SAP Audit Management for Default users

Written by Selva Kumar CISA CGAP SAP GRC Certified Security Plus in SAP Audit Management,SAP License Audit

SAP Audit Management Objectives for Default SAP users

Determine if users have properly secured system-provided (standard) SAP user  accounts and timely addressed other related critical security vulnerabilities identified

Determine if there has been unauthorized access to SAP through use of the standard user account “SAP*” or other standard accounts.

Determine if the company has an adequate security policy, procedures, and processes to ensure standard SAP user accounts and other accounts with unrestricted access are properly secured and monitored.

Assess the increased risk of fraud and abuse resulting from identified SAP security vulnerabilities.

SAP Audit Management risks

During the installation procedure, SAP systems create a set of standard user accounts including “SAP*,” which should be properly secured and protected from unauthorized use. SAP* has a well-known default password and may provide unrestricted system access.  One more standard user account known as “DDIC” may also provide unrestricted access and should also be properly secured. SAP systems security standards clearly address securing standard user accounts by methods including, but not limited to, changing passwords. Securing these accounts should be the top priority because their usernames and passwords are well-known and could be used by unauthorized users or hackers to access SAP systems. While certain standard user accounts are required for dedicated tasks such as initial system implementation, these accounts should be secured to prevent an unauthorized user from accessing the system.

If not secured. Specifically, the unsecured SAP* account granted access to:

  • Create the user in the System without approval and provide privileged access
  • View and modify sensitive and confidential data, including employee Social Security numbers, payroll records, and customer billing and credit information.
  • Execute high-risk business transactions, such as changes to employee salaries, Changes to rates, and changes to customer billing and credit information.
  • Create vendors and approve invoice payments.
  • Make Mass transaction which like changing payroll, material management to cause great damage to the system
  • Perform powerful basis transaction without approval
  • Modify key system settings, including opening and closing of accounting periods and other changes to financial system settings.

User Report RSUSR003 to identify the user Ids which are not locked

[vc_row css=”.vc_custom_1512575306373{margin-top: 50px !important;}”][vc_column width=”1/3″][vc_cta h2=”Free Step by Step SAP License Optimization Guide” shape=”square” add_button=”bottom” btn_title=”click here” btn_style=”flat” btn_color=”default” btn_i_icon_fontawesome=”stm-diamond” btn_css_animation=”left-to-right” css_animation=”left-to-right” btn_add_icon=”true” css=”.vc_custom_1512579904776{padding-top: 50px !important;padding-right: 35px !important;padding-bottom: 50px !important;padding-left: 35px !important;background-color: #3a80f1 !important;}” btn_link=”url:http%3A%2F%2Fexpressgrc.com%2Ffree-sap-license-optimization-guide%2F||” el_class=”c_action”]SAP Customer is liable to pay 70 Million additional SAP licensing fees as a result of what is broadly known as Indirect Access.[/vc_cta][/vc_column][vc_column width=”1/3″][vc_cta h2=”Free SAP GRC 10.0 Step by Step Guide” shape=”square” add_button=”bottom” btn_title=”download here” btn_style=”flat” btn_color=”default” btn_i_icon_fontawesome=”stm-diamond” btn_css_animation=”left-to-right” css_animation=”bottom-to-top” btn_add_icon=”true” css=”.vc_custom_1512579856805{padding-top: 50px !important;padding-right: 35px !important;padding-bottom: 50px !important;padding-left: 35px !important;background-color: #f1b500 !important;}” btn_link=”url:http%3A%2F%2Fexpressgrc.com%2Fsap-grc-10-1-step-step-guide%2F||” el_class=”c_action”]Are you fed up with being not able to get job? Tired of being disappointed in yourself, because you just can’t seem to get started in the career as SAP  GRC Consultant?[/vc_cta][/vc_column][vc_column width=”1/3″][vc_cta h2=”Financial Loss due to Fraud Risk” shape=”square” add_button=”bottom” btn_title=”click here” btn_style=”flat” btn_color=”default” btn_i_icon_fontawesome=”stm-diamond” btn_css_animation=”left-to-right” css_animation=”right-to-left” btn_add_icon=”true” css=”.vc_custom_1512579731433{padding-top: 50px !important;padding-right: 35px !important;padding-bottom: 50px !important;padding-left: 35px !important;background-color: #1d9e3f !important;}” btn_link=”url:http%3A%2F%2Fexpressgrc.com%2Ffree-sap-process-control-step-step-guide%2F||” el_class=”c_action”]Using the right kind of SAP Controls in the right way can be trans formative for any SAP System[/vc_cta][/vc_column][/vc_row]

Recent Posts

Terms and Conditions