SOX Auditing on BPC 7.0
We are in the process of rolling out BPC 7.0 and have run into some SOX auditing issues. The team leveraging the software is not large enough to segment roles in order to fulfil the segregation of duties requirement. Because of this, it looks like we are going to have to use IT resources to push changes into production, in order to mitigate the finance team being able to make changes and also having the ability to move them to production.
All of this can be subverted if we can find a way to implement a robust logging mechanism. From what I have heard, BPC does not have the ability to track changes to logic files.
Does anyone know of a way to track logic changes?
How are other companies meeting SOX logging and segregation of duties requirements?
Are there any third-party tools that can handle SOX compliance for us?
Hi EWillie,
You should rather post your message in this forum:
SAP Planning and Consolidation, version for SAP NetWeaver
The GRC forum unfortunately does not deal with BPC.
Best,
Frank
Similar Messages
-
Print "Confidential" mark on all docs (required for SOX audit)
Hi All.
Problem: in order to comply with the Sarbanes-Oxley Act I need to implement the possibility to print a "Confidential" mark on any user-chosen document (on every page).
This was partially implemented by setting a footnote in the SAP printer driver. But this isn't usable all the time (especially with ALV lists).
There are 3 SAP notes:
895029 - Let MIC report output watermark
371854 - SAP Query: Printing in the SAP List Viewer (ALV)
756650 - Footer in the print dialog
But the first one is about the standard header. The second one looks like what I need, but it also does not cover all documents. The third is for future releases.
I found that there is special Sarbanes-Oxley Compliance Software for SAP ERP, and I wonder whether it also covers the print issue:
680615 - Installing SAP CM SOA Release 1.0
Best solution would be to have a checkbox, which user can check while printing confidential documents.
I do not believe that nobody has faced the same problem while preparing for a SOX audit. Is there a standard solution?
Thanks to all.
Message was edited by: Andrei Balashchanka
If someone is interested, here is SAP's reply to my problem:
"Setting a footline for printing in the ALV lists is not possible. However, as a workaround you are able to design the areas above and below the ALV output with various elements. In your business case (if I understood your business requirements correctly) you need to output a text/a mark at the top/at the bottom of every printed page -> in order to implement this you would have to implement handling for either the TOP_OF_PAGE or the END_OF_PAGE events, as in ALV the page headers and footers are events.
If ALV determines that there is a page break when generating the printout, the END_OF_PAGE or TOP_OF_PAGE event is triggered. ALV checks whether a design object is defined for this event and inserts it at the correct position, e.g. when you use the event print_end_of_page to output text with the WRITE statement during print output. The text is inserted at the end of each page. During print output, the ALV Grid Control goes to the list output of the classic ALV. In the print preview (classic ALV), the text for this event is not displayed. Demo program BCALV_GRID_01 in development class SLIS illustrates how the print_end_of_page is used. To allow output at the end of each page, you must reserve several lines for these pages. To do this, use field reservelns of a structure of type lvc_s_prnt and pass this structure with method set_table_for_first_display.
For an overview see also the documentation for the events of class CL_GUI_ALV_GRID." -
Controlling SIDADM access per SOX audit compliance
Hello....
We are going through our first SAP ERP implementation and have a few questions about the SIDADM user and audit. We are running the SAP system on a Windows server with an Oracle database. The SIDADM user is currently shared by the Basis team to maintain the SAP servers. The Basis team logs into the server using the SIDADM account to start/stop the SAP system, run command-line utilities (i.e. sappfpar or tp) when needed, and create/execute batch scripts for backups/exports/etc. However, since the password for this user is shared by the whole team, we are concerned about SOX audit compliance.
1. How do other customers in a Windows environment control the SIDADM account to satisfy audit requirements? Audit doesn't normally allow shared accounts on SAP servers. When someone directly logs into the SAP server with SIDADM, we can't trace who logged on and made changes to the system.
2. If the password for SIDADM is not shared by the basis team, how does the basis team maintain the SAP servers (i.e. start/stop instance)?
3. Can the SAP systems be maintained by individual users without using SIDADM? If so, how?
We are looking for recommendations on how to control the super users in the SAP environments (SIDADM, DB users, etc) to satisfy SOX audit requirements.
Thanks for all your help. Any recommendations will be appreciated.
Janet
For info:
SOX (Sarbanes Oxley Act, in particular Section 404) is a high level auditable requirement.
BASIS activities are lower down and are subject to some slack in the actual implementation of the interpretation.
The SAP administration (BASIS) area comes under its own audit(s) of particular variations, all of which are usually underneath SOX or another higher level requirement.
Regards
Ashley -
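One way to at least attribute use of a shared <sid>adm account on a Windows SAP host, added here as an example and not code from the thread: it reads Security event 4624 (successful logon) and reports where each logon of the account came from. The account name, lookback window and output file are placeholders; logon auditing must be enabled on the host and reading the Security log needs local administrator rights.

```powershell
# Added example, not code from the thread. Placeholders: the <sid>adm account name,
# the lookback window and the output file. Needs logon auditing enabled and local
# administrator rights to read the Security log.
param(
    [string]$AdminAccount = 'prdadm',   # placeholder for the real <sid>adm user
    [int]$Days = 30,
    [string]$OutFile = ".\$env:COMPUTERNAME-sidadm-logons.csv"
)

# Logon type codes as documented for event 4624.
$logonTypes = @{ 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
                 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
                 11 = 'CachedInteractive' }

function Get-SharedAccountLogons {
    param([string]$Account, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name; their positions differ between Windows versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { return }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $logonTypes[[int]$data['LogonType']]
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Process     = $data['ProcessName']
            LogonId     = $data['TargetLogonId']   # joins to later 4672/4688 events of the session
        }
    }
}

$logons = Get-SharedAccountLogons -Account $AdminAccount -Since (Get-Date).AddDays(-$Days)

# One shared account used from many origins is the finding the auditor will raise;
# the per-origin count shows how far the password has spread.
$logons | Group-Object Workstation, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$logons | Export-Csv $OutFile -NoTypeInformation
```

The LogonId column is what lets you tie a given session to the privileged-use (4672) and process-creation (4688) events that follow it, which is the evidence an auditor asks for when the account itself cannot identify a person.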
Hi Gurus
In our project a user is doing the admin job of BPC as well. He is the sole user. Now the auditor has objected to him maintaining the server and being a user at the same time. I am giving production support to BPC. Now I am supposed to make a SOX document and make a list of tasks which he should not do. Security/access is being maintained by me. Can someone give me some ideas or direction on this issue please?
Thanks
Satya
It is very specific to the client, so withdrawing.
-
Would someone be able to assist in setting this script up for a multi domain environment? Thank you.
# $loc is assumed to be set earlier to the folder holding list.txt
$computers = Get-Content $loc\list.txt;
function Get-AllSharePermissions
{
    param (
        [parameter(Mandatory=$true,ValueFromPipeline=$true)]
        [string]$computername
    )
    # Share-level security descriptors for every share on the target computer
    $ShareSec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -ComputerName $computername
    $myCol = @()
    foreach ($ShareS in $ShareSec)
    {
        $SecurityDescriptor = $ShareS.GetSecurityDescriptor()
        ForEach ($DACL in $SecurityDescriptor.Descriptor.DACL)
        {
            $myObj = "" | select Computername, Name, Domain, ID, AccessMask, AceType
            $myObj.Computername = $Computername
            $myObj.Name = $ShareS.Name
            $myObj.Domain = $DACL.Trustee.Domain
            $myObj.ID = $DACL.Trustee.Name
            # Translate the common access masks to names; anything else stays numeric
            Switch ($DACL.AccessMask)
            {
                2032127 {$AccessMask = "FullControl"}
                1179785 {$AccessMask = "Read"}
                1180063 {$AccessMask = "Read, Write"}
                1179817 {$AccessMask = "ReadAndExecute"}
                -1610612736 {$AccessMask = "ReadAndExecuteExtended"}
                1245631 {$AccessMask = "ReadAndExecute, Modify, Write"}
                1180095 {$AccessMask = "ReadAndExecute, Write"}
                268435456 {$AccessMask = "FullControl (Sub Only)"}
                default {$AccessMask = $DACL.AccessMask}
            }
            $myObj.AccessMask = $AccessMask
            Switch ($DACL.AceType)
            {
                0 {$AceType = "Allow"}
                1 {$AceType = "Deny"}
                2 {$AceType = "Audit"}
            }
            $myObj.AceType = $AceType
            Clear-Variable AccessMask -ErrorAction SilentlyContinue
            Clear-Variable AceType -ErrorAction SilentlyContinue
            $myCol += $myObj
        }
    }
    Return $myCol
}
foreach($computer in $computers) {$computer | Get-AllSharePermissions | Export-Csv "$loc\1.csv" -Append -NoTypeInformation -force}
This does seem to work now. Although, how can I sort the output as before:
$myObj = "" | select Computername, Name, Domain, ID, AccessMask, AceType
I recommend taking time to learn PowerShell before just blasting along with no idea.
Get-Content $loc\list.txt | Get-AllSharePermissions | select Computername, Name, Domain, ID, AccessMask, AceType | Export-Csv "$loc\1.csv" -Append -NoTypeInformation
¯\_(ツ)_/¯ -
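As an added example (not code from either poster), here is one way to run the same share-ACL audit across servers in several domains: one credential is cached per DNS domain, the access mask is decoded with the FileSystemRights enum instead of hard-coded numbers, and the rows are sorted before export. It assumes $loc\list.txt lists one server FQDN per line and that the folder path and output file name are placeholders.

```powershell
# Added example, not code from the thread. Assumptions: $loc is a working folder you
# choose, $loc\list.txt holds one server FQDN per line (srv01.corp.example ...), and
# the caller can read share security on each host. One credential is asked per domain.
$loc = 'C:\ShareAudit'
$servers = Get-Content "$loc\list.txt" | Where-Object { $_.Trim() -ne '' }
$aceTypeNames = @{ 0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit' }

# Cache one credential per DNS domain so the prompt appears once, not once per server.
$credByDomain = @{}
function Get-DomainCredential {
    param([string]$Fqdn)
    $domain = ($Fqdn -split '\.', 2)[1]
    if (-not $domain) { return $null }   # short name: use the current identity
    if (-not $credByDomain.ContainsKey($domain)) {
        $credByDomain[$domain] = Get-Credential -Message "Account for domain $domain"
    }
    return $credByDomain[$domain]
}

function Get-AllSharePermissions {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$ComputerName
    )
    process {   # a process block handles every piped computer, not only the last one
        $wmiArgs = @{ Class = 'Win32_LogicalShareSecuritySetting'
                      ComputerName = $ComputerName; ErrorAction = 'Stop' }
        # WMI refuses explicit credentials for the local machine, so skip them there.
        $cred = Get-DomainCredential -Fqdn $ComputerName
        if ($cred -and $ComputerName -notmatch "^($env:COMPUTERNAME|localhost)(\.|$)") {
            $wmiArgs.Credential = $cred
        }
        try { $shareSec = Get-WmiObject @wmiArgs }
        catch { Write-Warning "$ComputerName : $($_.Exception.Message)"; return }
        foreach ($share in $shareSec) {
            $sd = $share.GetSecurityDescriptor()
            if ($sd.ReturnValue -ne 0) {
                Write-Warning "$ComputerName\$($share.Name): security descriptor error $($sd.ReturnValue)"
                continue
            }
            foreach ($ace in $sd.Descriptor.DACL) {
                # Win32_ACE.AccessMask is an unsigned 32-bit value; reinterpret it as the
                # signed int the FileSystemRights enum uses, then let the enum name the bits.
                $mask = [long]$ace.AccessMask
                if ($mask -gt [int]::MaxValue) { $mask -= 0x100000000 }
                $rights = [System.Security.AccessControl.FileSystemRights]$mask
                [pscustomobject]@{
                    ComputerName = $ComputerName
                    Name         = $share.Name
                    Domain       = $ace.Trustee.Domain
                    ID           = $ace.Trustee.Name
                    SID          = $ace.Trustee.SIDString   # survives renames and deleted accounts
                    AccessMask   = $rights.ToString()        # e.g. "FullControl", "Read, Synchronize"
                    AceType      = $aceTypeNames[[int]$ace.AceType]
                }
            }
        }
    }
}

$servers | Get-AllSharePermissions |
    Sort-Object ComputerName, Name, AceType, Domain, ID |
    Export-Csv "$loc\share-acl.csv" -NoTypeInformation -Encoding UTF8
```

Unknown bit combinations come back as the raw number from the enum cast, so nothing is silently dropped from the report; the SID column is what lets you spot orphaned ACEs left behind by deleted accounts.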
Activating audit for Dimension Members in BPC 7.5 NW
Hi,
Is it possible to activate dimension member audit in BPC 7.5 NW? Meaning, can we trace changes to master data (dimension members) in BPC 7.5 NW?
Best regards
SSC
Hi,
The Activity Auditing tracks Administrative and User tasks at the Appset level.
This will be controlled by the Administrators to check whether activity auditing is enabled or not.
To enable this feature go to Administration for the Web, choose Manage Activity Audit, then choose one or both types of activities to audit.
Please check the help file for the same.
http://help.sap.com/saphelp_bpc75_nw/helpdata/en/a0/2d2e0ec3da472c82a3f0ff5a96d9ce/content.htm
Regards,
Raghu -
Hi,
I was enabling "Activity Auditing" in BPC 5.1, after which I gave the specs in Manage Data Audit.
When I clicked on the Save Audit Data Now link to run the synchronization process right away, it threw an error:
Run Error: There is insufficient disk space to complete operation. , Pkg=AuditLoader, File=D:\SAP BPC\Data\Webfolders\OLAMDEVELOP\SystemLibrary\Library\AuditLoader.dnt Microsoft Data Transformation Services (DTS) Package
Could you please let me know what needs to be done to solve this and see the audit trail, as I tried loading as little as one category just for Admin Activity and for just one task.
Thanks in anticipation.
Rgds,
Rizwan
Hi Sorin,
I checked the server size and it says 65 GB free space available!
I just don't know where exactly the space constraint is coming from, as I see a table created with the name of the database AuditActivity\detail\Budget.dbo in the application name\extra folder.
It's only that the table has no data, and it throws the space error.
It's just a 3-month-old server with a really minimal data load in it as of now (approx. 3 GB only).
Could you please help me with this, Sorin?
Thanks
Rizwan -
Hi all,
I am a starter in SAP.
If I, say, procure 10 user licenses and install the SAP package, can I create more than 10 user IDs? Will the system allow me to do it? If yes, how will SAP AG check it?
Also, can anyone tell me when SAP will conduct the audit in an implementation project? I have heard something like a 'SOX' audit. I am not even clear about the terminology used. Please give some inputs.
Thanks in advance,
Raj.
Hi,
As it follows the independent concept, an audit team can represent the internal organization or an external one.
Actually it is performed to identify and evaluate complex business and technology risks and related opportunities for internal control improvement, to reduce the risk and enhance the quality, assurance and security of information systems and business processes.
So the organization needs to perform it either by using its internal team, who are aware of the concept of the SOX standard, or the organization can give this job to an external unit to do the same.
Below is the link which shows the different types of SOX:
http://soxmadeeasy.com/SAP_Audit.html
Hope this will help you!
Thanks & Regards,
punit raval. -
Hello to all!
For reasons of SOX audits, in our production system we have the job SAP_REORG_ABAPDUMPS, which eliminates dumps generated in the system, scheduled to run every 3 months.
But we are realizing that there must be another process that eliminates the dumps without this job running.
The question is: is there an additional process in SAP that removes the dumps from time to time, apart from the job SAP_REORG_ABAPDUMPS?
Thanks a lot.
Desirée C.
Hi Kaushal, thanks for the reply.
The problem is that because of SOX audits we cannot run this job every day, only every three months. We want to preserve the dumps generated in a period of time.
What I want to know is whether there is an automatic SAP process that is erasing or eliminating them, because when I want to see the dumps from a month earlier in transaction ST22, they are no longer there.
Thanks -
"Use my Microsoft Windows user ID and password" is grayed out
Hello Experts,
I've disabled "SOX Auditing" option in Server Manager in BPC 5.1 SP03, but "Use my Microsoft Windows user ID and password" is still grayed out. The only option I unlocked is saving password.
How do I enable Windows Authentication in BPC?
Thanks in advance,
Akim
Enabling/Disabling SOX Compliance does not take effect until the 2nd time you go through the Connection Wizard.
Your problem could also be within Internet Explorer.
Go to:
1. Internet Explorer>Tools>Internet Options>Security Tab
2. Click on Local Intranet zone>Custom Level
3. Scroll down to User Authentication>Logon. Ensure that Automatic Logon with Current UN and PW is checked.
4. Do the same for the Internet zone.
Try on multiple machines.
Also on the client machine, look at the value for BASICAUTHENTICATION in:
hkeycurrentuser>software>vb and vba program settings>outlooksoft 5>latest -
Role creation and modification report
Hello everybody!
The SOX Audit requested this information:
A list from all roles, with creation and modifications date (not when a user is added, but when the role was changed).
How can I find this? I tried SUIM / modification docs, but could not find it.
Thanks in advance!
Check this: table AGR_DEFINE has the details, but you may need to write some kind of coding or use function module /ISDFPS/GET_AGR_DETAILS to pull the data. If I come across any standard report I'll pass it on.
rgds,
asok -
OS and DB Security patches and updates
Dear Experts,
We are going through SOX audits. Auditor is asking me about applied latest OS and Oracle patches to secure SAP systems from threats and attacks.
I told them that we are running on Solaris 9 with Oracle 9.2.0.5
and our servers are behind a CHECKPOINT firewall; also we have never faced any security breaches or threats, and are not facing any performance or efficiency problems in our system.
However, they still insist on critical security patches for Solaris and Oracle.
Please tell me whether I should apply security patches for Solaris or Oracle, if any. I am very worried about possible problems after applying those security patches.
Please guide me on this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5.
Best Regards
Waqas Ahmad
> I told them that we are running on Solaris 9 with Oracle 9.2.0.5
First I would like to tell you that your current Oracle version is out of extended support (see SAP on Oracle and the notes the first chapter points to). To get current (security) patches I would highly recommend upgrading to 10.2.0.4.
> However, they still insist on critical security patches for Solaris and Oracle.
They do that because most "attacks" on servers come from internal users, not from external ones.
> Please guide me on this issue and tell me about proven and trusted security patches for Solaris 9 and Oracle 9.2.0.5
For the operating system I would use pca (Patch Check Advanced), a free tool to download and install patches, which works like a charm (http://www.par.univie.ac.at/solaris/pca/). It can be configured to only download and install security-relevant patches.
For Oracle you should install the latest patchset (for 9.2 it's 9.2.0.8 and all the necessary interim patches) and the critical patch updates. However, those CPUs may conflict with other necessary patches, so you can use either the CPU or the necessary interim patches.
Check note 938986 - Oracle Database 9.2: Patches for 9.2.0
Markus -
We recently discovered that approver information is only kept in soainfra tables and not in OIM request tables. For example, I use the following query to get the specific approver for a request:
select
req.request_id,
usr.usr_login Beneficiary,
wfassign.assignee,
rbe.rbe_entity_name,
req.request_model_name,
wfprod.outcome,
wfprod.username Approved_Rejected_By,
req.request_creation_date,
req.request_status
from
lab_oim.request req,
lab_oim.request_approvals,
lab_oim.request_beneficiary rb,
lab_oim.request_beneficiary_entities rbe,
lab_soainfra.wfproductivity_view wfprod,
lab_soainfra.wfassignee wfassign,
lab_oim.usr usr
where
usr.usr_key = rb.beneficiary_key
and req.request_key = wfprod.identificationkey
and wfprod.taskid = wfassign.taskid
and req.request_key = rb.request_key
and req.request_key = request_approvals.request_approvals_key(+)
and req.request_key = rbe.rbe_request_key
and req.request_creation_date >= to_date('02/11/2013 09:30:00','MM/dd/yyyy HH24:MI:SS')
order by req.request_id
We also need to archive this information but it appears that oim_request_archival only archives the OIM request tables and not anything from soainfra.
Do we need to develop a custom archiving solution to include the soainfra tables?
This seems to be a big hole in the archiving tool, because SOX audits require information about the specific person who approved the request.
Weblogic username and password
-
Restrict Table in SE16 Transaction Code
Hi All,
Can we restrict some standard tables (e.g. MARA, MSEG, MKPF) in transaction SE16 so that they cannot browse the restricted tables?
A couple of days ago a SOX audit was carried out and they sent some conflicts. I am not able to make out what these statements, which I have mentioned below, are.
SE16_CHANGE (Change SAP tables)
SE16_CHANGE_CURRENCIES (Change currency table)
SE16_CLIENT_TABLE (Change client table T000)
Thanks & Regards,
Krushna
Hello,
You can restrict access to tables with authorisation object S_TABU_DIS.
If a query accesses a certain table when it is run, the user needs display authorization for authorization object S_TABU_DIS. Field DICBERCLS must contain the table's authorization group.
This authorization object protects all tables from unauthorized access. If you are accessing tables that are part of a logical database, authorization for data access can be set up using the logical database.
This is the same authorization that you need in order to be able to display tables using either the Data Browser (transaction SE16) or the initial table maintenance screen (transaction SM31).
Hope this helps. -
Purpose of extracting the metadata after loading the metadata
Hi Hyperion experts,
After loading the metadata from a file, what is the reason to go for extracting, and where will we use it?
I keep the XML files around after every load for a variety of reasons:
- Loading to other applications: I'll generally make changes in dev/test and move to production. I guess I could probably get LCM to do the moving around; however, we're not big users of it at this point. I just load the file into the next app. It's pretty easy to open the client and hit load metadata. ;)
- Historical Records : Since I keep a copy of every 'major' load into the system, I can easily 'roll back' or tell you when a change was made as far back as I want.
- SOX Audits : Part of our controls is to ensure that changes loaded to production are approved through our documentation process. Having the files allows them to confirm what changes were made when.
- Point in Time comparisons: Pretty much just like the SOX Audit, I will periodically review two points in time to see what has changed. For instance, every year when I roll out our budget Smartview template, I compare the current metadata to the prior year to do a quick check to see what accounts have changed. Depending on what has changed during the last year, I may need to update my template accordingly, etc. [I use an XML differencing tool to do the comparisons]
- Insurance : ' I'm not paranoid, I just know everyone is after me ' While I keep backups of my databases, etc, etc, I like having the file versions 'just in case'. If any of my other tools malfunction or I lose a backup, I can always grab my trusty files and reload.