SOX Auditing on BPC 7.0

We are in the process of rolling out BPC 7.0 and have run into some SOX auditing issues. The team leveraging the software is not large enough to segment roles in order to fulfill the segregation of duties requirement. Because of this, it looks like we are going to have to use IT resources, to push changes into production, in order to mitigate the finance team being able to make changes and having the ability to move them to production.
All of this can be subverted if we can find a way to implement a robust logging mechanism. From what I have heard, BPC does not have the ability to track changes to logic files.
Does anyone know of a way to track logic changes?
How are other companies meeting SOX logging and segregation of duties requirements?
Are there any third-party tools that can handle SOX compliance for us?

Hi EWillie,
You had better post your message in this forum:
SAP Planning and Consolidation, version for SAP NetWeaver
The GRC forum unfortunately does not deal with BPC.
Best,
Frank

Similar Messages

  • Print "Confidential" mark on all docs (required for SOX audit)

    Hi All.
    Problem: In order to comply with Sarbanes-Oxley Act I need to implement possibility to print "Confidential" mark for any user chosen document (on every page).
    Partially this was implemented by setting footnote in SAP printer driver. But this isn't usable all the time (especially with ALV-lists).
    There are 3 SAP notes:
    895029 - Let MIC report output watermark
    371854 - SAP Query: Printing in the SAP List Viewer (ALV)
    756650 - Footer in the print dialog
    But the first one is about the standard header. The second one looks like what I need, but it also does not cover all documents. The third is for future releases.
    I found that there is special Sarbanes-Oxley Compliance Software for SAP ERP. And I wonder if it covers also print issue:
    680615 - Installing SAP CM SOA Release 1.0
    Best solution would be to have a checkbox, which user can check while printing confidential documents.
    I cannot believe that nobody has faced the same problem while preparing for a SOX audit. Is there a standard solution?
    Thanks to all.
    Message was edited by:
            Andrei Balashchanka

    If someone is interested, here is SAP's reply to my problem:
    "Setting a footline for printing in the ALV lists is not possible.
    However as a workaround you are able to design the areas above and
    below the ALV output with various elements. In your business case (if I
    understood your business requirements correctly) you need to output a
    text/a mark at the top/at the bottom of every printed page -> in order
    to implement this you would have to implement handling for either the
    TOP_OF_PAGE or the END_OF_PAGE events as in ALV the page headers and
    footers are events.
    If ALV determines that there is a page break when generating the
    printout, the END_OF_PAGE or TOP_OF_PAGE event is triggered. ALV checks
    whether a design object is defined for this event and inserts at the
    correct position e.g. when you use the event print_end_of_page to output
    text with the WRITE statement during print output. The text is inserted
    at the end of each page. During print output, the ALV Grid Control goes
    to the list output of the classic ALV. In the print preview (classic
    ALV), the text for this event is not displayed. Demo program
    BCALV_GRID_01 in development class SLIS illustrates how the
    print_end_of_page is used. To allow output at the end of each page, you
    must reserve several lines for these pages. To do this, use field
    reservelns of a structure of type lvc_s_prnt and pass this structure
    with method set_table_for_first_display.
    For an overview see also the documentation for the events of class
    CL_GUI_ALV_GRID."

  • Controlling SIDADM access per SOX audit compliance

    Hello....
    We are going through our first SAP ERP implementation and had a few questions about the SIDADM user and audit.  We are running the SAP system on a Windows server with an Oracle database.  The SIDADM user is currently shared by the basis team to maintain the SAP servers.  The basis team logs into the server using the SIDADM account to start/stop the SAP system, run any command-based utilities (i.e. sappfpar or tp) when needed and create/execute batch scripts for backups/exports/etc.  However, since the password for this user is shared by the whole team, we are concerned about SOX audit compliance.
    1.  How do other customers in a Windows environment control the SIDADM account to satisfy audit requirements?  Audit doesn't normally allow shared accounts on SAP servers.  When someone directly logs into the SAP server with SIDADM, we can't trace who logged on and made changes to the system.
    2.  If the password for SIDADM is not shared by the basis team, how does the basis team maintain the SAP servers (i.e. start/stop instance)?
    3.  Can the SAP systems be maintained by individual users without using SIDADM?  If so, how?
    We are looking for recommendations on how to control the super users in the SAP environments (SIDADM, DB users, etc) to satisfy SOX audit requirements. 
    Thanks for all your help.  Any recommendations will be appreciated~~
    Janet

    For info:
    SOX (Sarbanes Oxley Act, in particular Section 404) is a high level auditable requirement.
    BASIS activities are lower down and are subject to some slack in the actual implementation of the interpretation.
    The SAP administration (BASIS) area comes under its own audit(s) of particular variations, all of which are usually underneath SOX or another higher level requirement.
    Regards
    Ashley

  • Sox compliance and BPC

    Hi Gurus
    In our project a user is doing the admin job of BPC as well. He is the sole user. Now the auditor has objected to him maintaining the server and being a user at the same time. I am giving production support to BPC. Now I am supposed to make a SOX document and make a list of tasks which he should not do. Security/access is being maintained by me. Can someone give me some ideas or direction on this issue, please?
    Thanks
    Satya

    It is very specific to client so withdrawing.

  • Server Shares for SOX audit

    Would someone be able to assist in setting this script up for a multi domain environment?  Thank you.
    # $loc is expected to hold the folder that contains list.txt before this point
    $computers = Get-Content "$loc\list.txt"

    function Get-AllSharePermissions
    {
        param (
            [parameter(Mandatory=$true,ValueFromPipeline=$true)]
            [string]$computername
        )
        process
        {
            # One security-setting object per share on the target computer
            $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
            $myCol = @()
            foreach ($ShareS in $ShareSec)
            {
                $SecurityDescriptor = $ShareS.GetSecurityDescriptor()
                foreach ($DACL in $SecurityDescriptor.Descriptor.DACL)
                {
                    # One output row per ACE on the share
                    $myObj = "" | Select-Object Computername, Name, Domain, ID, AccessMask, AceType
                    $myObj.Computername = $computername
                    $myObj.Name = $ShareS.Name
                    $myObj.Domain = $DACL.Trustee.Domain
                    $myObj.ID = $DACL.Trustee.Name
                    switch ($DACL.AccessMask)
                    {
                        2032127 {$AccessMask = "FullControl"}
                        1179785 {$AccessMask = "Read"}
                        1180063 {$AccessMask = "Read, Write"}
                        1179817 {$AccessMask = "ReadAndExecute"}
                        -1610612736 {$AccessMask = "ReadAndExecuteExtended"}
                        1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
                        1180095 {$AccessMask = "ReadAndExecute, Write"}
                        268435456 {$AccessMask = "FullControl (Sub Only)"}
                        default {$AccessMask = $DACL.AccessMask}
                    }
                    $myObj.AccessMask = $AccessMask
                    switch ($DACL.AceType)
                    {
                        0 {$AceType = "Allow"}
                        1 {$AceType = "Deny"}
                        2 {$AceType = "Audit"}
                    }
                    $myObj.AceType = $AceType
                    Clear-Variable AccessMask -ErrorAction SilentlyContinue
                    Clear-Variable AceType -ErrorAction SilentlyContinue
                    $myCol += $myObj
                }
            }
            return $myCol
        }
    }

    # Append the rows for every computer in the list to one CSV
    foreach ($computer in $computers) { $computer | Get-AllSharePermissions | Export-Csv "$loc\1.csv" -Append -NoTypeInformation -Force }

    This does seem to work now. Although, how can I sort the output as before:
    $myObj = "" | select Computername, Name, Domain, ID, AccessMask, AceType
    I recommend taking time to learn PowerShell before just blasting along with no idea.
    Get-Content $loc\list.txt |
        Get-AllSharePermissions |
        select Computername, Name, Domain, ID, AccessMask, AceType |
        Export-Csv "$loc\1.csv" -Append -NoTypeInformation
    ¯\_(ツ)_/¯
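
The AccessMask values that the script in this thread matches one by one are bit fields, so any mask can be decoded generically. The following is an added example, not code from the thread: it decodes a mask (including the signed value -1610612736) and flags Allow ACEs that give a broad trustee write-capable rights. The hosts, shares and trustees are constructed sample rows, and the function names and the list of "broad" trustees are assumptions.

```powershell
# Added example, not code from the thread. All sample rows are constructed.
# Assumption: share ACE masks use the standard Windows access-mask bit layout.

function Convert-AccessMask {
    param([Parameter(Mandatory = $true)][long]$Mask)

    # A mask can arrive as a signed 32-bit number (-1610612736); fold it to unsigned.
    $m = $Mask -band 4294967295
    $names = @()
    $generic = [ordered]@{
        GenericRead    = 2147483648   # 0x80000000
        GenericWrite   = 1073741824   # 0x40000000
        GenericExecute = 536870912    # 0x20000000
        GenericAll     = 268435456    # 0x10000000
    }
    foreach ($name in $generic.Keys) {
        if ($m -band $generic[$name]) { $names += $name }
    }
    # Low 21 bits hold the standard and object-specific rights.
    $specific = [int]($m -band 0x1FFFFF)
    if ($specific) {
        $names += ([System.Security.AccessControl.FileSystemRights]$specific).ToString()
    }
    $names -join ', '
}

function Test-BroadWriteAce {
    param([Parameter(Mandatory = $true)]$Ace)

    # Assumed list of trustees treated as "broad"; adjust to local policy.
    $broad = 'Everyone', 'Authenticated Users', 'Domain Users'
    # WriteData, AppendData, Delete, WriteDAC, WriteOwner, GenericWrite, GenericAll
    $writeBits = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
    $m = ([long]$Ace.AccessMask) -band 4294967295
    ($Ace.AceType -eq 0) -and ($broad -contains $Ace.ID) -and [bool]($m -band $writeBits)
}

# Constructed rows with raw numeric masks (hypothetical hosts, shares and domain).
$sample = @(
    [pscustomobject]@{ Computername = 'FS01'; Name = 'Finance'; Domain = '';     ID = 'Everyone';     AccessMask = 2032127;     AceType = 0 }
    [pscustomobject]@{ Computername = 'FS01'; Name = 'Finance'; Domain = 'CORP'; ID = 'FinanceTeam';  AccessMask = 1245631;     AceType = 0 }
    [pscustomobject]@{ Computername = 'FS02'; Name = 'Reports'; Domain = 'CORP'; ID = 'Domain Users'; AccessMask = 1179817;     AceType = 0 }
    [pscustomobject]@{ Computername = 'FS02'; Name = 'Archive'; Domain = '';     ID = 'Everyone';     AccessMask = -1610612736; AceType = 0 }
    [pscustomobject]@{ Computername = 'FS03'; Name = 'Scratch'; Domain = 'CORP'; ID = 'Domain Users'; AccessMask = 268435456;   AceType = 0 }
)

# One report row per ACE: decoded rights plus the review flag.
$sample | ForEach-Object {
    [pscustomobject]@{
        Share   = "\\$($_.Computername)\$($_.Name)"
        Trustee = $_.ID
        Rights  = Convert-AccessMask -Mask $_.AccessMask
        Review  = Test-BroadWriteAce -Ace $_
    }
} | Format-Table -AutoSize
```

To run it over real data, feed it rows that keep the numeric AccessMask and AceType values rather than the translated strings.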

  • Activating audit for Dimension Members in BPC 7.5 NW

    Hi,
    Is it possible to activate dimension member audit in BPC 7.5 NW? Meaning, can we trace changes to master data (dimension members) in BPC 7.5 NW?
    Best regards
    SSC

    Hi,
    The Activity Auditing tracks Administrative and User tasks at the Appset level.
    This will be controlled by the Administrators to check whether activity auditing is enabled or not.
    To enable this feature, go to -> Administration for the Web, choose Manage Activity Audit -> then choose one or both types of activities to audit.
    Please check the help file for the same.
    http://help.sap.com/saphelp_bpc75_nw/helpdata/en/a0/2d2e0ec3da472c82a3f0ff5a96d9ce/content.htm
    Regards,
    Raghu

  • Activity Audit Space Error

    Hi,
    I was enabling "Activity Auditing" in BPC 5.1, after which I gave the specs in Manage Data Audit.
    When I clicked on the Save Audit Data Now link to run the synchronization process right away, it threw an error:
    Run Error: There is insufficient disk space to complete operation. , Pkg=AuditLoader, File=D:\SAP BPC\Data\Webfolders\OLAMDEVELOP\SystemLibrary\Library\AuditLoader.dnt Microsoft Data Transformation Services (DTS) Package
    Could you please let me know what needs to be done to solve this and see the audit trail, as I tried loading as minimum as one category just for Admin Activity and for just one Task
    Thanks in anticipation.
    Rgds,
    Rizwan

    Hi Sorin,
    I checked the Server size and it says 65 GB free space available !!!!!!!!!!!!!!!!!!!!
    I just don't know where exactly the space constraint is coming up, as I see a table created with the name of the database AuditActivity\detail\Budget.dbo in application name\extra folder
    It's only that the table has no data............ and it throws the space error
    It's just a 3-month-old server with real minimum data load in it as of now [approx 3 GB only!]
    Could you please help me with this Sorin,
    Thanks
    Rizwan

  • SAP user license & audit

    Hi all,
          I am a starter in SAP.
          Suppose I procure 10 user licenses and install the SAP package: can I create more than 10 user IDs? Will the system allow me to do it? If yes, how will SAP AG check it?
          Also, can anyone tell me when SAP will conduct the audit in an implementation project? I have heard something like 'sox' audit. I am not even clear about the terminology used. Please give some inputs.
    Thanks in advance,
    Raj.

    hi,
    as it follows the independent concept so an audit team can represent the internal organization or external.
    actually it is performed to identify and evaluate complex business and technology risks and related opportunities for internal control improvement to reduce the risk and enhance the quality, assurance and security of information systems and business processes.
    so the organization needs to perform it either by using its internal team who are aware of the concept of SOX std. or the organization can give this job to external unit to do the same.
    below is the link which shows different types of SOX:
    http://soxmadeeasy.com/SAP_Audit.html
    hope this will help you!!!
    Thanks & Regards,
    punit raval.

  • Audits of Dumps ST22

    Hello to all!
    For reasons of SOX audits, in our production system we have the job SAP_REORG_ABAPDUMPS that eliminates dumps generated in the system, to run every 3 months.
    But we are realizing that there must be another process that eliminates the dumps without this job that runs.
    The question is: is there an additional process in SAP that removes the dumps from time to time, apart from the job SAP_REORG_ABAPDUMPS?
    Thanks a lot.
    Desirée C.

    Hi kaushal, thanks for the reply.
    The problem is that, because of SOX audits, we cannot run this job every day, only every three months. We want to preserve the dumps generated in a period of time.
    What I want to know is whether there is an automatic SAP process that is erasing or eliminating them, because when I want to see the dumps from a month earlier in transaction ST22, they are no longer there.
    Thanks

  • "Use my Microsoft Windows user ID and password" is grayed out

    Hello Experts,
    I've disabled "SOX Auditing" option in Server Manager in BPC 5.1 SP03, but "Use my Microsoft Windows user ID and password" is still grayed out. The only option I unlocked is saving password.
    How do I enable Windows Authentication in BPC?
    Thanks in advance,
    Akim

    Enabling/Disabling SOX Compliance does not take effect until the 2nd time you go through the Connection Wizard.
    Your problem could also be within Internet Explorer.
    Go to:
    1.  Internet Explorer>Tools>Internet Options>Security Tab
    2.  Click on Local Intranet zone>Custom Level
    3.  Scroll down to User Authentication>Logon.  Ensure that Automatic Logon with Current UN and PW is checked.
    4.  Do the same for the Internet zone.
    Try on multiple machines.
    Also on the client machine, look at the value for BASICAUTHENTICATION in:
    hkeycurrentuser>software>vb and vba program settings>outlooksoft 5>latest

  • Role creation and modification report

    Hello everybody!
    The SOX Audit requested this information:
    A list from all roles, with creation and modifications date (not when a user is added, but when the role was changed).
    How can I find this? I tried SUIM / modification docs, but could not find it.
    Thanks in advance!

    Check this table AGR_DEFINE has the details, but you may need to write some kind of coding  or use function module  /ISDFPS/GET_AGR_DETAILS to pull the data. If I come across any standard report I'll pass on.
    rgds,
    asok

  • OS and DB Security patches and updates

    Dear Experts,
    We are going through SOX audits. Auditor is asking me about applied latest OS and Oracle patches to secure SAP systems from threats and attacks.
    I told them that we are running on Solaris 9 with Oracle 9.2.0.5
    and our servers are behind a CHECKPOINT firewall, and also we have never faced any security breaches or threats and are not facing any performance or efficiency problems in our system.
    However, they still persist me about critical security patches for Solaris and Oracle.
    Please tell me should I go for applying security patches of Solaris or Oracle if any. I am very worried about possible problems after applying of those security patches.
    Please guide me about this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5
    Best Regards
    Waqas Ahmad

    > I told them that we are running on Solaris 9 with Oracle 9.2.0.5
    First I would like to tell you that your current Oracle version is out of extended support (see SAP on Oracle and the notes the first chapter points to). To get actual (security) patches I would highly recommend upgrading to 10.2.0.4.
    > However, they still persist me about critical security patches for Solaris and Oracle.
    They do that because most of the "attacks" to server come from internal users, not from external.
    > Please guide me about this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5
    For the operating system I would use pca (Patch Check Advanced) - a free tool to download and install patches - works like a charm (http://www.par.univie.ac.at/solaris/pca/). It can be configured to only download and install security relevant patches.
    For Oracle you should install the latest patchset (for 9.2 it's 9.2.0.8 and all the necessary interim patches) and the critical patch updates. However, those CPUs may conflict with necessary other patches so you can either use CPU or the necessary interim patches.
    Check note 938986 - Oracle Database 9.2: Patches for 9.2.0
    Markus

  • OIM 11g SOA archive

    We recently discovered that approver information is only kept in soainfra tables and not in OIM request tables. For example, I use the following query to get the specific approver for a request:
    select
    req.request_id,
    usr.usr_login Beneficiary,
    wfassign.assignee,
    rbe.rbe_entity_name,
    req.request_model_name,
    wfprod.outcome,
    wfprod.username Approved_Rejected_By,
    req.request_creation_date,
    req.request_status
    from
    lab_oim.request req,lab_oim.request_approvals,lab_oim.request_beneficiary rb,lab_oim.request_beneficiary_entities rbe,
    lab_soainfra.wfproductivity_view wfprod,
    lab_soainfra.wfassignee wfassign, lab_oim.usr usr
    where
    usr.usr_key = rb.beneficiary_key
    and req.request_key = wfprod.identificationkey
    and wfprod.taskid = wfassign.taskid
    and req.request_key = rb.request_key
    and req.request_key = request_approvals.request_approvals_key(+)
    and req.request_key = rbe.rbe_request_key
    and req.request_creation_date >= to_date('02/11/2013 09:30:00','MM/dd/yyyy HH24:MI:SS')
    order by req.request_id
    We also need to archive this information but it appears that oim_request_archival only archives the OIM request tables and not anything from soainfra.
    Do we need to develop a custom archiving solution to include the soainfra tables?
    This seems to be a big hole in the archiving tool because SOX audits require information about the specific person who approved the request.

    Weblogic username and password

  • Restrict Table in SE16 Transaction Code

    Hi All,
    Can we restrict some standard tables (e.g. MARA, MSEG, MKPF) in the SE16 transaction code so that users cannot browse the restricted tables?
    A couple of days ago a SOX audit was carried out and they sent some conflicts. I am not able to make out what these statements, which I have mentioned below, mean.
    SE16_CHANGE (Change SAP tables)     
    SE16_CHANGE_CURRENCIES (Change currency table)
    SE16_CLIENT_TABLE (Change client table T000)          
    Thanks & Regards,
    Krushna

    Hello,
    You can restrict access to tables with authorisation object S_TABU_DIS.
    If a query accesses a certain table when it is run, the user needs display authorization for authorization object S_TABU_DIS. Field DICBERCLS must contain the table’s authorization groups.
    This authorization object protects all tables from unauthorized access. If you are accessing tables that are part of a logical database, authorization for data access can be set up using the logical database.
    This is the same authorization that you need in order to be able to display tables using either the Data Browser (transaction SE16) or the initial table maintenance screen (transaction SM31).
    Hope this helps.

  • Purpose of extracting the metadata after loading the metadata

    Hi Hyperion experts,
    After loading the metadata from a file, what is the reason to go for extracting it, and where will we use it?

    I keep the XML files around after every load for a variety of reasons :
    - Loading to other applications : I'll generally make changes in dev / test and move to production. I guess I could probably get LCM to do the moving around; however, we're not big users of it at this point. I just load the file into the next app. It's pretty easy to open the client and hit load metadata. ;)
    - Historical Records : Since I keep a copy of every 'major' load into the system, I can easily 'roll back' or tell you when a change was made as far back as I want.
    - SOX Audits : Part of our controls is to ensure that changes loaded to production are approved through our documentation process. Having the files allows them to confirm what changes were made when.
    - Point in Time comparisons : Pretty much just like the SOX Audit, I will periodically review two points in time to see what has changed. For instance, every year when I roll out our budget Smartview template, I compare the current metadata to the prior year to do a quick check to see what accounts have changed. Depending on what has changed during the last year, I may need to update my template accordingly, etc. [I use an XML differencing tool to do the comparisons]
    - Insurance : ' I'm not paranoid, I just know everyone is after me ' While I keep backups of my databases, etc, etc, I like having the file versions 'just in case'. If any of my other tools malfunction or I lose a backup, I can always grab my trusty files and reload.
