11-06-2014 2:59 PM
So we recently got an audit concern about users being able to access certain functions. However, I seem to be at a loss in trying to figure out how I would find out where these are set up to give access to the users. Maybe someone can point me in the right direction.
1. Perform maintenance of client dependent configuration tables
2. Access to change client settings (open/close client)
3. Access to make data dictionary object changes
Any help would be appreciated. Thanks!
11-06-2014 3:20 PM
11-06-2014 3:31 PM
The users who came up on the audit don't have access to either of those. Could it be something else?
11-06-2014 3:48 PM
Your auditor needs to tell you how they think that those folks are going to be able to change a DD object. My response would be that the only way that I know of to change that is using those transactions and that they are fully controlled. They don't just get to make up stuff as they go along. They have to have evidence to prove their assertions.
Neal
11-10-2014 10:17 AM
Hi,
Ask your auditors to provide their tests - they should be able to provide this, and don't take no for an answer.
Generally the tests for maintenance of config tables are SE16, SM30 or similar with S_TABU_DIS in change mode.
The same applies for change client protection settings but usually the check is specified against table auth group SS.
Different auditors have different levels of check, but these are the basic specs.
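
The basic test described in the last reply, written out as an added example that is not part of the thread: it lists users who hold SE16 or SM30 together with S_TABU_DIS in change mode (ACTVT 02), optionally restricted to table authorization group SS. It assumes role data exported as CSV from AGR_1251 and AGR_USERS; the role names, user names and rows are constructed, and only a trailing `*` is treated as a wildcard.

```python
import csv, io
from collections import defaultdict
TCODES = ("SE16", "SM30")  # table maintenance transactions named in the thread
# Constructed sample rows, shaped like AGR_1251 / AGR_USERS exports (FC01 is made up).
AGR_1251 = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_CFG,S_TCODE,T1,TCD,SM30,
Z_CFG,S_TABU_DIS,T2,ACTVT,02,
Z_CFG,S_TABU_DIS,T2,DICBERCLS,SS,
Z_DISP,S_TCODE,T1,TCD,SE11,SE17
Z_DISP,S_TABU_DIS,T2,ACTVT,03,
Z_DISP,S_TABU_DIS,T2,DICBERCLS,*,
Z_SPLIT,S_TABU_DIS,T2,ACTVT,02,
Z_SPLIT,S_TABU_DIS,T2,DICBERCLS,FC01,
Z_SPLIT,S_TABU_DIS,T3,ACTVT,03,
Z_SPLIT,S_TABU_DIS,T3,DICBERCLS,SS,
"""
AGR_USERS = """AGR_NAME,UNAME
Z_CFG,ALICE
Z_DISP,BOB
Z_DISP,CAROL
Z_SPLIT,CAROL
Z_SPLIT,DAVE
"""

def covers(low, high, wanted):
    """True if a value (LOW, LOW..HIGH range, or trailing *) covers wanted."""
    if high:
        return low <= wanted <= high
    return wanted.startswith(low[:-1]) if low.endswith("*") else low == wanted

def findings(agr_1251, agr_users, group=None):
    """Users with SE16/SM30 plus S_TABU_DIS ACTVT 02, optionally for one group."""
    rows = lambda text: csv.DictReader(io.StringIO(text))
    tcodes, inst = defaultdict(set), defaultdict(lambda: defaultdict(list))
    for r in rows(agr_1251):
        if r["OBJECT"] == "S_TCODE" and r["FIELD"] == "TCD":
            tcodes[r["AGR_NAME"]] |= {t for t in TCODES if covers(r["LOW"], r["HIGH"], t)}
        elif r["OBJECT"] == "S_TABU_DIS":  # keep fields grouped per authorization instance
            inst[r["AGR_NAME"], r["AUTH"]][r["FIELD"]].append((r["LOW"], r["HIGH"]))
    ok = lambda f, name, want: any(covers(lo, hi, want) for lo, hi in f[name])
    # ACTVT and DICBERCLS must match inside the same instance, not merely the same role
    change = {role for (role, _), f in inst.items()
              if ok(f, "ACTVT", "02") and (group is None or ok(f, "DICBERCLS", group))}
    user_tc, user_chg = defaultdict(set), set()
    for r in rows(agr_users):  # a user's authorizations are the union over assigned roles
        user_tc[r["UNAME"]] |= tcodes[r["AGR_NAME"]]
        if r["AGR_NAME"] in change:
            user_chg.add(r["UNAME"])
    return {u: sorted(user_tc[u]) for u in user_chg if user_tc[u]}
```

Calling `findings(AGR_1251, AGR_USERS)` gives the config-table test and `findings(AGR_1251, AGR_USERS, group="SS")` the client-settings test. Authorizations from directly assigned profiles do not appear in these two tables and would need a separate check.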