Recommended Settings for the Security Audit Log (SM19 / SM20)
I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).
Here's my proposal:
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
Filter settings in SM19:
1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
- You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
- Consider to add messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB BUC, BUH, AUP, AUQ
- If you maintain logical file names using transaction FILE (see note 1497003) than add messages CUQ, CUR, CUS, CUT
2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user 'SAP*' as well as all users account names starting with 'SAP', e.g. 'SAPSUPPORTx' because of rsau/user_selection = 1
To show log entries in for user 'SAP*' only, filter by 'SAP#*' in SM20 or use report RSAU_SELECT_EVENTS instead.
3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'
4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients. This user should not be used in dialog mode. It's only required for specific activities while applying support packages or while importing transports (however in this case you can use another background user as well).
5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).
6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).
7.-10. Filter: free for other project specific purpose
What settings are you using and why?
Active Global Support - Security Services
Frank Buchholz replied
I got a question about "How to track changes on the settings of the Security Audit Log" and as the answer grew and grew during analysis I decided to move away from this "discussion thread" to a "document" to become able to update parts of the text later.
Therefore let's move to this document: Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)