SAP Security Auditing

Hi there,
I have set up security audit logging in my R/3 Enterprise system. I am using SM20 to generate reports to monitor logon events but I cannot seem to be able to only report on interactive logon events rather than background logon events, even though I use the 'Dialog Logon' filter. Does anyone have any ideas?

Hi Tony,
Check and configure properly you system in sm19 for download report and check.
also if you can map your system with solution manager the it will give the precise report.
Regards,
Vivekanand Pandey

Similar Messages

  • SAP Security audit log and Profile Parameter rsau/enable

    Does the Profile Parameter rsau/enable have to ="1" for the audit log to be active or is this parameter set to purely allow the maintainance of static profiles. I have been reading into SAP's documentation and they only refer to this parameter in the "Maintaining Static Profiles" section. Therefore I would like to know if the audit log can record when the parameter rsau/enable = "0"?
    Many thanks

    Hi
    I have it running on my NW2004s sneak peak system, whit a dynamic filter and the rsau/enable = 0. So Yes - it's possible to record in the secure audit log with rsau/enable = "0", if your using the dynamic filters
    Regards
    Morten Nielsen

  • Security Audit Log SM19 and Log Management external tool

    Hi all,
    we are connecting a SAP ECC system with a third part product for log management.
    Our SAP system is composed by many application servers.
    We have connected the external tool with the SAP central system.
    The external product gathers data from SAP Security Audit Log (SM19/SM20).
    The problem is that we see, in the external tool,  only the data available in the central system.
    The mandatory parameters have been activated and the system has been restarted.
    The strategy of SAP Security Audit Log is to create many audit log file for each application server. Probably, only when SM20 is started, all audit files from all application servers are read and collected.
    In our scenario, we do not use SM20 since we want read the collected data in the external tool.
    Is there a job to be scheduled (or something else) in order to have all Security Audit Log available (from all application servers) in the central instance ?
    Thanks in advance.
    Andrea Cavalleri

    I am always amazed at these questions...
    For one, SAP provides an example report ( RSAU_READ_AUDITLOG_EXTERNAL ) to use BAPIs for alerts from the audit log yet 3rd party solutions seem to be alergic to using APIs for some reason.
    However, mainly I do not understand why people don't use the CCMS (tcode RZ20) security templates and monitor the log centrally from SolMan. You can do a million cool things in SolMan... but no...
    Cheers,
    Julius

  • SUIM security-audit checklist....

    hello, i found a check list SAP security-auditing in SUIM. i searched some of them in internet but my mind confused.
    i think it can be very helpful checklist for people working in SAP security-auditing.
    if you have time, can you tell me please what these reports mean? with 1-2 sentences.
    ( i know they are a bit much but i think it can be realy good source for people wants to work in SAP security- auditing like me.)
    Thank you very much
    Regards..
    SUIM--->>>>
    1)  S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
    2)  S_TCODE = SM37; Authorization Object 1: S_BTCH_JOB JOBACTION = *; Additional selection criteria – Unlocked users only
    3)  S_TCODE = SM35; Authorization Object 2: S_BDC_MON1=*, Additional selection criteria – Unlocked users only
    4)  S_TCODE = SE18; Additional selection criteria – Unlocked users only
    5)  S_TCODE = SE19; Additional selection criteria – Unlocked users only
    6)  S_TCODE = SM69; Authorization Object 1: S_RZL_ADM= 01; Additional selection criteria – Unlocked users only
    7)  S_TCODE =SM49; Authorization object1: S_LOG_COM, COMMAND Value: #*; POSYSTEM Value: #*; R/3 Value: #* additional selection criteria: unlocked users only
    8)  Authorization object 1: S_RFC; RFC_TYPE: FUGR; RFC_NAME: #*; activity: 08; additional selection criteria: unlocked users only
    9)  S_TCODE = SECR;” “authorization object1: S_IMG_ACTV, Project no: 900; ACTVT = 02; IMG Value = #*” “authorization object2: S_PRO_AUTH Project no: 900 ACTVT: 03” “additional selection criteria: unlocked users only
    10)  S_TCODE=SU01: Additional selection criteria – Unlocked users only
    11)  S_TCODE=SU01; 2: Authorization object 1: S_USER_AUT; ACTVT Value=03 or 08” Additional selection criteria – Unlocked users only
    12)  S_TCODE=SU02; Additional selection criteria – Unlocked users only
    13)  S_TCODE=SU03; Additional selection criteria – Unlocked users only
    14)  S_TCODE=SU10; Additional selection criteria – Unlocked users only
    15)  S_TCODE=RZ10; Authorization object 1: S_DATASET, ACTVT Value = *; Authorization object 2: S_RZL_ADM ACTVT Value = 01 or 03; Additional selection criteria – Unlocked users only.
    16)  S_TCODE =SE16; Authorization object1: S_TABU_DIS, Authorization group = SC, ACTVT =02; Additional selection criteria: unlocked users only
    17)  S_TCODE = SNRO; authorization object1: S_NUMBER, Value = #*, ACTVT = 01, 02, 11; 3: Additional selection criteria – Unlocked users only
    18)  S_TCODE = SCC4; authorization object1: S_TABU_DIS Table Maintenance (via standard tools such as SM30), ACTVT = 01, 02, 03; authorization group = SS; Additional selection criteria – Unlocked users only
    19)  Authorization object 1:S_ADMI_FCD, Value: SP01 or SPOR; authorization object 2: S_SPO_ACT Value = ATTR (change attributes of protected spool request) or BASE (see protected spool requests in the output controller [determine whether the spool request exists], display request attributes) and DELE (delete request manually) or REPR (output protected spool request more than once); authorization object 3: S_TMS_ACT (Actions on TemSe objects); STMSOWNER Value  = GRP (external TemSe objects in own) or OWN (own TemSe objects) authorization object 3 = S_TMS_ACT: Additional selection criteria – Unlocked users only
    20)  S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
    21)  S_TCODE = SCCL; authorization object 1: S_CLNT_IMP, Activity = 21, 60; authorization object 2: S_TABU_CLI, Cross Client Indicator = #*; Additional selection criteria – Unlocked users only
    22)  S_TCODE =SM31;” “authorization object 1: S_TABU_DIS, ACTVY =01,” authorization object 2:  “S_TABU_CLI CLIIDMAINT =x”: “additional selection criteria: unlocked users only
    23)  S_TCODE =SM30;” “authorization object 1: S_TABU_DIS, ACTVY =01 or ACTVY =02,” authorization object 2:  “S_TCODE =S_TABU_CLI, CLIIDMAINT =x”: “additional selection criteria: unlocked users only
    24)  Authorization object 1: “S_TCODE =SA38 or SE38;” “2: authorization object S_PROGRAM Value =SUBMIT: “additional selection criteria: unlocked users only
    25)  S_TCODE =SA38 or SE38;” “2: authorization object S_PROGRAM Value =SUBMIT: “additional selection criteria: unlocked users only.
    26)  Authorization object 1: S_TRANSPRT Value = 43
    27)  S_TCODE = SE01; authorization object 1: S_TRANSPRT Value:1, 2; authorization object 2: S_DATASET Actvt: 06,33,34
    28)  S_TCODE = SE03; authorization object 1: S_TRANSPRT Value: 06,43 ; authorization object 2: S_CTS_ADMI Value: TABL
    29)  S_TCODE = SE10; authorization object 1: S_TRANSPRT Value: 01, 02; authorization object 2: S_DATASET Value: 06, 33, 34.
    30)  S_TCODE = SCC4; authorization object 1: S_CLNT_IMP Value: 21, 60: Additional selection criteria – Unlocked users only
    31)  S_TCODE: SM12; authorization object 1: S_C_FUNCT Value = *; activity value = 16; authorization object 2: S_ENQUE; S_ENQ_ACT Value = *.

    i want to learn what all these authorization objetcs stand for. 1,2,3,4... because each one asks a different report..
    for example, lets talk about first one.
    1)  SUIM---->   S_TCODE = SM36,Authorization Object 1: S_BTCH_ADM = Y; Authorization Object 2: S_BTCH_JOB = * for Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only
    in this report. why does it ask this? what does it mean to to choose S_BTCH_ADM to Y ,S_BTCH_JOB, to * and choosing ..or Job Operations and * for Summary of jobs for a group; Additional selection criteria – Unlocked users only..
    i wonder this. why is this report it important and what does it ask?
    Thank you for your messages.

  • How to schedule a batch job to generate security audit log (SM20)

    May be this is a repeat question for this forum. Apologize, if it is. Is there a way to schedule a batch job to generate security audit log (SM20) automatically and possibly send a message to SAP Inbox or generate a spool request? Release is 4.6C.
    Regards
    Nirmal

    > May be this is a repeat question for this forum. Apologize, if it is.
    You don't need to apologize. You only need to do a very simple search...
    > Total Questions:  18 (16 unresolved) 
    Perhaps 16 of those 18 questions you have not followed up on could have been spared as well?
    Please do the needfull.
    Cheers,
    Julius

  • "logon time" between USR41 and security audit log

    Dear colleagues,
    I got a following question from customer for security audit reason.
    > 'Logon date' and 'Logon time' values stored in table  USR41 are exactly same as
    > logon history of Security Audit Log(Tr-cd:SM20)?
    Table:USR41 saves 'logon date' and 'logon time' when user logs on to SAP System from SAP GUI.
    And the Security Audit Log(Tr-cd:SM20) can save user's logon history;
    at the time when user logged on, the security audit log is recorded .
    I tried to check SAP GUI logon program:SAPMSYST several ways, however,
    I could not check it because the program is protected even for read access.
    I want to know about specification of "logon time" between USR41 and security audit log,
    or about how to look into the program:SAPMSYST and debug it.
    Thank you.
    Best Regards.

    Hi,
    If you configure Security Audit you can achieve your goals...
    1-Audit the employees how access the screens, tables, data...etc
    Answer : Option 1 & 3
    2-Audit all changes by all users to the data
    Answer : Option 1 & 3
    3-Keep the data up to one month
    Answer: No such settings, but you can define maximum log size.
    4-Log retention period can be defined.
    Answer: No !.. but you can define maximum log size.
    SM19/SM20 Options:
    1-Dialog logon
    You can check how many users logged in and at what time
    2-RFC login/call
    Same as above you can check RFC logins
    3-Transaction/report start
    You can see which report or transaction are executed and at what time
    (It will help you to analyise unauthorized data change. Transactions/report can give you an idea, what data has been changed. So you can see who changed the data)
    4-User master change
    (You can see user master changes log with this option)
    5-System/Other events
    (System error can be logged using this option)
    Hope, it clear the things...
    Regards.
    Rajesh Narkhede

  • Advice needed: what does your company log for SAP security role changes?

    My client has a situation where for many years, they never logged changes to SAP security roles.  By that I mean, they never logged even basic details, like who requested a change, tested it, approved it, and what changed!!  Sadly their ticketing system is terrible, completely free-form text and not even searchable. 
    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details?   What details do you capture?  What about Projects, that involve dozens of changes and testing over several months?
    I plan to recommend, at least, they need to use a unique# (a ticket#, or whatever) for every change and update the same in PFCG role desc tab, plus in CTS description of transports... but what about other details, since they have a bad ticketing system?  I spoke with internal audit and change Mgmnt "manager" about it, and they are clueless and will not make recommendations.  It's really weird but they will get into big trouble eventually without any logs for security changes!

    Does anyone here use Word docs, Excel sheets, or some other way to capture security role change details? What details do you capture? What about Projects, that involve dozens of changes and testing over several months?
    I have questions:
    a) Do you want to make things straight
    b) Do you want to implement a versioning mechanism
    c) You cannot implement anything technical, but you`re asking about best "paper" practise?
    The mentioned scenarios can be well maintained if you use SAP GRC Solutions 10 (Business Role Management)
    Task Based, Approvals, Risk Analysis, SOD and role generation and maintenance in a structured way (Business Role Management). Workflow based, staged process with approvals.
    PFCG transaction usage will be curtailed to minimum if implemented fully.
    Do we really want to do things "outside" PFCG?
    @all:
    a) do you guys use custom approval workflows for roles?
    b) how tight your processes are? how much paperwork, workflow, tickets, requests and incidents you have to go through to change a role?
    c) who is a friend of GRC here, raise your hand
    Cheers Otto
    p.s.: very interesting discussion, I would like to learn something here about how it works out there in the wild

  • Best SAP Security Practices Print,file,job schedule, archiving

    Hello All, i would like to know in your experience which will be the best practices for Security  for this list below:
    - Printer security (especially check printing)
    - File path security for export/import
    - Best Practice for Job Schedule and Spool file
    - Archiving process (I can't think of any specific to security, other than Security Audit Logs)
    Are there any special transactions/system settings/parameters that must be on place in order to hard SAP Systems?
    Do you have any documentation related?
    I mean for example Job, spool i think user must just only run heir own jobs,and se their own works for printing, is there a paremeter to athenticate Prints/user, etc.
    Please let me know your comments about those related issues.
    I appreciate your help.
    Thanks a lot.
    Ahmed

    Hi,
    PFCG_TIME_DEPENDENCY
    This is best to run once a day mostly after 12.01 am as it removes the roles which are invalid for current date. As role assignment is on date basis there is no advantage of running it hourly.
    /VIRSA/ZVFATBAK
    This is for GRC 5.3, and this job is to collect FFID logs from backend to GRC repository, so if you have frequent FFID usage you can schedule it hourly or for every 30 min too, if you have enough bandwidth in your server to get the latest log report. or else you can have it scheduled for twice a day too, so it is purely based on your need.
    Hope this helps.
    BR,
    Mangesh

  • CCMS and Security Audit log

    I have seen a huge number of companies who do not use SM19/SM20 or RZ20. It is not configured. example I worked for 3 clients(user base 14000, 16000,1000) and none of them have this configuration.
    Do you know why is it so if it is not configured at your place.
    Thanks
    Edited by: Pankaj Jain on Sep 26, 2009 7:02 PM

    Performance impact is dependent on the Hardware sizing and the daily monitoring activities together with the back up schedule by the BASIS team.
    My experience is: I have seen maximum of clients using this for logging activities of ALL users in the system. In other few cases, it is restricted to Super and Special users.
    Please go through the document: [Security Audit Log|http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/2088d9d4-e011-2a10-bba9-90548dbc2d6a&overridelayout=true] (it's a bit Old)
    Try searching Community with SM20 / SM19 / Security Audit Log search strings.
    Regards,
    Dipanjan

  • SM19 security audit maximum file size is 100MB ?

    Dear all,
    My system security audit log has reached maximum 100MB.
    a.) Is 100MB the default size ?
    b.) Any way to increase it ?
    Comment and advice will be appreciated.
    Thanks.
    Regards,
    Kent

    Hi,
    > a.) Is 100MB the default size ?
    Yes
    > b.) Any way to increase it ?
    >
    Follow SAP note 909734.
    Also link: http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log_1/
    Thanks
    Sunny

  • Security Audit Log for XI IB

    Hello,
    on the ABAP Stack it is possible to activate the security audit log, to log activities on certain objects/functions. Is there also a possibilty to do this for the JAVA-Stack.
    We have for legal reasons to log, want users are doing on the productive XI system. E.g. we wanna log if someone is changing the value mapping or configurating the adapter.
    Regards, Werner

    Hi,
    chk out these links
    Audit Log
    http://help.sap.com/saphelp_me21sp2/helpdata/en/23/c9833b3bb1780fe10000000a11402f/content.htm
    regards
    jithesh

  • Security audit log for the last 30 days?

    Hi,
    My current settings for the security audit log is 20 MB (by default).  I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
    What are the parameters that I would need to maintain?
    Or any additinal config is required?
    Thanks,
    Abdul

    Hi,
    My current configuration is like this:
    Name                Description                                           Current value                                            System default value
    FN_AUDIT     Name of security audit file          audit_++++++++
    DIR_AUDIT     Directory for security audit files     /usr/sap/GSP/DVEBMGS00/log     /usr/sap/GSP/D00/log
    rsau/enable     Enable Security Audit          0
    rsau/max_diskspace/local     Maximum space for security audit file     300M     20M
    rsau/max_diskspace/per_day     Maximum size of all security audit files per day          0
    rsau/max_diskspace/per_file     Maximum size of one single security audit file          0
    rsau/selection_slots     Number of selection slots for security audit          2
    rsau/user_selection     Defines the user selection method used inside kernel functions          0
    I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB.  If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
    My requirement is - I want to track users and their activities for the last 30 days (or 45 days).  No log should be overwritten unless it is atleast 30 days old.
    In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
    Other doubts: Do I have to start auditing manually every day?  Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.
    Regards
    Abdul
    Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

  • Performance issue of Security Audit log

    Hello,
              My client would like to activate the Security Audit log on his system. However he will like to know whether there could be any performance issue when activating it. Since I do not have any prior experience, can you please give me your general feedback on this subject. Have any of you experience performance issue when implementing security audit log and what can be done to minimize its effect?

    Hai,
    Activating Security Audit logs will not affect the performance of your SAP system. Since SAP Systems maintain their audit logs on a daily basis. The system does not delete or overwrite audit files from previous days; it keeps them until you manually delete them. Due to the amount of information that may accumulate, you should archive these files on a regular basis and delete the originals from the application server. This is the only thing you really need to take care since they might fill up the disk space if you dont archive or delete them on regular basis. Also since the data is very sensitive you should take extra care to protect the data.
    Please follow the below links for more details.....
    http://help.sap.com/saphelp_nw04/helpdata/EN/95/d2a8e36d6611d1a5700000e835363f/frameset.htm
    http://www.saptechies.com/faq-answers-to-questions-about-the-security-audit-log/
    Regards,
    Yoganand.V

  • Security audit log doesn't capture services

    Hello I am posting this on behalf of Carol, Would you please be kind on helping her?
       After the upgrade to ECC the t-codes for the ESS functions were
    changed to services that run via the portal.  We need to find where the
    audit data is logged for these services.  Below are some of the t-codes
    which are now run via the new service name.
    PZ02##sap.com/essusaddr/Per_Address_US
    PZ03##sap.com/essusbank/Per_Bank_US
    PZ10##sap.com/essusw4/Per_W4_US
    PZ11_PDF#sap.com/ess~rem/PaySlip2
    PZ18##Z_WDA_HR_EMRG_CONTACT
    A search of notes with 'security audit log' hasn't turned up any new
    information. 
    Carol

    Hi Ricardo,
    check the notes:
    [544708|https://websmp130.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=544708] - Changed password rules prevent ITS-based logon
    [872773|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=872773] - Changed password rules and ITS-based logon
    Alternatively use the search terms "ESS Scenario PZ02/ Personal data" .. you might get some related notes.
    Regards,
    Srihari

  • Getting started in SAP Security

    Hi guys,
    I've been in the industry working as an ETL developer, designer and DBA for a few years now, although mostly worked in a non-sap environment.
    I'd like to get into SAP Security. I need your input in getting started.
    What's a good place to started. So far, I've started looking at some webcasts at SDN.
    What else can I do?

    Hi Ravi,
    How about this for a suggestion - 2 years each:
    1) - Development (a.k.a. "Techi") - such as ABAP.
    2) - Functional consulting (a.k.a. "Funki") - try to specialize in an area.
    3) - XI (not sure what the "a.k.a" is...)
    4) - then SAP Security...
    (you can also juggle 1 and 2, or combine them to the best possibility... and get informed about the new stuff... but you will often meet chicken-or-the-egg there...)
    (optionally you can either start, or end, with auditing...)
    Much like Ben´s advice, this is just a suggestion for you to take a medium term approach without giving up after a few days.
    Cheers,
    Julius

Maybe you are looking for

  • Report Preview Issues SLM 1.2

    I am having an issue with the connection check completing sucessfully. I have updated all of the jar files in the build directory with the versions from the SLM lib directory. The configuration file exists and is in that location (I have included the

  • IPod causing mega crash (and its not the iPods fault)

    Whenever I plug in an iPod to my new iMac, iTunes freezes. Usually it will take down the entire computer. The variations are, the iPod will not be visible or I will see the iPod and after two or three changes iTunes will lock up. Sometimes if I wait

  • Connect Two 24-inch LED displays to 1 graphics card??

    Hi, Please can someone offer me some advice. I am using a 2.93 Quad Core Mac Pro with 2 GT120 graphics cards and two 24inch LED displays. Is it possible to connect these displays to only 1 Graphics card?.. Kindest Regards.

  • Heat, Fan, and dimming display questions

    I have a hot running MacBook Pro. I've had the unit returned for service and only one of my four issues was resolved. The unit is going back again for service. I seemed to irritate the last tech support person by asking questions about the heat issue

  • Different ways to establish SSO between Portal and ADP

    Hi, We are implementing payroll with the help of ADP. Please let me know different ways of establishing SSO between portal  and ADP Thanks Bala Duvvuri