Use of Role Based AIS for Technical System Auditing at DuPont
Chris Leeder, DuPont
Chris Carr, SAP
Session: 509
Introduction
• DuPont Company Overview
• DSAP Project Overview
• DSAP Architecture
• AIS Background
• Role Based AIS
• Benefits and Next Steps
The DuPont Company
Based in Wilmington, Delaware: operates in more than 70 countries
• 2002 Sales were $24 Billion
• Total Assets are $35 Billion
• 79,000 Employees, about half are outside of the United States
• 200+ years
• Consists of 5 business platforms
– Agriculture & Nutrition
– Coatings & Color Technology
– Electronic & Communication Technologies
– Performance Materials
– Safety & Protection
What is DSAP?
The organization put in place to successfully complete the SAP implementation and eventually support the application run activities.
DSAP Leverages ASAP
ASAP phases:
0 Discovery & Evaluation
1 Project Preparation
2 Business Blueprint
3 Realization
4 Final Preparation
5 Go Live & Support
Deliverables cycle within each phase: Prepare, Plan, Train, Kickoff, Execute, QC, Next Phase
Monitor progress against deliverables
DSAP Architecture
DSAP provides a Transactional Backbone for Business Growth
DuPont Confidential
DSAP Current and Future Core SAP R/3 Landscape
Home Cluster (SAP Version 4.0B): GD1, GB1, GP1, GDD, GB2, GD2
C Cluster (SAP Version 4.6C): CD1, CB1, CP1, CDD, CB2, CD2
Q Cluster (SAP Version 4.6C): QD1, QB1, QP1, QDD, QB2, QD2
T Cluster (SAP Version 4.6C): TD1, TB1, TP1, TDD, TB2, TD2
UDR
AIS Background
Created by an SAP user group for internal and external auditors. Auditing firms provided the initiative for creating audit-supporting tools for the R/3 environment.
• Arthur Andersen
• Bansbach Schübel Brösztl & Partner
• KPMG Deutsche Treuhand-Gesellschaft
• Price Waterhouse Coopers
• Ernst & Young Deutsche Allgemeine Treuhand AG
• Internal auditors from various companies
• SAP User Groups
AIS Overview
AIS is the Toolbox for . . .
Internal Auditors
External Auditors
System Auditors
Data Security Officers
AIS Overview
Audit guideline ---------- User group
Security guide ----------- SAP
System Audit (SAP): Audit IS, Development Audit IS, User/Security, System Admin
Business Audit (SAP): G/L IS, Customer IS, Vendor IS, Assets IS
BC940, AC900, BC680
AIS Overview
• Checklist for system audit
• Information retrieval using existing R/3 programs
• FAQ: Frequently asked questions
• Who is permitted to ...?
Why AIS ?
To ensure compliance with project standards created by DSAP for:
• System Administration
• Design and Configuration
• Security and Controls
• Monitor Progress against deliverables
Role Based AIS
The role based AIS ("Audit Information System") consists of several single end-user roles.
In order to work with the AIS, the auditor needs a user in the SAP System with the relevant single roles assigned to his user master record.
Note: The menu (transaction) roles do not carry authorization values. The authorization roles carry authorization values but no menu.
Role Based AIS
Until SAP Release 4.6C, AIS was realized using a menu technique (transaction SECR).
As of SAP Release 4.6, AIS is part of the SAP Standard System.
As of SAP Release 4.6C (Support Package SAPKH46C27), the technical implementation of AIS has been changed to a role-based maintenance environment (transaction PFCG). Additional development of AIS will only be carried out in this new environment.
Role Based AIS
To facilitate working with the AIS, the auditor needs a user in the SAP System. This user master record requires a wide range of display authorizations.
Several single roles have been defined for the AIS. These single roles are divided into two groups:
- Transaction roles (SAP_AUDITOR*)
- Authorization roles (SAP_CA_AUDITOR*)
Installation recommendation: SAP Note 451960
The authorization roles required for these menus are documented in PFCG (pull up the menu role and read the info in the Description tab).
Role Based AIS
AIS – Single roles
SAP_AUDITOR_ADMIN
SAP_AUDITOR_BA_ORGA
SAP_AUDITOR_BA_FI_GL
SAP_AUDITOR_BA_FI_AA
SAP_AUDITOR_BA_FI_AR
SAP_AUDITOR_BA_FI_AP
. . .
SAP_CA_AUDITOR_APPL_ADMIN
SAP_CA_AUDITOR_APPL
SAP_CA_AUDITOR_HR
SAP_CA_AUDITOR_SYSTEM
Copy / Modification (customer copies in the Y_ namespace)
Y_AUDITOR_BA_ORGA
Y_AUDITOR_BA_FI_GL
Y_AUDITOR_BA_FI_AR
Y_AUDITOR_BA_FI_AP
Y_CA_AUDITOR_SYSTEM
Role Based AIS - Data Collection
Data Collection Strategy using MS Excel:
The transaction roles contain a menu tree, from which the data collection XLS worksheets are derived. This menu occupies the leftmost column of the spreadsheet and is a copy of the AIS menu being executed in the SAP system.
Example: Run the menu item, report or transaction, check it against the Inputs column, then record the results in the Results/Observations column on the data collection worksheet.
Role Based AIS - Data Collection Worksheets
Worksheet columns:
AIS - System Audit Tree (System Audit): this column contains the AIS menu.
Inputs: this column defines what document and/or standards should be referenced.
Results/Observations: this column records the results of the AIS transaction or report against the documents or standards.
Owner/Action: this column assigns the action item to an owner.
Resolutions: this column records the resolution.

Top 10 Security Reports
RSPFPAR - Display profile parameters
  Inputs: Check against DuPont standard settings as defined in PP00776
  Results/Observations: Security parameters are set per DuPont standards; login/multi_login_users is not set; additional standards should be created and distributed to all DSAP systems.
  Owner/Action: Rod Grisin will review against DSAP documentation
  Resolutions: Update parameter settings in KP1 per DSAP documentation
SM20 - Security Audit Log Assessment
  Inputs: Check if the security audit log is active; if it is active, review the contents of the log and document findings
  Results/Observations: Security Audit Log is NOT active in KP1
  Owner/Action: Chris Leeder, Chris Carr and Reenie will discuss whether or not the audit log is necessary
  Resolutions: Activate audit log in KP1
RZ27_SECURITY - CCMS Security Alerts
  Inputs: Check if security alerts are active; if active, review the contents of the log and document findings
  Results/Observations: Security Alerts are NOT active in KP1
  Owner/Action: Chris Leeder, Chris Carr and Reenie will discuss whether or not the audit log is necessary
  Resolutions: Activate CCMS security alerts in KP1
SUIM - User Information System
  Inputs: Check SAP_ALL, SAP_NEW usage
  Results/Observations: SAP_ALL and SAP_NEW are still assigned to certain users (see SAP_ALL_KP1.rtf)
  Owner/Action: Chris Carr will work with the security team to have SAP_ALL and SAP_NEW removed from all users in KP1
  Resolutions: Remove profiles from all users in KP1
Role Based AIS- Supporting Documentation
Reference(s):
The following sources are used for reference:
1-DSAP- Documentation, and Position Papers
2-SAP Security Guide and Checklist
3-AIS System Audit Guide
4-SAP Online Service System (OSS)
Role Based AIS - Summary
Summary:
The auditor executes the transactions in the SAP-provided role based AIS menus and compares the findings with the standards defined in the Inputs field on the data collection spreadsheet.
Additional documents, such as the output list of a report or transaction, are saved on a network directory or in a Lotus Notes database.
Role Based AIS – Benefits
The use of role based AIS has provided benefits in the following areas:
• Standardized audit format
• Easy to create and maintain security access/privileges for audit team
• Shorter audit time frames with custom front end
• Ease of customization
• Preventative Maintenance
• Identify gaps across systems via the data collection worksheets
Role Based AIS – Benefits, cont.
Worksheet columns: AIS - System Audit Tree (System Audit) | Inputs | Results/Observations (KP1) | Results/Observations (CP1) | Results/Observations (TP1)

Trusted Systems
SMT1 - Trusted Systems (Display <-> Maint.)
  Inputs: An RFC client that is registered as a trusted system is able to access the RFC server without any password check
  KP1: No Errors (Position on Trusted Systems may be needed)
  CP1: No Errors (Position on Trusted Systems may be needed)
  TP1: No Errors (Position on Trusted Systems may be needed)
SMT2 - Trusting Systems (Display <-> Maint.)
  Inputs: An RFC client that is registered as a trusted system is able to access the RFC server without any password check
  KP1: No Errors (Position on Trusted Systems may be needed)
  CP1: No Errors (Position on Trusted Systems may be needed)
  TP1: No Errors (Position on Trusted Systems may be needed)
CPIC / SAP Gateway
SM54 - CPIC Destinations
  Inputs: Review CPIC destinations
  KP1: No Errors (Position on Gateway Use may be needed)
  CP1: No Errors (Position on Gateway Use may be needed)
  TP1: No Errors (Position on Gateway Use may be needed)
SMGW - Gateway Monitor
  Inputs: Review active connections
  KP1: No Errors (Position on Gateway Use may be needed)
  CP1: No Errors (Position on Gateway Use may be needed)
  TP1: No Errors (Position on Gateway Use may be needed)
RSGWLST - Accessible Gateways
  Inputs: Review accessible gateways
  KP1: Secinfo not active
  CP1: Secinfo not active
  TP1: Secinfo not active
S_ALR_87101250 - Parameters
  Inputs: Review gateway parameters
  KP1: Parameter gw/monitor set to 2: monitor commands from local and remote gateways are accepted
  CP1: Parameter gw/monitor set to 2: monitor commands from local and remote gateways are accepted
  TP1: Parameter gw/monitor set to 1: monitor commands from the local gateway only are accepted
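The profile-parameter checks on the data collection worksheet (RSPFPAR against the DSAP standard, the SM20 audit log, the RSGWLST secinfo finding, and the gateway parameters reviewed above) lend themselves to a script that reads one RSPFPAR-style listing per system, fills the Inputs and Results/Observations columns, and then lists the gaps between systems that the side-by-side KP1/CP1/TP1 columns are meant to expose. The following Python is an added example, not code from the DuPont/SAP presentation. The parameter dumps are constructed in the two-column layout of an RSPFPAR listing: the gw/monitor and secinfo values mirror the KP1/CP1/TP1 findings above, while the login/* and rsau/enable values are made up for the example. The baseline thresholds are hypothetical stand-ins for the DSAP standard (the worksheet cites document PP00776 but does not reproduce its values).

```python
"""Check SAP profile parameters from RSPFPAR-style dumps against an audit
baseline and report cross-system gaps (added example; dumps and baseline
values are constructed/hypothetical, see comments)."""

# Constructed dumps in the layout of RSPFPAR output (parameter name, value).
# gw/monitor and gw/sec_info mirror the KP1/CP1/TP1 worksheet findings;
# the login/* and rsau/enable values are made up for this example.
RSPFPAR_DUMPS = {
    "KP1": """
login/min_password_lng          3
login/fails_to_user_lock        12
login/disable_multi_gui_login   0
rsau/enable                     0
gw/sec_info
gw/monitor                      2
""",
    "CP1": """
login/min_password_lng          6
login/fails_to_user_lock        5
login/disable_multi_gui_login   1
rsau/enable                     1
gw/sec_info
gw/monitor                      2
""",
    "TP1": """
login/min_password_lng          6
login/fails_to_user_lock        5
login/disable_multi_gui_login   1
rsau/enable                     1
gw/sec_info
gw/monitor                      1
""",
}

# Hypothetical baseline standing in for the DSAP standard (PP00776 values are
# not on the page). Maps parameter -> (predicate on value string, Inputs text).
BASELINE = {
    "login/min_password_lng": (lambda v: int(v) >= 6, ">= 6"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "<= 5"),
    "login/disable_multi_gui_login": (lambda v: v == "1", "= 1 (multiple GUI logins disabled)"),
    "rsau/enable": (lambda v: v == "1", "= 1 (Security Audit Log active; review with SM20)"),
    "gw/sec_info": (lambda v: v != "", "set (gateway secinfo active; review with RSGWLST)"),
    "gw/monitor": (lambda v: v in ("0", "1"), "0 or 1 (no monitor commands from remote gateways)"),
}


def parse_rspfpar(text):
    """Parse a two-column RSPFPAR listing into {parameter: value}.
    A parameter listed without a value (gw/sec_info above) is stored as ""
    so 'present but empty' can be told apart from 'absent'."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def check_system(sid, dump):
    """Return one worksheet row per baseline parameter for system `sid`."""
    params = parse_rspfpar(dump)
    rows = []
    for name, (meets_standard, standard) in BASELINE.items():
        value = params.get(name)
        if value is None:
            passed, observation = False, "parameter absent from profile"
        else:
            try:
                passed = meets_standard(value)
            except ValueError:  # non-numeric value where a number was expected
                passed = False
            observation = f"value {value!r} {'meets' if passed else 'DEVIATES from'} standard"
        rows.append({"system": sid, "parameter": name, "inputs": standard,
                     "observation": observation, "passed": passed})
    return rows


def failed_parameters(sid, dump):
    """The set of baseline parameters that system `sid` fails."""
    return {r["parameter"] for r in check_system(sid, dump) if not r["passed"]}


def cross_system_gaps(dumps):
    """Parameters whose value differs between systems: the gap across systems
    that the side-by-side worksheet columns expose. Absent parameters count
    as a distinct value so an unset parameter on one system is also a gap."""
    parsed = {sid: parse_rspfpar(text) for sid, text in dumps.items()}
    names = sorted(set().union(*(p.keys() for p in parsed.values())))
    gaps = {}
    for name in names:
        values = {sid: parsed[sid].get(name, "<absent>") for sid in parsed}
        if len(set(values.values())) > 1:
            gaps[name] = values
    return gaps


if __name__ == "__main__":
    for sid, dump in RSPFPAR_DUMPS.items():
        print(f"--- {sid} ---")
        for row in check_system(sid, dump):
            flag = "OK" if row["passed"] else "XX"
            print(f"{flag} {row['parameter']:30} Inputs: {row['inputs']:48} {row['observation']}")
    print("--- cross-system gaps ---")
    for name, values in cross_system_gaps(RSPFPAR_DUMPS).items():
        print(f"{name:30} " + "  ".join(f"{s}={v}" for s, v in values.items()))
```

Run stand-alone, the script prints one worksheet block per system and then the parameters on which KP1, CP1 and TP1 disagree (gw/monitor and the made-up login/rsau values); gw/sec_info is empty on all three, so it fails the baseline everywhere but is not a cross-system gap. Replacing the constructed dumps with real RSPFPAR output and the hypothetical predicates with the values from the DSAP standard is the only change needed to use it on a live landscape.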
Role Based AIS – Next Steps
The repository auditor role will be used to review compliance with DSAP standards for development and maintenance of technical objects.
The repository audit will focus on the following areas:
• Table Authorization Groups
• Table logging for critical tables
• Changes to Repository Objects
• Repairs
Role Based AIS – Next Steps
The Users and Authorizations auditor role will be used to review compliance with DSAP standards for development and maintenance of SAP users and security objects.
The User and Authorization audit will focus on the following areas:
• Users and Authorizations
• Role Administration
• Central User Administration
• Security Profile Parameters
Role Based AIS – Next Steps
Data Collection Worksheets in Lotus Notes:
• Shared Access to Audit Findings
• Links to Supporting Documentation
• Workflow
• Permanent record of audit results
• “Real time AIS”
• Collaboration
Role Based AIS - Next Steps
Audit guideline ---------- User group
Security guide ----------- SAP
System Audit (SAP): Audit IS, Development IS / Audit IS, User IS
Business Audit (SAP): G/L IS, Customer IS, Vendor IS, Assets IS
BC940, AC900, BC680