Oracle Audit : Direct Access

Former Member
0 Kudos

Hi all,

I would like to ask this question concerning auditing changes on Oracle Database and especially sensitive data. I have seen in SAP Notes that direct access to Oracle Database is not recommended or let's say illegal by SAP. But the question for me is:

1/ Is it technically possible? Is it possible to connect to the DB using a third client like sqldeveloper?

2/ If it's the case, is it (I insist) technically possible to alter data even with administrator users?

3/ Are changes auditable and how to check this?

We are running a SAP ECC 6.0 EHP5 on Oracle 11G.

Many thanks

Amin

Accepted Solutions (1)

Former Member
0 Kudos

Hi Amin,

Please find the answers for your query.

1/ Is it technically possible? Is it possible to connect to the DB using a third client like sqldeveloper?

Yes. It is possible. There are many third-party tools that can be used to fetch data from Oracle... provided your ODBC is configured correctly.

2/ If it's the case, is it (I insist) technically possible to alter data even with administrator users?

Yes. It is possible... There won't be any impact if we change the data also... But it is STRONGLY RECOMMENDED by SAP not to update the DB directly at DB level. Reasons could be many... One is we are not sure whether the changes also need to be cascaded to other tables as well. In simple terms, you can just connect to your SAP DB just to view the data, not to modify it without being 100% sure of the impact.


3/ Are changes auditable and how to check this?

All DB changes can be traced... DBA team will be able to help to find out a way for this... But I am sure there should be a way... If you change any data in SAP level, corresponding log table will also be updated with the changes.

I hope it helps.

Please check and provide your feedback.

Thanks and Regards,

Vimal


Former Member
0 Kudos

Hi Maria Joseph,

Thanks for the reply, very helpful, but I would like to go deeper into auditing changes on tables from an Oracle and/or SAP point of view.

From SAP, I have checked that auditing tables is activated (parm rec/client put to ALL) but I couldn't find what are the tables audited on the system; looking for a kind of transaction to display the tables that are being audited on the system.

Thanks in advance if you have ideas on those two points.

Amin

volker_borowski2
Active Contributor
0 Kudos

Go to SE11 -> Technical Settings

There is a protocol-flag

You can check for Table T000

BUT: This is NOT an auditing tool (in contradiction to what auditors think it is)

It is a helping hand to track customizing changes.

The changes go to table DBTABLOG and can be viewed with report RSTBHIST.

Once you have the first (bad) development consultant in house, who sets this flag for a highly frequented Z-Application table, DBTABLOG will be spammed soon and you will not be able to evaluate it at all.

If you want change documents for application tables, you need to program them(!).

Volker

Answers (2)

Former Member
0 Kudos

To limit access for administrative users one can use products such as Oracle Data Vault (extra $ for license) - see Oracle documentation or note https://service.sap.com/sap/support/notes/1355140

Auditing access - successful ones or not - on Oracle level is quite straightforward, if desired, and very powerful. Even without 3rd party tools you can achieve a lot with the audit syntax - see documentation at http://docs.oracle.com/cd/E11882_01/server.112/e26088/statements_4007.htm#i2059073 for example. As with any auditing, be very selective of what you want to enable, as auditing can cause overhead and too much data to go through is less likely to be actually of any real use.
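A selective setup with the Oracle 11g AUDIT syntax referenced in the post above, together with the dictionary views that answer "what is being audited" and "what was changed". This is an added example, not part of the original post; the schema owner `SAPSR3` is an assumption (substitute your own), and `T000` is used only because it is the table named elsewhere in this thread.

```sql
-- Added example. SAPSR3 is an assumed schema owner; T000 is the table named in the thread.

-- 1. Is the audit trail on, and are SYS / SYSDBA actions logged?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 2. Enable both if they are off. Both parameters are static, so the
--    change only takes effect after an instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;  -- EXTENDED also records SQL text
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 3. Be selective: audit DML on one sensitive table only,
--    writing one audit record per statement.
AUDIT INSERT, UPDATE, DELETE ON SAPSR3.T000 BY ACCESS;

-- 4. Record failed logons as well.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 5. Which objects and statements are currently audited?
SELECT owner, object_name, object_type, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'SAPSR3'
   AND object_name = 'T000';

SELECT user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts;

-- 6. Review the recorded changes. SAP work processes connect as the
--    schema owner too, so os_username / userhost / terminal are what
--    separate an application server from a desktop SQL client.
SELECT extended_timestamp, username, os_username, userhost, terminal,
       action_name, sql_text
  FROM dba_audit_trail
 WHERE owner = 'SAPSR3'
   AND obj_name = 'T000'
 ORDER BY extended_timestamp;

-- 7. Remove the object audit when it is no longer needed.
NOAUDIT INSERT, UPDATE, DELETE ON SAPSR3.T000;
```

Statements issued over a SYSDBA connection are not written to `DBA_AUDIT_TRAIL`; with `audit_sys_operations = TRUE` they go to operating-system files under `audit_file_dest`, which have to be reviewed and protected separately.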

volker_borowski2
Active Contributor
0 Kudos

Hi,

Answers are : YES, YES, and

YES, but useless when incomplete.

And "How to check this" is a brilliant question, which nobody can answer up to now.

Auditing the DBA can be done with Oracle Vault.

Well, at least you can do quite a couple of things.

But data can be stolen / changed by SAP-Admins as well.

You would not think what funny things you can do with TP and R3trans.

Auditing SAP-admins is even harder, as there are no tools for this, and all they do looks like application access first, because they use the schema owner.

Volker