Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

SAP Best Practices on assigning roles for Auditors

Former Member
0 Kudos

Dear Gurus,

We need to set up SAP roles for auditors in our system for SRM, ECC & BI.

Could you please suggest which roles should be granted to the auditors as a best practice to follow?

I will really appreciate your help.

Best Regards,

Valentino

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Valentino,

You can refer to the SAP composite role for auditors, SAP_AUDITOR (AIS - Audit Information System).

- Proceed by creating similar single roles/composite roles (starting with Z_* or Y_*) as within the composite role SAP_AUDITOR.

- Secondly, modify the activities within each individual role. Maintain the "display activities" (ACTVT = 03, 08) for each authorization object, wherever applicable and as far as possible. For the list of activities, you can refer to table TACT.

- Have these (Z* or Y*) single roles added to the composite role (suppose you create Z_SAP_AUDITOR).

- Now you can use this composite role to assign to the "Auditors" whenever required.
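The accepted answer describes a procedure but not how to verify the result. The script below is an added example for this thread, not code from the original post or from SAP: it checks that every active ACTVT value in a composite role and its single roles is display-only (03 or 08), expanding LOW..HIGH ranges and flagging wildcards, which is where "more than display" usually slips in. It works on rows in the shape of the role tables AGR_AGRS (composite to single role) and AGR_1251 (authorization field values), for instance as downloaded from SE16. The role names Z_SAP_AUDITOR / Z_AUD_*, the authorization objects chosen and all rows are constructed for the example.

```python
"""Check that an auditor composite role grants display-only activities.

Added example, not from the original thread or from SAP. Walks AGR_AGRS
(composite role -> single roles) and AGR_1251 (field values per single
role) and reports every active ACTVT value that is not 03 (Display) or
08 (Display change documents). All rows below are constructed samples.
"""

# Display activities named in the accepted answer (codes as listed in table TACT).
DISPLAY_ACTVT = frozenset({"03", "08"})

# Constructed sample of AGR_AGRS: (AGR_NAME = composite role, CHILD_AGR = single role).
AGR_AGRS = [
    ("Z_SAP_AUDITOR", "Z_AUD_FI_DISPLAY"),
    ("Z_SAP_AUDITOR", "Z_AUD_MM_DISPLAY"),
    ("Z_SAP_BASIS", "Z_BASIS_ADMIN"),  # a different composite, must be ignored
]

# Constructed sample of AGR_1251: (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED).
AGR_1251 = [
    ("Z_AUD_FI_DISPLAY", "F_BKPF_BUK", "ACTVT", "03", "", ""),
    ("Z_AUD_FI_DISPLAY", "F_BKPF_BUK", "BUKRS", "*", "", ""),     # not an ACTVT field
    ("Z_AUD_FI_DISPLAY", "S_TABU_DIS", "ACTVT", "03", "", ""),
    ("Z_AUD_FI_DISPLAY", "S_TABU_DIS", "ACTVT", "02", "", "X"),   # deleted row, inactive
    ("Z_AUD_MM_DISPLAY", "M_BEST_EKO", "ACTVT", "03", "08", ""),  # range: 04..07 slip in
    ("Z_AUD_MM_DISPLAY", "M_MATE_WRK", "ACTVT", "*", "", ""),     # wildcard: every activity
    ("Z_AUD_MM_DISPLAY", "S_DEVELOP", "ACTVT", "02", "", ""),     # change, not display
    ("Z_BASIS_ADMIN", "S_USER_GRP", "ACTVT", "01", "", ""),       # outside the composite
]


def actvt_values(low, high):
    """Expand one ACTVT row to the set of activity codes it grants.

    Returns None when the set cannot be bounded: a '*' pattern, or a
    LOW..HIGH range with non-numeric endpoints (TACT also holds codes
    such as 'A3', so only two-digit numeric ranges are expanded).
    """
    low, high = low.strip(), high.strip()
    if "*" in low or "*" in high:
        return None
    if not high:
        return {low}
    if low.isdigit() and high.isdigit() and len(low) == len(high) == 2:
        return {"%02d" % v for v in range(int(low), int(high) + 1)}
    return None


def single_roles_of(composite, agr_agrs):
    """Single roles contained in a composite role, per AGR_AGRS."""
    return sorted({child for parent, child in agr_agrs if parent == composite})


def audit_display_only(composite, agr_agrs, agr_1251):
    """Return (single_role, object, low, high, reason) for every active ACTVT
    authorization in the composite that grants more than display access."""
    members = set(single_roles_of(composite, agr_agrs))
    findings = []
    for agr_name, obj, field, low, high, deleted in agr_1251:
        if agr_name not in members or field != "ACTVT" or deleted == "X":
            continue
        granted = actvt_values(low, high)
        if granted is None:
            findings.append((agr_name, obj, low, high,
                             "unbounded: wildcard or non-numeric range"))
        elif not granted <= DISPLAY_ACTVT:
            extra = ",".join(sorted(granted - DISPLAY_ACTVT))
            findings.append((agr_name, obj, low, high, "non-display ACTVT " + extra))
    return findings


if __name__ == "__main__":
    for role, obj, low, high, reason in audit_display_only("Z_SAP_AUDITOR", AGR_AGRS, AGR_1251):
        print(f"{role:18} {obj:12} {low:>3}..{high:<3} {reason}")
```

Run against the sample, the check reports the 03..08 range, the wildcard and the S_DEVELOP change activity, and stays silent on the deleted row and on the role outside the composite. It only looks at ACTVT: a role with ACTVT = 03 on S_TABU_DIS but DICBERCLS = '*' still exposes every table group, and S_TCODE entries need their own review, so the organizational-level fields and the transaction list have to be walked through the same way before the composite is handed to an auditor.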

8 REPLIES

Lakshmipathi
Active Contributor
0 Kudos

Ideally, all display-related transactions would be given to auditors. But this will vary from client to client, due to the fact that they don't want to disclose all the data from SAP to auditors.

thanks

G. Lakshmipathi


Former Member
0 Kudos

What you grant them depends on what they need to perform their review work.

Ask them what functionality and data they need to be able to perform their audit. If they cannot provide a detailed list of requirements, then do not let them have access to your systems. This request is bread-and-butter for any auditor.

When they have provided a list, go through it and make sure you are happy with it. It may be that there are areas where a badged employee has to get the info; it depends very much on company policy, sensitivity of data, etc. I prefer not to work in that way, but sometimes you have to.

arpan_paik
Active Contributor
0 Kudos

Once I met an auditor at an SAP training. He told one story: he had asked for access to a system so he could go ahead with the system audit. The guy who gave him access tried to be nice to him and gave him SAP_ALL. The auditor said one word: DEAD. Anyway, it was a story and I could not stop myself from sharing it. As others have already said, it depends.

Regards,

Arpan Paik

Former Member
0 Kudos

For some time I have been thinking about an "open configuration project" to provide such roles, as what is to be found "in the wild" is terrible. The AIS is not all bad, but not a best practice in my books either, because the menus are divorced from S_TCODE and proposals are not used. They also don't work for SPRO display access.

"Open source projects" on the coding side are generally miles better than isolated programs which developers are ashamed of, so why not the same for roles?

SDN unfortunately does not offer a medium for version management of files, and .zip is not supported as an extension.

I will put something together in the wiki and find a workaround for the file management; if anyone else is interested, then we can improve them as we go along and make them available for free download.

I will contribute my own display roles, which I have been tuning over the years, to start off with.

Cheers,

Julius

0 Kudos

What about GitHub or another provider that offers a VCS service?

Cheers

0 Kudos

Hi Martin,

Thanks for your interest. I would be very happy to work with folks like you to slowly improve such roles as we find improvement possibilities for them, and all benefit from the joint knowledge and cool features which go into them. I have been filing away at a set of them for years now; they are not evil but still useful, and I give them to an auditor without being concerned as long as they can tell me approximately what they have been tasked to look into.

I then also show them the corresponding user menu of my role for these tasks and then leave them alone for a while...

Anyway... SAP told me that if we host the content on SDN for the collaboration and documentation of the changes to the files, then version management of the files can be hosted externally for downloading them (actually, SAP does not have an option, because their software does not support it...).

I would rather host them on my own site and add the link in the SDN wiki and a sticky forum post linking to it than use a generic download service, at least to start with. Via change management in the wiki, we can easily map this to version management of the files on a monthly periodic update cycle once there are enough changes to the wiki.

How about "Update Tuesday" as a maintenance cycle --> config updates each second Tuesday of the month... to remove authorizations to access backdoors which are more than "just display"...

Cheers,

Julius

0 Kudos

Hi,

I meant just using some kind of VCS such as GitHub for the files and keeping the rest, such as the wiki, here. I have heard some good feedback about GitHub, but all the users were developers, so maybe you don't get too many benefits from using git for files with SAP roles.

Cheers