SUIM - Change Documents modification

Former Member
0 Kudos

Hello, in SAP 4.7 - Can a user with SAP_ALL delete a record in the SUIM change documents? For example a password change record on an Unlocked or Valid From record? Thank you!

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Yes, a person with SAP_ALL can delete Change Document history, and cover his tracks too.

Do you need information about the steps on how to do it?

Or do you need to check who has deleted those?

Thanks,

Prasant K Paichha

8 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

I think theoretically a user with SAP_ALL will have the ability to edit logs but it would have to be a very skilled person to cover his tracks. Why are you asking this?

Former Member
0 Kudos

I know that this is possible in R/2 and 7.02 as well... unless you have modified SAP_ALL and shut down the database - then it is more difficult.

Take a look in SU01 at the menu Environment --> Archive. The SU_USER profile for object S_ARCHIVE is what you are looking for (which is a lot less than SAP_ALL, but still sufficient).

Cheers,

Julius

0 Kudos

Thanks very much everyone!

I am performing a BASIS audit of an SAP 4.7 environment. There are 5 BASIS admins who each have "Special IDs" with SAP_ALL. Each BASIS member has access to SU01 and is unlocking their IDs on a regular basis. Since they do not retain transactional history after the system is recycled, I want to know if they are doing anything fishy.

> Do you need information about the steps on how to do it?

> Or do you need to check who has deleted those?

I would appreciate any info.

0 Kudos

> Since they do not retain transactional history after the system is recycled

What does this mean?

It sounds like you have some "emergency user" procedure in place (good idea) and are relying on STAD to "log" the user for reporting (less good idea...).

You are using STAD for a purpose it was not really designed for - so you don't need to be surprised.

The SM19 log is the correct tool. Activate the generic ID profile and log the 5 user IDs that way. At the application layer, the logs cannot be deleted if they are younger than 3 days, and when they are - then a syslog message is written.

Those admins will likely have access to the OS file system and the DB anyway, so I would recommend a completely different approach.

=> Systematically look for an inconsistency.

> Each BASIS member has access to SU01 and is unlocking their ID's on a regular basis.

Also, whatever you have done or what the basis folks are doing is not really "living" the concept of an emergency user. If you have an emergency almost everyday then you might want to ask yourself whether the concept has addressed the risk it set out to.

Here again, the SM19 log is the correct tool, combined with checking some other basis and application tables - to be able to sample the use and compare it to what was the intended justification for accessing the emergency user.

If you monitor it and report on its use, then it will often correct itself. You will also get feedback (and some complaints...) to be able to improve the process.

The best emergency user solutions in my opinion are those which only add the "delta access". This forces the admin to request the correct authorizations for their normal day to day activities, and if they pull the emergency user on its own (e.g. SU01 access) then it cannot do anything. You have to pass through the code which requests both access at the same time.

Cheers,

Julius
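The "systematically look for an inconsistency" approach from the reply above, as an added example that is not from this thread: reconcile an audit-log extract of emergency-user unlocks against the change documents that survive, and report mismatches in both directions. The two extracts, their field names and the user IDs are constructed for illustration; real SM19/SM20 and change-document exports differ by release.

```python
from datetime import datetime, timedelta

# Constructed sample extracts (not real system data). Field names are assumed
# for illustration only.
AUDIT_EVENTS = [  # what the security audit log says the emergency users did
    {"user": "FF_BASIS1", "time": "2010-03-01 08:05:10", "event": "user unlocked", "target": "BASIS1"},
    {"user": "FF_BASIS2", "time": "2010-03-01 09:12:41", "event": "user unlocked", "target": "BASIS2"},
    {"user": "FF_BASIS3", "time": "2010-03-02 07:55:02", "event": "user unlocked", "target": "BASIS3"},
]
CHANGE_DOCS = [  # what still exists in the change-document tables (lock flag changes)
    {"changed_by": "FF_BASIS1", "time": "2010-03-01 08:05:11", "object": "BASIS1", "field": "UFLAG"},
    {"changed_by": "FF_BASIS3", "time": "2010-03-02 07:55:03", "object": "BASIS3", "field": "UFLAG"},
    {"changed_by": "FF_BASIS4", "time": "2010-03-02 18:30:00", "object": "BASIS4", "field": "UFLAG"},
]
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def reconcile(audit_events, change_docs, window_seconds=60):
    """Pair each audit-log event with one change document by acting user,
    target object and a time window. Returns (unmatched_events, unmatched_docs):
    logged actions with no surviving change document (candidate deletions, or a
    logging gap) and change documents with no audit-log counterpart (activity
    outside the monitored IDs, or an audit-log gap)."""
    window = timedelta(seconds=window_seconds)
    remaining = list(change_docs)
    unmatched_events = []
    for ev in audit_events:
        ev_time = datetime.strptime(ev["time"], TIME_FMT)
        match = None
        for doc in remaining:
            doc_time = datetime.strptime(doc["time"], TIME_FMT)
            if (doc["changed_by"] == ev["user"] and doc["object"] == ev["target"]
                    and abs(doc_time - ev_time) <= window):
                match = doc
                break
        if match is None:
            unmatched_events.append(ev)
        else:
            remaining.remove(match)  # each document explains at most one event
    return unmatched_events, remaining


if __name__ == "__main__":
    missing_docs, orphan_docs = reconcile(AUDIT_EVENTS, CHANGE_DOCS)
    for ev in missing_docs:
        print("audit log event with no change document:", ev)
    for doc in orphan_docs:
        print("change document with no audit log event:", doc)
```

A deleted change document leaves no marker in the table itself, so it is the independent record (the SM19 log, or the archive log via ARCH_PROT if archiving is used) that gives a missing entry its meaning.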

0 Kudos

How can I tell if someone has deleted a change doc record? Thanks!

0 Kudos

If they were archived and you are relying on that, then via the archive log: Transaction ARCH_PROT.

Cheers,

Julius

0 Kudos

Check in the table CDHDR.

Regards,

Dipanjan