on 04-28-2009 10:30 AM
Hello Team,
We have implemented and testing the fuctionality of Virsa FF Super user
Mgmt.
We have few questions regarding Virsa FF logs,
As we understand all changes are logged by FF. But this is not the
case. Please find the few case by case
1. Client modifications
Case 1. I run SCC4 to open system for customizing, then SPRO for
customizing and SCC4 to close client.
Case 2. I run SCC4 to open system for customizing, then SPRO for
customizing and forget to run SCC4 again to close client.
In both cases FF log will show the same information, because changes to
client status are not logged by FF and sequence of activities is not
reflected.
2. Table entries
We understood that all table entries are logged and it is one of the
strongest advantage of FF.
I can change bank account of vendor few different ways:
- Transaction XK01, which will seen in FF log
- Transaction XK99 through batch input, which according your answer
(point B.3.b) won't be capture in FF log.
- Transaction SE16N through direct modification of table, which won't
be captured by FF log.
3. "TRX logged"
I'm under impression that certain items in certain conditions are not
capture by log. We must know full logic and all exceptions. Could you
elaborate why mass updates in background are not capture, especially
all those information are CDHDR table, as per my understading is one of
the source of FF log.
(It is nothing about background processing. Instead of running specific
transaction like SU01, I ran program, which is behind it and change
password, lock/unlock user. It generate entry in CDHDR table, but FF
log has not pick up those activity. )
4.Other findings
There is a chanceof risk to accept compensating control (from the
understanding) in the super user management area. This compensating
control is generating heavy workload, because as per current situation
someone has to review about 150 firefighter assignments per month and
reconcile with SD4 (Internal change management process). It is monthly
effort.
SoD must be enforced by user exit. SAP_ALL or any specific
authorizations should not grant access rights to assign to one user id
all those functions. Last year, we had cases of "firefighters"
assigning SAP_ALL to the regular users.
- FF logging functionality is not sufficient.
- FF does not provide sufficient segregation of duties in super user
management.
Similar logs (FF logs) we getting from other reports in SAP like SM20,
SUIM,SM37 etc. In such case please help me to understand the value
additions that we are getting through VIRSA FF Super user Mgmt.
As per the analysis, these issues are still an open point. and SAP looking as an enhancement points.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
94 | |
11 | |
11 | |
6 | |
6 | |
4 | |
4 | |
3 | |
3 | |
3 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.