Hi Kumar,
You can do all the following actions.
Recommendation Resp.
47. The parameter ‘rsau/enable’ should be set to one and appropriate audit profiles should be defined through transaction code SM19. BASIS
48. The parameter ‘Login/min_password_lng’ should be aligned with enterprise wide policy and should be set to ‘8’ characters. BASIS
49. The parameter ‘Login/password_expiration_time’ should be set to at least ’90’ days. BASIS
50. User account SAP* should be deactivated and a different super user should be defined by taking the following steps:
§ Assign a new trivial password to SAP*;
§ Delete all profiles from the SAP* profile list so that SAP* has no authorizations;
§ Lock the user account SAP*;
§ Assign SAP* to the user group SUPER to prevent easy deletion or modification of its user master record; and
§ Define a new user with the SAP_ALL profile to make it a super user. BASIS
51. The parameter ‘Login/failed_user_auto_unlock’ should be set to at least ‘0’. This implies that the locked user accounts can be unlocked only by the system administrator. BASIS
52. To evaluate the requirement for user accounts to have access to these transactions and the access should be revoked, if not required.
§ PFCG (Role Maintenance)
§ RZ10 (Maintain Profile Parameters)
§ SCC4 (Client Administration)
§ SE01 (Transport Organizer (Extended))
§ SE38 (ABAP Editor)
§ SM04 (User List)
§ SM30 (Call View Maintenance)
§ SM50 (Work Process Overview)
§ SU01 (User Maintenance) BASIS
53. revoke ‘SAP_ALL’ access from all additional users. Also, the management should formalize a periodic review process of all users defined on SAP to identify additional users and disable these user accounts. BASIS
54. review the users with SAP_NEW in their profile and restrict the number of users who have access to this critical profile BASIS
55. The configuration parameters for expiry of new/reset passwords should be configured appropriately in the production system as mentioned below:
login/password_max_new_valid (=< 30) login/password_max_reset_valid (=< 30) BASIS
57. Company code T001 should be defined as ‘productive’ BASIS
58. The management should identify critical data or master tables, which needs to be logged. The parameter ‘rec/client’ should be set to ‘ON’ to enable logging for important fields within these tables. BASIS
59. If the table auditing is enabled, images of the table before and after are logged; rather than just the changes. Therefore, TCB should identify the tables that are to be logged so as to arrive at an optimum and manageable log volume before using this as part of a control solution. The management should also constitute a periodic archiving process for these logs. BASIS
60. The parameter ‘Login/fails_to_user_lock’ should be set to at most ‘5’ invalid attempts BASIS
61. T001 should identify commonly used passwords and populate the table USR40. BASIS
62. The parameter ‘Rdisp/gui_logout’ should be set to ‘900’ seconds. BASIS
63. The default passwords for the standard user account should be changed.
User account SAPCPIC
§ User account SAP*
§ User account DDIC
§ User account EARLYWATCH BASIS
64. Client copier protection should be set to level ‘1: No overwriting’, to ensure that the production client cannot be overwritten by the client copy program. BASIS
65. review all customized tables and ensure that they have been assigned to appropriate authorization groups. BASIS
66. To identify all sensitive transactions in SAP and based on their usage, the transactions, which are not used on a regular basis, should be blocked using SM01. BASIS
67. The user creation and authorizations procedures should be modified to include reviewing the user authorization against the segregation of duties matrix to ensure that the users do not have any identified conflicts. If a conflicting combination of transactions is required due to business constraints, the same should be documented and approved by the management. Further, for such approved conflicts, mitigating detective controls should be developed. BASIS
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.