Introduction to SAP software system compliance audit

Disclaimer: This article represents only the views of the original author, is intended only for the application and learning of SAP software, and does not represent SAP. (Note: The screenshots shown in the text are from SAP software, and the corresponding copyright belongs to SAP.)

In this article we provide the necessary tips and practical suggestions to help you better understand the compliance process and the focus areas of an SAP system. The compliance audit of an SAP system mainly covers account permissions, system security, and system inspections, which are introduced in turn below.


1. General account permission control

The SAP system controls user account authority mainly through roles (ROLE) and profiles (PROFILE). The delivered profiles to pay particular attention to are the following:

1) SAP_ALL: all authorizations in SAP

2) SAP_NEW: authorizations for all newly delivered SAP objects

3) S_A.SYSTEM: SAP system administration authority

4) S_A.ADMIN: SAP system operation authority

5) S_A.DEVELOP: unrestricted development authority

6) S_A.USER: operation authority for all SAP business applications

7) S_A.CUSTOMIZ: all SAP background configuration (Customizing) authority

Keep the number of administrators and super users to a minimum, and avoid the control gaps that come from assigning the delivered profiles directly (copy them to new profiles and adjust the authorizations there instead). Classify accounts by administration, business and development authority, and do not mix authority roles and profiles across these classes, so that incompatible duties (SOD conflicts) are avoided.


2. Special user account check

During the implementation of the SAP system, accounts with special functions are used; once the system setup phase ends, they must be managed and handled properly. The main accounts are the following:

1) SAP*: the system initialization account; has all authorizations in the SAP system

2) DDIC: the account used for configuration during system initialization; has all authorizations in the SAP system

3) SAPCPIC: super account used for SAP system communication

4) EarlyWatch: super account used for SAP system analysis


3. SAP system security control

For the security level of the SAP system, it is recommended to follow general IT compliance management when choosing the settings. The main control points are as follows:

1) The SAP system administrator account, the database administrator account and the operating system administrator account should be set up independently, held by different people, and their administrative authority should be granted to different users.

2) The SAP system administrator account and the related system administrator accounts must have their passwords changed every 90 days. The password policy should be set to "letters + numbers, length greater than 8 characters", and the new password may not be the same as any of the previous five passwords.

3) End user accounts are locked automatically after 5 failed logins. The user must apply for unlocking through the authority or account application process.

4) Set a session timeout for end user accounts: if no operation is performed in the system for 20 minutes, the current session is terminated automatically.

5) Under normal circumstances, super accounts such as SAP* and DDIC should be frozen (locked), and the user names and passwords of such super accounts should be kept by a custodian.

6) Under normal circumstances, SAP_ALL, SAP_NEW and other profiles with extensive authority may not be assigned to any ordinary account. If such an authorization is required, the user must submit the compensating control record through the authority application process.
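The checks in sections 1 to 3 (no super profiles on ordinary accounts, the delivered special accounts locked, no mixing of management, business and development authority on one account) can be run automatically over a user/profile export. The following Python script is an added example and is not code from the original article or from SAP; the tab-separated export layout, the sample users and the profile-to-category mapping are assumptions constructed for this example, and only the profile and account names come from the article:

```python
"""Added example, not from the original article: an automated review of a user/profile
assignment list of the kind an administrator would export from SUIM for sections 1 to 3.
The export layout, the sample users and the profile-to-category mapping are constructed
for this example; the profile and account names are the ones the article lists."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Profiles that section 3 says may not be assigned to ordinary accounts.
SUPER_PROFILES = {"SAP_ALL", "SAP_NEW"}
# Delivered special accounts that sections 2 and 3 say should be locked after setup.
SPECIAL_ACCOUNTS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH"}
# Category per delivered profile for the SOD check in section 1 (management / business /
# development); counting S_A.CUSTOMIZ as management is an assumption of this example.
PROFILE_CATEGORY = {
    "S_A.SYSTEM": "management",
    "S_A.ADMIN": "management",
    "S_A.CUSTOMIZ": "management",
    "S_A.USER": "business",
    "S_A.DEVELOP": "development",
}


@dataclass
class UserRecord:
    user: str
    locked: bool
    profiles: Set[str]


def parse_export(text: str) -> List[UserRecord]:
    """Parse the constructed tab-separated layout: USER <TAB> LOCKED (X or blank) <TAB> PROFILE,PROFILE,..."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, locked, profiles = line.split("\t")
        records.append(UserRecord(
            user=user.strip().upper(),
            locked=locked.strip().upper() == "X",
            profiles={p.strip().upper() for p in profiles.split(",") if p.strip()},
        ))
    return records


def review(records: List[UserRecord]) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs for the three checks described in sections 1 to 3."""
    findings = []
    for r in records:
        if r.user in SPECIAL_ACCOUNTS:
            if not r.locked:
                findings.append((r.user, "special account is not locked"))
            continue  # delivered accounts keep their delivered profiles; only the lock state is checked
        held_super = r.profiles & SUPER_PROFILES
        if held_super:
            findings.append((r.user, "super profile on ordinary account: " + ", ".join(sorted(held_super))))
        categories = {PROFILE_CATEGORY[p] for p in r.profiles if p in PROFILE_CATEGORY}
        if len(categories) > 1:
            findings.append((r.user, "SOD conflict: " + "/".join(sorted(categories))))
    return findings


# Constructed sample export; not taken from a real system.
SAMPLE_EXPORT = "\n".join([
    "# USER\tLOCKED\tPROFILES",
    "SAP*\tX\tSAP_ALL,SAP_NEW",
    "DDIC\t\tSAP_ALL,SAP_NEW",          # still unlocked after go-live
    "SAPCPIC\tX\t",
    "EARLYWATCH\tX\t",
    "BASIS01\t\tS_A.SYSTEM,S_A.ADMIN",  # two management profiles: no conflict
    "FIUSER01\t\tS_A.USER",
    "DEV01\t\tS_A.DEVELOP,S_A.USER",    # development plus business: SOD conflict
    "TEMPADM\t\tSAP_ALL",               # ordinary account holding SAP_ALL
])


def run_review() -> List[Tuple[str, str]]:
    """Review the constructed sample and return its findings."""
    return review(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user}: {issue}")
```

The special accounts are deliberately excluded from the profile checks: SAP* and DDIC hold SAP_ALL by delivery, so the meaningful control for them is the lock state, while an ordinary account holding SAP_ALL is exactly the case section 3 says must go through the authority application process with a compensating control.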


4. SAP system application level control

The SAP system administrator regularly checks and sets the following parameters in RZ10 according to audit requirements or general IT compliance management:

1) login/min_password_letters

2) login/min_password_digits

3) login/min_password_lng

4) login/fails_to_user_lock

5) login/password_history_size

6) login/password_expiration_time


5. SAP system database level control

The SAP system administrator logs in to the database through HANA Studio to configure it; the configured parameters can be viewed through transaction code DB13. The path in DB13 for viewing the database password policy is: INIFILE PARAMETER LIST -> indexserver.ini -> password policy.

The parameters involved in the database password policy mainly include the following:

1) detailed_error_on_connect

2) force_first_password_change

3) last_used_passwords

4) maximum_invalid_connect_attempts

5) maximum_password_lifetime

...

X1) password_layout

X2) password_lock_for_system_user

X3) password_lock_time


6. SAP application operating system level control

This mainly covers the password policy of the operating systems of the SAP application server and the database server. The configuration parameters are in the operating system's /etc/login.defs file.
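The parameters of sections 3 to 6 (the RZ10 profile parameters, the HANA indexserver.ini password policy and /etc/login.defs) can be compared against the values the article states automatically. The following Python script is an added example, not code from the original article or from SAP; it assumes plain-text exports in the three formats shown in its constructed samples, and the expectations marked as assumptions in its baseline tables are not taken from the article:

```python
"""Added example, not from the original article: a baseline checker for the password-policy
parameters of sections 3 to 6.  It parses three export formats (all samples below are constructed):
an RZ10 instance profile (key = value), the HANA indexserver.ini [password policy] section
(INI file) and the operating system's /etc/login.defs (KEY VALUE).  Expected values follow
the article where it states one; the remaining expectations are assumptions."""
import re


def parse_key_value(text, sep="="):
    """Return {key: value} for 'key = value' lines, ignoring blanks and '#' / ';' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and sep in line and not line.startswith(";"):
            key, value = line.split(sep, 1)
            params[key.strip()] = value.strip()
    return params


def parse_ini_section(text, wanted):
    """Collect the lines of one [section] of an INI-style file and parse them as key = value."""
    section, body = None, []
    for raw in text.splitlines():
        m = re.match(r"^\[(.+)\]$", raw.strip())
        if m:
            section = m.group(1).strip().lower()
        elif section == wanted.lower():
            body.append(raw)
    return parse_key_value("\n".join(body))


def parse_login_defs(text):
    """login.defs uses 'KEY<whitespace>VALUE' rather than 'KEY = VALUE'."""
    pairs = (raw.split("#", 1)[0].split(None, 1) for raw in text.splitlines())
    return {k: v.strip() for k, v in (p for p in pairs if len(p) == 2)}


# Baseline entries: (parameter, predicate on the raw string value, expectation shown in findings)
SAP_PROFILE_BASELINE = [
    ("login/min_password_lng", lambda v: int(v) > 8, "> 8"),                   # article: length > 8
    ("login/min_password_letters", lambda v: int(v) >= 1, ">= 1"),             # article: letters + numbers
    ("login/min_password_digits", lambda v: int(v) >= 1, ">= 1"),
    ("login/fails_to_user_lock", lambda v: 1 <= int(v) <= 5, "1..5"),           # article: lock after 5 failures
    ("login/password_history_size", lambda v: int(v) >= 5, ">= 5"),            # article: previous five passwords
    ("login/password_expiration_time", lambda v: 1 <= int(v) <= 90, "1..90"),  # article: change every 90 days
]
HANA_PASSWORD_POLICY_BASELINE = [
    ("maximum_password_lifetime", lambda v: 1 <= int(v) <= 90, "1..90"),
    ("maximum_invalid_connect_attempts", lambda v: 1 <= int(v) <= 5, "1..5"),
    ("last_used_passwords", lambda v: int(v) >= 5, ">= 5"),
    ("force_first_password_change", lambda v: v.lower() == "true", "true"),    # assumption, not from the article
    ("detailed_error_on_connect", lambda v: v.lower() == "false", "false"),    # assumption, not from the article
]
LOGIN_DEFS_BASELINE = [
    ("PASS_MAX_DAYS", lambda v: 1 <= int(v) <= 90, "1..90"),
    ("PASS_MIN_LEN", lambda v: int(v) > 8, "> 8"),
]


def check(params, baseline):
    """Return [(parameter, actual or 'MISSING', expected)] for each baseline entry that fails."""
    findings = []
    for name, ok, expected in baseline:
        value = params.get(name)
        try:
            passed = value is not None and ok(value)
        except ValueError:  # a non-numeric value where a number is expected is a failure, not a crash
            passed = False
        if not passed:
            findings.append((name, "MISSING" if value is None else value, expected))
    return findings


SAMPLE_PROFILE = """# constructed RZ10 instance-profile excerpt
login/min_password_lng = 10
login/min_password_letters = 1
login/min_password_digits = 1
login/fails_to_user_lock = 5
login/password_history_size = 3
login/password_expiration_time = 90
"""
SAMPLE_INDEXSERVER_INI = """; constructed indexserver.ini excerpt
[other_section]
some_setting = 1
[password policy]
detailed_error_on_connect = false
force_first_password_change = true
last_used_passwords = 5
maximum_invalid_connect_attempts = 6
maximum_password_lifetime = 182
"""
SAMPLE_LOGIN_DEFS = """# constructed /etc/login.defs excerpt
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""


def run_audit():
    """Check the three constructed samples and return the findings per layer."""
    return {
        "sap_profile": check(parse_key_value(SAMPLE_PROFILE), SAP_PROFILE_BASELINE),
        "hana": check(parse_ini_section(SAMPLE_INDEXSERVER_INI, "password policy"),
                      HANA_PASSWORD_POLICY_BASELINE),
        "os": check(parse_login_defs(SAMPLE_LOGIN_DEFS), LOGIN_DEFS_BASELINE),
    }

if __name__ == "__main__":
    for layer, findings in run_audit().items():
        for name, actual, expected in findings:
            print(f"[{layer}] {name}: actual={actual}, expected {expected}")
```

A missing parameter is reported as a finding rather than silently passing, because a profile that never sets login/password_expiration_time falls back to the delivered default, which is not the value the audit asked for; the three layers are kept in one report so that a 90-day rule enforced in RZ10 but not in the database or in login.defs shows up as an inconsistency.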


7. SAP system development control

In the SAP PRD system, set all clients to the "production" client role so that program and configuration changes are not allowed (whether the settings are correct can be checked by executing OBR3; they are set by executing SCC4 and SE06). All changes across the DQP (development, quality, production) systems must be carried out through the transport mechanism of the DQP landscape, with STMS used to control the import of the related transport requests.


8. SAP system inspection strategy

SAP system administrators perform SAP system inspections regularly (once a day is recommended). The main inspection items are as follows:

1) Execute ST22, SM21, OY18, ST02, ST04 to check the operating status of the SAP system and review its daily operation.

2) Execute STAT to monitor users' operations within the last 48 hours, execute SM20 to obtain more detailed monitoring logs, and execute SUIM to monitor the operations of specific users.

3) The operation log of Basis can be queried through SM20. It is recommended to issue a list of Basis system operation reports regularly.


Origin blog.csdn.net/weixin_42137700/article/details/113975298