11-22-2006 5:08 PM
Hello gurus,
One of our few remaining open Internal Audit issues is the use of t-code SM01 to lock sensitive t-codes.
The main problem we have with this one is that we do not have any information on which t-codes are considered 'sensitive' enough to be locked, or what is considered best practice in this area.
I checked the SAP Notes website but there is no guidance there.
Which ones were considered to be sensitive, or do you have any guidelines or other information on which t-codes should be locked?
Thank you,
Ricky Orea
11-23-2006 2:46 AM
Hi Ricky,
I would discourage you from just obtaining a list and locking them. If it were as simple as this blanket approach, then the tcodes probably would be locked as a default!
I would suggest that you obtain this information from the Internal Controls Framework to determine the activities, and therefore the tcodes that are of a critical nature as you may find that due to other mitigating controls in place, you may not need to lock many, if any, at all. That is, the inherent risk may be high, but the residual risk may be low due to the control activities already in place according to the Internal Controls framework, such as roles that adequately restrict from executing the critical transactions.
The Internal Audit group is normally the custodians/owners of the Internal Controls documentation, so just ask them for it.
PS. 'Sensitive' normally relates to information that is of a sensitive nature (ie, risk of display) such as HR salary information. 'Critical' normally refers to tcodes that are able to perform an activity that may put the environment at risk (ie, risk of maintain) such as client administration.
11-24-2006 4:46 PM
11-25-2006 3:49 PM
Usually SE* codes are considered critical based on their functionalities, especially in the PRD system. SM* codes too can be considered critical because they give access to some critical tables where information about the operating procedure resides.
Sensitive could mean your custom codes that give access to pulling reports.
12-01-2006 5:55 AM
Hi Ricky,
Main info on the above can be obtained from Tcode SECR. A list of critical transactions / critical authorizations can be found there. But they are not specific to the business; they are generally recommended by SAP, and even auditors refer to them. Filter and review those which you require.
regards / Jayaraman Krishnamurthy
Intelligroup.
12-05-2006 8:38 PM
Hi Jayaraman,
Was just looking through this topic and you had mentioned looking at transaction code SECR. Would this be in BW because I'm getting a message saying this transaction does not exist!!
Jayashree
12-06-2006 9:49 AM
Hi Jayashree,
In BIW you may not find the tcode. Here auditing is role-based. Certain predefined roles exist which you need to use as templates and assign to the user master record (note 754273).
Ricky,
Critical transactions are many. From a technical point of view I would list some of them below:
SCC* transactions
Many of SE* transactions are critical.
SPRO
All basis transactions are critical if assigned to non technical users.
SLICENSE
SM49
SM59
and so on
regards / Jayaraman Krishnamurthy
Intelligroup.
12-07-2006 9:13 PM
Hi Ricky Orea,
The most sensitive t-codes people consider in SAP:
AL01 SAP alert monitor
AL02 Database alert monitor
AL03 Operating system alert monitor
AL04 Monitor call distribution
AL05 Monitor current workload
AL06 Performance: Upload/Download
AL07 EarlyWatch Report
AL08 Users logged on
AL09 Data for database expertise
AL10 Download to Early Watch
AL11 Display SAP Directories
AL12 Display table buffer (Exp. Session)
AL13 Display shared memory (Expert mode)
AL15 Customize SAPOSCOL destination
AL16 Local alert monitor for operating system
AL17 Remote alert monitor for operating system
AL19 Remote file system monitor
AL20 EarlyWatch data collector list
DB01 Analyze exclusive lockwaits
DB02 Analyze tables and indexes
DB03 Parameter changes in database
DB12 Overview of backup logs
DB14 Show SAPDBA action logs
OS01 LAN check with ping
OS02 Operating system configuration
OS03 O/S parameter changes
OS04 Local system configuration
OS05 Remote system configuration
OS06 Local operating system activity
OS07 Remote operating system activity
PFCG Profile Generator
RZ01 Job Scheduling Monitor
RZ02 Network graphics for SAP instances
RZ03 Presentation, Control SAP instances
RZ04 Maintain SAP instance
RZ08 SAP Alert Monitor
RZ10 Profile parameters
RZ11 Dynamic change of parameters
SCC4 Client creation
SCC5 Client deletion
SCC7 Post-Client Import Methods
SCC8 Client Export
SCC9 Remote Client Copy
SDBE Matchcode objects (test)
SE01 Old, replaced by Workbench Organizer
SE06 Used to set up and maintain the Workbench Organizer (Dictionary Access)
SE09 Enables the ABAP/4 Development Workbench
SE10 Customizing
SE11 ABAP/4 Data Dictionary Maintenance
SE12 ABAP/4 Data Dictionary Display
SE13 Maintain Technical Settings (Tables)
SE14 Utilities for Dictionary Tables
SE15 ABAP/4 Repository Information System
SE16 Data Browser
SE30 ABAP/4 Runtime Analysis
SE38 ABAP/4 Editor
SM02 System Messages
SM04 User Overview
SM12 Display and delete locks
SM13 Display update records
SM18 Reorganize Security Audit Log
SM19 Security Audit Configuration
SM20 Security Audit Log Assessment
SM21 System log
SM28 Installation check
SM37 Background job overview
SM39 Job analysis
SM50 Work Process Overview
SM51 List of SAP servers
SM52 Unix command line
SM56 Number Range Buffer
SM58 Asynchronous RFC Error log
SM59 RFC Destinations (Display/Maintain)
SM65 Background processing analysis tool
SM66 Systemwide work process overview
SMGW Gateway monitor
SMLG Maintain logon group
SP01 Output controller
ST01 System Trace (in file /usr/sap/<SID>/<Instance>/log/Trace000; contains a list including all authorization objects that were checked and their required values, for each entered transaction code)
ST02 Setups/Tune Buffers
ST03 Performance, SAP statistics, workload
ST04 Select activity of the databases
ST05 SQL Trace
ST06 Operating System Monitor
ST07 Application Monitor
ST08 Network Monitor
ST09 Network Alert Monitor
ST10 Table call statistics
ST11 Display developer traces
ST12 Application monitor
ST14 Application analysis
ST22 ABAP/4 Runtime Error Analysis
STAT Local transaction statistics
STUN Menu performance monitor
SU01 Maintain users
SU02 Allocate authorizations to a profile
SU03 Maintenance of Authorizations
SU10 Delete/add a profile for all users
SU12 Delete all users
SU24 Auth. Obj. Check Under Transactions
SU50 Maintain user defaults
SU53 Authorization Trace
TKOF Turn off oracle trace
TKON Turn off oracle trace
TKPR Display trace file
TU01 Call statistics
TU02 Parameter changes
Thanks,
Shyam
12-12-2006 4:19 AM
Be aware however, that many of the above transactions are business critical. That is, if you lock them, your production system will not be administered properly (eg, SU01 is used to maintain users. If you lock it, then you can't create users!). They may have a certain level of risk associated with these tcodes, but they shouldn't all be 'forbidden' to be used in a production system. If you follow fundamental role design (ie, ensure risks are appropriately mitigated), then the more 'risky' tcodes will only be assigned to the appropriate users, under the appropriate conditions, with the appropriate mitigating controls.
I maintain that you should consult the internal audit/compliance/internal controls team for their internal controls framework and from that you can extrapolate the transactions that should be locked (if any).
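As an added example (not code from anyone in this thread), the following Python script applies the approach argued above and the t-code list posted earlier: instead of locking every listed t-code with SM01, it reads a role-assignment export, reports critical t-codes held by users outside the technical team (the assignments to check for mitigating controls), and lists the critical t-codes nobody holds, which are the only ones SM01 can lock without breaking administration. The users, roles and the (user, role, tcode) export format are constructed assumptions standing in for an AGR_USERS/AGR_TCODES extract.

```python
import fnmatch
from collections import defaultdict

# Critical t-codes and prefixes named in this thread (SCC*, SE*, SPRO,
# SLICENSE, SM49, SM59, user administration, security audit log).
CRITICAL_PATTERNS = ["SCC*", "SE*", "SPRO", "SLICENSE", "SM49", "SM59",
                     "SM18", "SM19", "SU01", "SU10", "SU12", "PFCG"]

# Constructed stand-in for an AGR_USERS/AGR_TCODES export: (user, role, tcode).
# User and role names are made up for this example.
SAMPLE_ASSIGNMENTS = [
    ("BASIS01", "Z_BASIS_ADMIN", "SE38"),
    ("BASIS01", "Z_BASIS_ADMIN", "SM59"),
    ("BASIS01", "Z_BASIS_ADMIN", "SU01"),
    ("JSMITH",  "Z_AP_CLERK",    "FB60"),
    ("JSMITH",  "Z_AP_CLERK",    "SE16"),
    ("MJONES",  "Z_HR_REPORTS",  "SU01"),
    ("MJONES",  "Z_HR_REPORTS",  "SM18"),
    ("RORE",    "Z_FI_DISPLAY",  "FB03"),
]
TECHNICAL_USERS = {"BASIS01"}  # Basis team, expected to hold critical t-codes

def is_critical(tcode, patterns=CRITICAL_PATTERNS):
    """True if the t-code matches one of the critical names or prefixes."""
    return any(fnmatch.fnmatchcase(tcode.upper(), p) for p in patterns)

def exposure_report(assignments, technical_users, patterns=CRITICAL_PATTERNS):
    """Map non-technical user -> critical t-code -> roles granting it.
    These assignments are the ones to review for mitigating controls."""
    report = defaultdict(lambda: defaultdict(list))
    for user, role, tcode in assignments:
        if user not in technical_users and is_critical(tcode, patterns):
            report[user][tcode].append(role)
    return {user: dict(tcodes) for user, tcodes in report.items()}

def lock_candidates(assignments, critical_tcodes):
    """Critical t-codes no role grants: locking them in SM01 breaks nobody.
    Anything somebody holds (e.g. SU01 for the Basis team) is excluded."""
    held = {tcode for _, _, tcode in assignments}
    return sorted(t for t in critical_tcodes if t not in held)

if __name__ == "__main__":
    for user, tcodes in exposure_report(SAMPLE_ASSIGNMENTS, TECHNICAL_USERS).items():
        for tcode, roles in tcodes.items():
            print(f"REVIEW {user} holds {tcode} via {', '.join(roles)}")
    explicit = [p for p in CRITICAL_PATTERNS if "*" not in p]
    print("SM01 lock candidates:", lock_candidates(SAMPLE_ASSIGNMENTS, explicit))
```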