my test user shown, or the creation of the simple table created by the test user?

    Well, I can't exactly do what you asked because 'privilege' is not a column.
    But I'm guessing this is what you are asking for:
      1* select * from dba_stmt_audit_opts where user_name is NULL
    SQL> /
    USER_NAME PROXY_NAME AUDIT_OPTION                             SUCCESS    FAILURE
                         ALTER ANY TABLE                          BY ACCESS  BY ACCESS
                         SYSTEM GRANT                             BY ACCESS  BY ACCESS
                         DROP ANY TABLE                           BY ACCESS  BY ACCESS
                         CREATE ANY PROCEDURE                     BY ACCESS  BY ACCESS
                         DROP ANY PROCEDURE                       BY ACCESS  BY ACCESS
                         ALTER ANY PROCEDURE                      BY ACCESS  BY ACCESS
                         GRANT ANY PRIVILEGE                      BY ACCESS  BY ACCESS
                         GRANT ANY OBJECT PRIVILEGE               BY ACCESS  BY ACCESS
                         GRANT ANY ROLE                           BY ACCESS  BY ACCESS
                         SYSTEM AUDIT                             BY ACCESS  BY ACCESS
                         CREATE EXTERNAL JOB                      BY ACCESS  BY ACCESS
                         CREATE ANY JOB                           BY ACCESS  BY ACCESS
                         CREATE ANY LIBRARY                       BY ACCESS  BY ACCESS
                         CREATE PUBLIC DATABASE LINK              BY ACCESS  BY ACCESS
                         EXEMPT ACCESS POLICY                     BY ACCESS  BY ACCESS
                         ALTER USER                               BY ACCESS  BY ACCESS
                         CREATE USER                              BY ACCESS  BY ACCESS
                         ROLE                                     BY ACCESS  BY ACCESS
                         CREATE SESSION                           BY ACCESS  BY ACCESS
                         DROP USER                                BY ACCESS  BY ACCESS
                         ALTER DATABASE                           BY ACCESS  BY ACCESS
                         ALTER SYSTEM                             BY ACCESS  BY ACCESS
                         ALTER PROFILE                            BY ACCESS  BY ACCESS
                         DROP PROFILE                             BY ACCESS  BY ACCESS
                         DATABASE LINK                            BY ACCESS  BY ACCESS
                         PROFILE                                  BY ACCESS  BY ACCESS
                         PUBLIC SYNONYM                           BY ACCESS  BY ACCESS
                         CREATE ANY TABLE                         BY ACCESS  BY ACCESS
    28 rows selected.
    Also:
    SQL> select distinct(user_name) from dba_stmt_audit_opts;
    USER_NAME
    1 row selected.

  • EHS- Audit question and findings table?

    Hi Gurus
    I wanted to know what is the table for Audit questions and findings and also wanted to know where do these corresponding texts are getting stored in SAP.
    Thanks
    Murali

    Hello Murali,
    please check the following tables
    PLMM_AUDIT - for Audit results
    For questions:
    PLMM_QUEST_H
    PLMM_QUEST_I
    PLMM_QUEST_RES
    for text
    CGPL_TEXT
    CGPL_PROJECT
    Regards
    gajesh

  • UPLOAD AUDIT QUESTIONS

    Kindly guide me how to upload audit questions in the SAP system. My query is: SAP also provides one template; in that template, what contents are to be filled? I can't understand. Has anybody worked with that template? Kindly guide me. In that template we have fields like External ID, Description, Ext Position, Hierarchy Level, Task Level, assessm entsug desc.

    Please check SAP Note 597982. You can find the SAP-supplied XL template as a zip attachment in the note and step-by-step guidance on how to upload audit questions using the import/export functionality of audit management.
    Thanks,
    Ram

  • Read attachment details of Audit Question (PLMD_AUDIT)

    Hi Experts,
    Kindly request you to assist me on the below.
    I'm trying to build a solution using ABAP for a requirement, where the logic has to find the attachment details of an audit question or action on the audit transaction (PLMD_AUDIT).
    For example, please see the attached:
    Screen shot 1.--> I'm not able to build the solution to check whether an audit question/action is having an attachment.
    Screen shot 2.--> If the attachment exists, then how to get the attachment and send an email.
    Appreciate your valuable inputs.
    Thank you
    Mahendra

  • Access to SU01 with no authorization to the transaction

    Hello,
    I have a user that was able to execute transaction SU01 even though he has no authorization to it, at least not directly. I do not know how he did it; these are the entries from SM20:
    01.06.2011   16:10:36   UserX   userxlaptop   SU01   SAPLSMTR_NAVIGATION   Start of transaction SU01 failed (Reason=6)
    01.06.2011   16:10:42   UserX   userxlaptop   SE37   SAPLSMTR_NAVIGATION   Transaction SE37 Started
    01.06.2011   16:10:42   UserX   userxlaptop   SE37   RSFUNCTIONBUILDER     Report RSFUNCTIONBUILDER Started
    01.06.2011   16:10:47   UserX   userxlaptop   SE37   RS_TESTFRAME_CALL     Report RS_TESTFRAME_CALL Started
    01.06.2011   16:10:53   UserX   userxlaptop   SU01   RS_TESTFRAME_CALL     Transaction SU01 Started
    I executed program RS_TESTFRAME_CALL but was not able to go to SU01 from there. Does anybody know how the access to SU01 was possible?
    Regards,
    Ayax

    There are many other ways to break into the initial transaction screen. Developers play these magic tricks and sometimes assign themselves profiles (not to mention the name). However, for these, if your developer does not have access to objects like S_USER*, they won't be able to do any further activity there.
    But if he is too smart then maybe there are other ways to break that as well (like changing the RC at runtime). That may have a solution in terms of authorization restriction or some SNOTE implementation (lots of bugs), specifically in old systems.
    Regards,
    Arpan Paik
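The SM20 extract in Ayax's post has a detectable shape: a failed transaction start, followed shortly by the same transaction starting from a program that is not the normal menu/command-field entry point. The following is an added detection example, not code from the thread or from SAP. It parses lines in the column layout of the paste above (date, time, user, terminal, transaction, program, message), and flags a user whose transaction starts successfully within a short window after a failed start and via a program other than SAPLSMTR_NAVIGATION. That SAPLSMTR_NAVIGATION is the normal start program is an assumption inferred from the posted lines; the extra UserY line is constructed as a benign control.

```python
"""Flag transaction starts that follow a failed start via an unusual program.

Added example for the SU01 thread above; not code from the thread or from SAP.
The five UserX lines are the ones posted in the thread; the UserY line is a
constructed benign control. Column layout and message texts follow the paste.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: the program behind normal menu / command-field transaction starts.
NAV_PROGRAM = "SAPLSMTR_NAVIGATION"
FAILED_RE = re.compile(r"Start of transaction (\S+) failed")
STARTED_RE = re.compile(r"Transaction (\S+) Started")

SAMPLE_SM20 = """\
01.06.2011   09:00:00   UserY   userylaptop   SU01   SAPLSMTR_NAVIGATION   Transaction SU01 Started
01.06.2011   16:10:36   UserX   userxlaptop   SU01   SAPLSMTR_NAVIGATION   Start of transaction SU01 failed (Reason=6)
01.06.2011   16:10:42   UserX   userxlaptop   SE37   SAPLSMTR_NAVIGATION   Transaction SE37 Started
01.06.2011   16:10:42   UserX   userxlaptop   SE37   RSFUNCTIONBUILDER     Report RSFUNCTIONBUILDER Started
01.06.2011   16:10:47   UserX   userxlaptop   SE37   RS_TESTFRAME_CALL     Report RS_TESTFRAME_CALL Started
01.06.2011   16:10:53   UserX   userxlaptop   SU01   RS_TESTFRAME_CALL     Transaction SU01 Started
""".splitlines()


def parse_sm20(lines: List[str]) -> List[Dict[str, object]]:
    """Split each SM20 line on runs of 2+ spaces into its seven columns."""
    events = []
    for line in lines:
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 7:
            continue  # skip headers or truncated lines
        date, time, user, terminal, tcode, program, message = parts
        events.append({
            "ts": datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S"),
            "user": user,
            "terminal": terminal,
            "tcode": tcode,
            "program": program,
            "message": message,
        })
    return events


def find_bypass(events: List[Dict[str, object]],
                window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Return starts of a transaction that (a) follow a failed start of the same
    transaction by the same user within `window` and (b) come from a program
    other than the normal navigation program."""
    last_fail: Dict[tuple, datetime] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        failed = FAILED_RE.search(ev["message"])
        if failed:
            last_fail[(ev["user"], failed.group(1))] = ev["ts"]
            continue
        started = STARTED_RE.search(ev["message"])
        if not started:
            continue
        key = (ev["user"], started.group(1))
        if key in last_fail and ev["ts"] - last_fail[key] <= window \
                and ev["program"] != NAV_PROGRAM:
            findings.append({
                "user": ev["user"],
                "tcode": started.group(1),
                "program": ev["program"],
                "failed_at": last_fail[key],
                "started_at": ev["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in find_bypass(parse_sm20(SAMPLE_SM20)):
        print(f"{f['user']} started {f['tcode']} via {f['program']} at "
              f"{f['started_at']:%H:%M:%S}, {f['failed_at']:%H:%M:%S} start had failed")
```

Run against the posted lines it reports the single UserX event (SU01 started via RS_TESTFRAME_CALL 17 seconds after the failed start) and nothing for UserY. The pattern is the detection; what to do about the root cause is the authorization question Arpan answers above (restrict the S_USER* objects and keep development tools away from production users).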

  • Audit object access

    Hello, I am trying to understand "Audit object access". I have it turned on and I am capturing all successes and failures of every file share I have on our file server.
    However, that is my issue. I am capturing everything. Is there a way to only capture certain file shares? I noticed that under the auditing tab, it has "include inheritable auditing........"
    Example:
    In this example,  I want to capture successes and failures for all users who access Events and Images folders. 
    \\Server1\Share1\Data1\Common\Reports\Events
    \\Server1\Share1\Data1\Common\Apps
    \\Server1\Share1\Data1\Images
    Thank you for your help. . 

    Simply disable the current auditing on the root of your folders. Once done, enable it only on the folders you would like to audit.
    Reading such logs is usually a difficult task and time consuming. For that, it is recommended to use a third party tool with a UI for auditing. The one I usually recommend is Lepide Auditor for File Server: http://www.lepide.com/file-server-audit/
    Ahmed MALEK

  • ABS quirks / auditing question / kernel request

    My original post is below but it's wrong. All I'm asking now is if someone can enable CONFIG_AUDIT in the kernel or tell me a program that lets you spy on files just as well as auditd.
    Today when I was making packages, something I haven't done in a while and badly needed to do again, I noticed exclamation marks appearing beside the filenames in the medit tabs. Those exclamation marks mean that since I last saved the text file in medit, another process edited the file on the disk. Subsequent saving required me to click "yes I'm sure I want to overwrite" in this popup window. This was responsive to my saves. Every time I saved something (a PKGBUILD, a patch, anything under the /var/abs tree) it was changed half a second later.
    I tried to find out what was going on. Inotify-tools told me when the PKGBUILD was being modified but not by what process. Lsof and Glsof had no hope because they don't watch a specific file in real time, they only tell you things that are currently open so I'd need inhuman reflexes to get useful information out of them.
    One thing that looks perfect for me is auditd. This page http://www.cyberciti.biz/tips/linux-aud … -file.html says how you can use it to see what process edited what file. I spent a couple hours fine tuning the PKGBUILD of it only to hit the error where auditd says "Connection refused." Every other poster reporting this did so because his or her kernel did not have audit support and sure enough in the kernel26 package, CONFIG_AUDIT is not set.
    So I need to ask three things:
    1. Does anyone know why my files are being accessed this way in /var/abs?
    2. Does anyone know a program compatible with the default kernel26 that could help me investigate?
    3. If it's not too much trouble, would the kernel26 maintainers consider adding CONFIG_AUDIT so I don't have to start using a custom kernel over this one triviality?
    Thanks a lot.
    Last edited by ConnorBehan (2008-12-27 00:13:11)

    ConnorBehan wrote:
    Oh thanks monster, Thunar was open for me too. And it happened again today in /home so it's nothing to do with ABS. I guess my question now is:
    Could someone enable CONFIG_AUDIT in kernel26 or tell me a way to audit with the kernel I have out of curiosity?
    No problem, I'm glad I could help.  I was a little unsure of what was going on myself until I stumbled on to the connection.  If you figure out what is going on could you try and pass that along?  I am curious to know the answer but not knowledgeable enough to dig into kernel audits to figure it out

  • How to audit database access by IP address?

    Hello,
    In SQL 2008 R2 Enterprise is there a built-in mechanism to be able to audit and log the SQL loginname along with their IP addresses when they access a particular database? Most of the logins only have the role for db_datareader so I need to audit basically
    everyone that is connecting to the database and whether they are running select statements or not.
    Thank you.

    Dear Forum and All,
    I have been working with Audit in SQL Server 2008. But my result does not have HOST_NAME and IPADDRESS of the client.
    This is my code:
    Create Audit
    USE [master]
    GO
    CREATE SERVER AUDIT [Audit-20141206-090946_ControlEven]
    TO FILE
    (   FILEPATH = N'C:\Audit'
        ,MAXSIZE = 0 MB
        ,MAX_ROLLOVER_FILES = 2147483647
        ,RESERVE_DISK_SPACE = OFF
    )
    WITH
    (   QUEUE_DELAY = 1000
        ,ON_FAILURE = CONTINUE
    )
    GO
    Create Database Audit Specification
    USE [TESTAUDIT]
    GO
    CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-20141222-082141_Control]
    FOR SERVER AUDIT [Audit-20141206-090946_ControlEven]
    ADD (SELECT ON OBJECT::[dbo].[tblTesting] BY [public])
    GO
    This is my result:
    Event_Time|Session_ID|Server_Principal_Name|Statement|.......|.........
    But I need column HOST_NAME and IPADDRESS of Client in my result.
    Thank you for your cooperation and support.
    Best Regards,
    Mr. Pann Matak

  • Audit Questions

    Our VoIP environment raised some flags on the latest audit scan and I am trying to resolve the items.
    A few items have me confused:
    The following showed up on 3 of the devices:
    remote network time service has denial of service (123/udp)...Upgrade to NTP 4.2.4p8 or later.
    1 CallManager had this and it is running the latest revision 7.1.3.32900-4 and is supposed to be resolved. (Another CCM running the same version didn't have the vulnerability.)
    Our 2 UCCX servers running Cisco Application Administration - 7.0(1)_Build168 had the same vulnerability. From what I can tell Cisco has fixed this for most products but not the UCCX platform. I know this is going to a Linux-based version soon but is there a patch or upgrade that can resolve this?
    Also Weak Ciphers appear on almost all of the Linux-based servers...is there a way to disable this?
    Thanks,
    Joe

    Dear Laxmi
    You can upload the questions through the Excel / XML template. The template and details are available in SAP Note 597982.
    Regards
    Gajesh

  • Re: Auditing Document Access?

    Hi guys,
    I know you can subscribe to a document to see who has checked out and checked in a document but is there a way to see who has read the document?
    Is there an audit trail for user access or other similar events?
    I have a requirement from a client to do the above for their procedures to make sure it is being read.
    Thanks in advance.

    Content Tracker component does track user access as well as many other types of information.
    Thanks sapan.

  • Audit file access

    I want to enable file and folder access auditing on a Windows 2008 server. I need to enable an audit log of all file activity by user, such as read, copy, create, rename, delete.
    Is there a way to see if a user accessed a specific file?
    Thanks

    Hey, please have a look at these links for reference.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/b18ca99b-db07-4e2e-8f13-67d58a4d1c63/windows-2008-server-files-access-real-time-monitoring
    Moreover, you can start from the several links here also:
    http://technet.microsoft.com/en-us/library/dd408940%28v...
    http://technet.microsoft.com/en-us/sysinternals/bb89664...
    http://technet.microsoft.com/en-us/library/cc721946.asp...
    And the other option is you can opt for a third-party tool such as Lepide Auditor for File Server, a file server monitoring tool that would help you in case you need real-time monitoring. Test the tool from the link below.
    http://www.lepide.com/file-server-audit/
    Thanks.

  • Oracle Auditing question.

    Hi All,
    I have an application schema called SPRE. I want to audit insert/update/delete/alter on any SPRE objects by any database user but I don't want to audit any action performed by the "SPRE" user itself.
    I know how to set this up, like running the below as SYSTEM:
    audit insert,update,delete on SPRE.table1;
    audit insert,update,delete on SPRE.table2;
    audit insert,update,delete on SPRE.table3;
    but the questions I have are...
    1. How to audit if the SYS user performs any insert, update, delete?
    2. How to stop audit entries if the SPRE user performed insert, update, delete?
    Thanks,
    Anuj

    sys.aud$, dba_audit_trail
    OR
    SELECT view_name
    FROM   dba_views
    WHERE  view_name LIKE 'DBA%AUDIT%'
    ORDER BY view_name;
    VIEW_NAME
    DBA_AUDIT_EXISTS
    DBA_AUDIT_OBJECT
    DBA_AUDIT_POLICIES
    DBA_AUDIT_POLICY_COLUMNS
    DBA_AUDIT_SESSION
    DBA_AUDIT_STATEMENT
    DBA_AUDIT_TRAIL
    DBA_COMMON_AUDIT_TRAIL
    DBA_FGA_AUDIT_TRAIL
    DBA_OBJ_AUDIT_OPTS
    DBA_PRIV_AUDIT_OPTS
    DBA_REPAUDIT_ATTRIBUTE
    DBA_REPAUDIT_COLUMN
    DBA_STMT_AUDIT_OPTS
    HTH
    -Anantha
    Edited by: Anantha R on Mar 29, 2010 3:23 PM

  • OID audit question

    Hello, people!
    I have question about auditing in Oracle Internet Directory.
    1. I turn audit on in my OID.
    2. Restart OID.
    3. Search for audit log entries using ldapsearch. The DN for the audit log container is cn=auditlog. To search for audit log entries, perform a subtree or one-level search with the container object cn=auditlog as the base of the search. Works fine.
    4. But when I add some user to some group, I get a record like:
    orclSequence=348,cn=auditlog
    objectclass=top
    objectclass=orclauditoc
    orcluserdn=cn=orcladmin
    orcleventtype=Modify
    orclauditmessage=Modifying entry cn=XMLP_ADMIN,cn=Groups,dc=rd,dc=local
    orclsequence=348
    orclopresult=Success
    orcleventtime=20091125141137z
    Does anyone know how to determine what changes were done?
    Thanks,
    Jeff.

    It will be good if you are adding HR as an OU; in case you have IT or some other organizational unit it can be easily added and identified.
    Once you add it as an OU, all required classes will be added automatically; further, if you have any custom attribute you can add your own custom class.
