SM20 Reports

Greetings,
We run the SM20 audit log reports each month for DDIC activity when it's associated with a terminal name. I understand best practice says to lock DDIC, but because it is used for so many automated jobs the Basis group has not had the time to evaluate, and simply pulling the plug could have downstream implications that they are afraid of. But I digress.
We run this report for all audit classes/events and all security levels. In the output I get hundreds if not thousands of audit log messages related to the RFC call audit class within the "Severe and Critical" security level:
RFC call Successful RFC Call BDL_DDIF_TABL_GET (Function Group = BDL5)
RFC call Successful RFC Call SALC_UTIL_MT_GET_TREE_LOCAL (Function Group = SALC)
RFC call Successful RFC Call /SDF/EWA_GET_PARAMETER (Function Group = /SDF/EWA)
RFC Call RFC_PING (Function Group = SRFC)
What are the security implications of these types of events? What is so Severe and Critical about these actions? I am trying to filter out as many meaningless or low security events to make the output somewhat reasonable otherwise I have thousands of records to sift through. How accurate is SAP in the assessment of these security levels? Are they being too conservative?
I appreciate whatever guidance you can offer related to this.
Thanks
Mark
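The post above asks how to cut the thousands of "Successful RFC Call" lines down to the ones worth a Basis sign-off. One defensible way to do that is to parse the message text, pull out the function module and function group, count the groups that have already been reviewed and explained, and surface only the calls that have not. The script below is an added example written for this page, not code from the thread or from SAP. The sample log lines are constructed from the four messages quoted in the post plus one made-up Z-namespace entry; the allowlist of reviewed function groups is an assumption for the example and not a statement that those groups are harmless in every system.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the SM20 message texts quoted in the post.
# The ZEXAMPLE_* line and the logon line are made up so the filter has something
# to flag and something to pass through.
SAMPLE_LINES = [
    "RFC call Successful RFC Call BDL_DDIF_TABL_GET (Function Group = BDL5)",
    "RFC call Successful RFC Call SALC_UTIL_MT_GET_TREE_LOCAL (Function Group = SALC)",
    "RFC call Successful RFC Call /SDF/EWA_GET_PARAMETER (Function Group = /SDF/EWA)",
    "RFC Call RFC_PING (Function Group = SRFC)",
    "RFC call Successful RFC Call /SDF/EWA_GET_PARAMETER (Function Group = /SDF/EWA)",
    "RFC call Successful RFC Call ZEXAMPLE_UNREVIEWED_FM (Function Group = ZEXM)",
    "Logon Successful - Dialog",  # constructed non-RFC line, left untouched
]

# Function groups the Basis team has already explained and signed off on.
# Assumption for the example: built from the groups named in the post, so the
# reviewer maintains this list, the script does not decide what is benign.
REVIEWED_GROUPS = {"BDL5", "SALC", "/SDF/EWA", "SRFC"}

# Both message shapes seen in the post: with and without "Successful RFC Call".
RFC_RE = re.compile(
    r"RFC [Cc]all(?: Successful RFC Call)? (?P<fm>\S+) \(Function Group = (?P<group>\S+)\)"
)


def parse_rfc_event(line):
    """Return (function_module, function_group) for an RFC-call message, else None."""
    m = RFC_RE.search(line)
    if not m:
        return None
    return m.group("fm"), m.group("group")


def triage(lines, reviewed_groups=REVIEWED_GROUPS):
    """Split RFC-call messages into already-reviewed noise (counted per group)
    and unreviewed calls that still need a human explanation; every non-RFC
    line is passed through unchanged so nothing is silently dropped."""
    reviewed = Counter()
    needs_review = []
    other = []
    for line in lines:
        parsed = parse_rfc_event(line)
        if parsed is None:
            other.append(line)
            continue
        fm, group = parsed
        if group in reviewed_groups:
            reviewed[group] += 1
        else:
            needs_review.append((fm, group))
    return {"reviewed": reviewed, "needs_review": needs_review, "other": other}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for group, n in sorted(result["reviewed"].items()):
        print(f"reviewed  {group:<10} {n} call(s)")
    for fm, group in result["needs_review"]:
        print(f"REVIEW    {fm} ({group})")
    print(f"{len(result['other'])} non-RFC line(s) passed through for the normal review")
```

The point of counting reviewed groups rather than discarding them is that the monthly sign-off can still state how many calls each explained group produced, while the reviewer's attention goes to the short list of unexplained function modules and to everything the parser did not recognise.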

Julius,
I bow in deference to your knowledge of this area. It’s extremely helpful to
get a thorough understanding on the nuances surrounding DDIC and SM20.
Some background on me. I am an IT auditor and I inherited this process.
Apparently way before I started here (4 years ago) this discussion must have come up
as a result of SOX testing and the Basis group must have successfully defended
against locking DDIC for the very same reasons you note. The IT Audit Director at the
time understood the situation but PWC wanted some assurances that this activity
was at least being reviewed and it became one of the ITGCs to run the SM20 log
report each month in each instance and have the Basis group review and sign off on all activity
related to DDIC. If the SM20 output showed that DDIC signed in with reference to
a terminal name or ip address they needed to explain why this was necessary.
They were always able to explain the reasons behind this and the occurrences
seemed minimal considering all the events logged related to that ID. Up until a
few months ago I ran for all audit classes excluding user master changes with
events of Severe and Critical.
Fast forward to 2015 and PWC ran an independent SM20 report from our system
for all audit classes and events = All. As you can imagine, even for
one month worth of activity the number of records was astronomical compared to
running it the way I did. That was when I started taking a closer look at the
log message text and the security levels associated. It didn’t make sense which
brought me here.
I will take you up on your offer to post a blog or wiki on the minimum
authorizations required by user DDIC so that I can confirm we are truly looking
at high risk events and filter out some of the noise to make this report
readable and more accurate. It appears that we probably won’t be able to lock
the ID and for valid reasons.
PS
Is there an OSS note or other governing document that refutes the security
best practice of locking DDIC in production? Every SAP system security related manual
I have read recommends locking this ID in production right after go-live, as if it's one of those check-the-box-and-be-done-with-it items. It really is misleading to do this, as you suggest, as it could have
greater implications that impact the business. Can I just tell the external auditors that you said it was OK?
Thank you very much for your time.
Regards,
Mark

Similar Messages

  • SM20 report shows empty result

    Hi All,
    Issue in Audit sm20:
One of the accounts with special privileges was set open for making changes directly in production for a limited time.
When I tried to run an SM20 report to list the actions I did, I get an empty result, whereas I am able to get other information except for that particular user.
Findings:
1. Able to identify the transactions used in ST03 for that user.
2. Logs were returned on that particular date.
3. Checked in SM19; all activities were active.
4. All related parameters were set accordingly.
Please help me out in finding the result and solving the issue.

> When I tried to run an SM20 report to list the actions I did, I get an empty result, whereas I am able to get other information except for that particular user.
>
--> I believe you were able to view other users' activities during the same time, but specifically not for one user?
In case there are many instances in your SAP system, could you check all instances individually from SM20?
Also, Security Audit Logs cease to be written when the audit log max size is reached / the quota for the day is used up. Even this is instance specific, and hence you need to verify this for the instance to which the user logged on.
There are also occurrences of audit logs not being written owing to product errors. Could you go through the following SAP Notes, in case the SAP release mentioned in the notes matches yours?
    SAP Note 763159 - Security Audit Log: some transaction starts not audited
    SAP Note 710138 - Security Audit Log: Transactions are not recorded (3)
    SAP Note 317883 - SecAudit: Transactions are not recorded
    SAP Note 483953 - Security Audit Log: AU9 and AUA events are not recorded
    SAP Note 840798 - SecAudit: Transaction code sometimes missing
    cheers !
    PRADi

  • Run SM20 in background with variant

I need to supply an SM20 report of a particular user and am trying to schedule it as a batch job. I am unable to do so in a 46C environment.
Has anyone been able to achieve something like this?

RSAU_READ_AUDITLOG_EXTERNAL
It looks like it runs on the application server which the system user is logged into. This is default local:
    PARAMETERS:
             RFCDEST   LIKE  RFCDES-RFCDEST        DEFAULT 'NONE',
... until you go outside of the system by changing the destination or explicitly to a different application server.
RSAU_SELECT_EVENTS
Here you can choose which application server you want to read from:
    SELECT-OPTIONS server     FOR rsauentr-slginst.  "Instances
    SELECT-OPTIONS client     FOR rsauentr-slgmand.  "Clients
    SELECT-OPTIONS user       FOR rsauentr-slguser.  "Users
    SELECT-OPTIONS terminal   FOR rsauentr2-slgltrm2."Terminals
    SELECT-OPTIONS tcode      FOR rsauentr-slgtc.    "Transactions
    SELECT-OPTIONS report     FOR rsauentr-slgrepna. "Programs
... so you can choose 1, or more (select single values or ranges), or all application servers from within the same SID.
    call function 'TH_SERVER_LIST'
      tables
        list   = sys_tabl
      exceptions
        others = 1.
    if sy-subrc = 1.
      raise not_available.
    endif.

  • SM20/SM20N audit report analysis - in background

    Hi,
I would like to create an audit log / audit report analysis in background.
I've found an article but am interested to understand if it is the only way to do that?
article: http://sap.ittoolbox.com/groups/technical-functional/sap-security/security-audit-reports-using-sm20-1019745?cv=expanded
Any idea?
    Dimitry Haritonov

I have not tried it, but yes, that's what is mentioned in Note 838847:
    Instructions for Releases 4.6C and 6.20
    Creating the RSAU_SELECT_EVENTS program:
    Title: "Selection of audit events from the audit files (background variant)"
    Type: Executable program
    Application: Basis
    Package: SECU
    Logical database:
    See the correction instructions for the source code.
If your question is answered, mark it answered and award the points.
    Regards
    dEE

  • Use of SM20

    I have been asked to get a report of all transactions started by all users since the beginning of the month. I believe I should use SM20 to get this report. For selection criteria I have the date range of 07/01/2009 / 00:00:00 through 07/27/2009 / 23:59:59 selected. Under audit classes I only have "transaction start" checked. All events is checked as well.
Underneath Format it is set to Output to Screen and "No. pages for individual display" is set to 80. I am only getting results for 07/01/2009. What is "No. pages for individual entries" for?
    Also we are in a clustered environment. Is this report only reading audit logs for the server I am currently logged on to?
    Many thanks,
    Michael

    Hi,
    "No. pages for individual entries" is for how many pages of the system log you want to display.
Yes, if you do not choose Security Audit Logs --> All Audit Logs, it will provide you the logs of the local server only.
    Regards,
    Sandip

• How can I get a report on the number of user logins in the system

    Hello
How can I get a report on the number of user logins in the system?
I mean user license logins per day in the system.
What is SAP's strategy for license audits?
How can I manage my license users?
    Jayesh

    Hi Jayesh
    You can use the Audit Transactions. Set the Audit Profile with Tx SM19 and then report with Tx SM20.
    You can also use the programs CCUINIT and CCUEVAL. Report CCUINIT initialises the measurement of current users and report CCUEVAL will provide the report and the logs for you to download.
    Also regarding the licensing of users,
    Refer to http://www.sap-img.com/sap-overview/help-to-understand-sap-licenses.htm
    and https://websmp104.sap-ag.de/licenseauditing
You will get everything you need.
    Rohit

  • Logs vary in sm20 and RSAU_SELECT_EVENTS

    Hi,
Logs which appear in SM20 do not appear in RSAU_SELECT_EVENTS. Why is this happening?
    Regards
    Divya

    Hello Annie,
It is simple. You need to create a dynamic variant for it.
If you want it step by step, here it is:
Execute the report in SE38. In the selection screen you will have the date auto-populated. Ignore it. Just press the save option. You will come to the screen:
ABAP: Save as variant.
Give the variant a name and a description.
Under the section FIELD NAME you will find two entries for current date. Also there will be lots of check boxes in front of the fields. For both the entries of current date select the check boxes which are under the column marked "L" (Selection variable).
After this press the pushbutton Selection variables.
In the next screen you will find two tabular entries for current date. Adjacent to them you will have the choice of the kind of selection you want. You will notice that the colour under column D (Dynamic date calculation) is yellow. Click on the yellow icon to select dynamic date selection. It will turn green. However, the adjacent one under column T will turn yellow.
Repeat this for the second entry for current date as well.
Now we come to the part where you can do dynamic date selection.
For the first entry for current date you will notice a downward arrow under column T (yellow light).
Click on that arrow; a pop-up will come which allows you to choose the date you want. Choose the first day of the current month.
Repeat the same for the second entry, the only difference being that the date you choose is the last day of the current month.
Save the changes on the selection variable screen as well as the ABAP variant screen and test your variant.
    I hope it works. Please award points accordingly.
    Regards.
    Ruchit.

  • Problem in Transaction Usage report in Virsa toolbox in virsa FF

We have recently installed Virsa Firefighter.
When we run the Transaction Usage report in the Virsa toolbox, selection by "Transaction", it gives all the transactions run in the particular client till date and not just the tcode for which we want the report.
What can be the reason for such a result?

    Hi,
This may be possible if the trace is activated in TA ST01. But it is not advisable to keep this trace on for a prolonged period, as it has an adverse effect on system performance.
For a smaller user base, you can enable the security log in TA SM19. The report can be pulled from TA SM20.
    Hope this helps.
    Regards,
    Varadharajan M

  • STAD Report for last month

    Hi,
I am getting the STAD report for the last week, but I am not getting the STAD report for last month. I want to get the STAD report for a particular day in last month. How do I rectify this?
Thank you

    Hi,
rsau/local/file /usr/sap/LID/DVEBMGS00/log/
You will have to set the DIR_AUDIT parameter instead of it.
Set the following parameters with reference values:
Parameter                    Description                                                      Reference Value
DIR_AUDIT                    Directory for security audit files                               S:\ECP-AUDIT\ECP\DVEBMGS00\ECP_security_audit_log
FN_AUDIT                     Name of security audit file                                      ECP_AUDIT_++++++++.AUD
rsau/enable                  Enable the Security Audit Log                                    1
rsau/max_diskspace/local     Maximum space for security audit file                            2147483647
rsau/max_diskspace/per_day   Maximum size of all security audit files per day                 (if you wish, otherwise leave it at the default '0')
rsau/max_diskspace/per_file  Maximum size of one single security audit file                   (if you wish, otherwise leave it at the default '0')
rsau/selection_slots         Number of filters to allow for the Security Audit Log            (if you wish, otherwise leave it at the default '2')
rsau/user_selection          Defines the user selection method used inside kernel functions   (if you wish, otherwise leave it at the default '0')
> Activated profile in SM19; still I am not getting the audit log for last week in SM20.
After proper setting of the Security Audit Log parameters, the application server needs to be restarted to make the changes effective. You will only get audit data from the activation of valid Security Audit parameters onwards.
    Regards,
    Bhavik G. Shroff

  • Change History in Fire Fighter Log Report.

    Hi Experts,
Changes made by fire fighters were not recorded in the fire fighter log reports. I have gone through a thread in the forum, where it was mentioned that the issue had been reported to SAP. Please let me know if there is any update on the issue from SAP.
    Thanks,
    Mukesh

FF logs can be recorded when the changes are done with the FF ID. Without an FF ID no Support / IT user should be allowed.
If you want to change the configuration, it has to be done via FireFighter only. Otherwise you get the log from SM20, if it has been configured.

  • Getting message : The result set for this selection was empty on sm20

    Hi,
I assigned the below parameters in RZ10:
rsau/user_selection             1
rsau/max_diskspace/per_day      1950M
rsau/max_diskspace/per_file     650M
rsau/enable                     1
I activated the security audit profile in SM19 also. But when I go to SM20 for analysis of the security audit log I am not getting a report; I am getting this message: The result set for this selection was empty.
Guide me on the same.
Thank you

    Hi,
    The result set for this selection was empty.
    I think your configuration is OK except one thing...
Check in SM19 if you have selected the "Filter Active" check box in the "Filter 1" and "Filter 2" screens and also the "Audit Classes".
Even though the security audit is enabled in SM19, without selecting a filter it will not log the events and gives you the above message.
    Regards.
    Rajesh Narkhede
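Both of the "empty SM20 result" answers above come down to the same small checklist: the rsau/* parameters must be set (with DIR_AUDIT rather than the old rsau/local/file), the instance must be restarted afterwards, and the SM19 filter must actually be active with audit classes selected. The script below is an added example for this page, not SAP code and not something from the threads; it parses the relevant lines of an instance profile and reports the parameter-level problems those two answers describe, then prints the checks that cannot be proven from the profile alone. The two profile fragments are constructed; the SID, paths and sizes in them are made up, and the parameter names are the ones the answers mention.

```python
# Constructed sample instance-profile fragments. SID, paths and sizes are made up;
# the parameter names are the ones named in the two answers above.
PROFILE_OK = """
# constructed instance profile fragment
rsau/enable = 1
DIR_AUDIT = /usr/sap/XXX/DVEBMGS00/log
FN_AUDIT = XXX_AUDIT_++++++++.AUD
rsau/selection_slots = 2
rsau/user_selection = 1
rsau/max_diskspace/per_day = 1950M
rsau/max_diskspace/per_file = 650M
"""

# Mirrors the STAD thread: the old rsau/local/file parameter is set where
# DIR_AUDIT should be, and no file name pattern is given.
PROFILE_BROKEN = """
rsau/enable = 1
rsau/local/file = /usr/sap/XXX/DVEBMGS00/log/
rsau/user_selection = 1
rsau/max_diskspace/per_day = 1950M
rsau/max_diskspace/per_file = 650M
"""


def parse_profile(text):
    """Parse 'name = value' lines of an SAP profile into a dict, skipping comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def check_audit_params(params):
    """Return findings for parameter settings that leave SM20 with no data."""
    findings = []
    if params.get("rsau/enable") != "1":
        findings.append("rsau/enable is not 1: the Security Audit Log is switched off")
    if "DIR_AUDIT" not in params:
        if "rsau/local/file" in params:
            findings.append(
                "rsau/local/file is set but DIR_AUDIT is missing: set DIR_AUDIT instead")
        else:
            findings.append("DIR_AUDIT is missing: no directory for the security audit files")
    if "FN_AUDIT" not in params:
        findings.append("FN_AUDIT is missing: no file name pattern for the security audit files")
    return findings


# Points the profile alone cannot prove; taken from the answers in this thread list.
MANUAL_CHECKS = (
    "restart the application server after changing rsau/* parameters; "
    "only events after activation are logged",
    "in SM19 the filter must have 'Filter Active' set and audit classes selected, "
    "or nothing is written",
    "check every instance: the audit file and the disk-space quota are instance specific",
)


if __name__ == "__main__":
    for label, text in (("ok profile", PROFILE_OK), ("broken profile", PROFILE_BROKEN)):
        findings = check_audit_params(parse_profile(text))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
    print("still to verify by hand:")
    for c in MANUAL_CHECKS:
        print("  -", c)
```

Run against the real instance profile (RZ10 writes the same name = value form) the script only tells you whether the file side is complete; the SM19 filter state and the restart still have to be confirmed in the system, which is why they are printed as manual checks rather than silently assumed.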

  • ABAP Reports and SAP Query

    Hi Experts,
I have a question regarding ABAP reports, SAP Query, and transactions with variants. How are we securing the above reports that we assign through PFCG? We can secure a custom program by a custom transaction or define the auth group in the S_PROGRAM auth object, but in this case we have to assign SA38 in production. Is that correct?
Please help me understand the difference between ABAP reports and SAP Query. Are ABAP reports the same as programs or are they different?
    Thanks in advance
    Faisal
    Edited by: Faisal on Jun 30, 2009 11:06 PM

    Hi,
    1) End user security (role matrix coordinate with process team)
    This role Matrix design is most important where we can put restrictions and use SoD.
    2) Secure Table (by auth group)
    Table TDDAT and use of transaction se54 for security tables to right auth Groups. Secure s_tabu_dis, s_tabu_cli.
    3) Secure program (as you said ABAP reports are referred to Program)
Use of table TPGP and program RSCSAUTH for assignment of groups to programs. Running SA38 requires at minimum SUBMIT in the user action. A user having SA38 is dangerous, as he/she is now enabled to run any report. Hence protection by auth group is needed. Verify whether each and every program has an authority check statement and an auth group or not before assigning SA38. As you mentioned, it is best to avoid SA38 and create a CUSTOM TXN for each report.
(We should also SECURE S_DEVELOP in production properly along with your points. Please note.)
    4) Secure some batch jobs roles for batch job
    Secure by s_btch* objects and less access to se36.
    5) Create support roles for cutover activity during Go-live
    That is always needed. Go ahead.
    6) Emergency roles & IT roles for support
This is very much needed as a role for mitigation and fire fighting for temporary access. Ensure you enable your audit parameters in RZ10 (rsau* for SM20, RSLG* for SM21). Give emergency access, but enable audit via SM19 and get audit reports from SM20 and SM21 immediately after the use of emergency access.
There are also other auth objects we need to be careful with, which is a long list, and I hope everybody ensures that (S_CTS, A_ADMI, S_TRANS, tables SSM_CUST, PRGN, T000) etc. and a host of others. Best wishes. Let us know if there is any issue.
    Regards
    Aveek.

  • Problem in generating User Login Report on System Usage

    We want a daily shift-wise(3 shifts of 8 hours each) report with following information
    1.  User-ID
    2.  Login Time-Stamp
    3.  Transaction Code
    4.  Transaction Code Start Time-Stamp
    5.  Transaction Code End Time-Stamp
    6.  Logout Time-Stamp
At present we are extracting the usage data with the STAD transaction and processing it in batch mode to generate a report, which is not fulfilling our requirement as it does not have the Transaction Code End Time-Stamp. One problem is that the same transaction code has multiple time-stamps. If the time-stamp is considered up to hour and minute, multiple records for the same transaction code as well as different transaction codes are appearing. We are unable to generate MIS as per our requirement.
    Thanks in advance.
    Kajal

    Hi,
This may be possible if the trace is activated in TA ST01. But it is not advisable to keep this trace on for a prolonged period, as it has an adverse effect on system performance.
For a smaller user base, you can enable the security log in TA SM19. The report can be pulled from TA SM20.
    Hope this helps.
    Regards,
    Varadharajan M

  • Log Out Activity Report

Is there a way to run an activity report on the exact time a user has logged out of the system?
Also, where would I view the "idle" minutes or seconds set in SAP to automatically log a user out of the system?

    Hi Camille,
Go to T-code SM20 audit log and you can find the users' login and logout times and which t-codes were executed.
STAD is also used for the same. If you want to set the idle time, go to
RZ10, find parameter rdisp/gui_auto_logout and set the time in seconds.
    Regards
    Naveen

• We'd like to get custom reports. The base of the reports is the Security Audit Log

We'd like to get custom reports. The base of the reports is the Security Audit Log files. These are the files for SM20.
What does the file structure look like? What are its fields?
    Thanks!

    Hello Marina
    The data written to the security audit log correspond to the DDIC structures RSLGENTR (up to release 4.6) and RSAUENTR2 (in newer releases). DDIC structures can be viewed using TA SE11 (data type).
As I can see, you have already opened a thread regarding this. Please don't duplicate threads, as this only scatters the information.
    Regards,
    Désiré
