Mitigate the SAP IT Audit Risk in Custom Objects

By Selva Kumar On January 23, 2012 Under Computers

The SAP system helps automate a company's business processes and improves the productivity of its employees. The SAP system contains many tables and programs, which are required to manipulate the data in the system. While implementing the SAP system, customers have the option of creating their own tables and programs. The names of these tables and programs have to start with Z or Y. These are called custom development objects.

What is the SAP IT Audit Risk with development objects?

The only way to display data in these custom programs is with transaction SE38/SA38 (Program Execution), and the only way to display data in custom tables is with transactions SE11, SE16, SE17 and SE16N. But once you assign these transactions to a user, the user is free to look at any table unless there are object restrictions. Typically, at most clients, end users interact with only a handful of custom objects. So it is like giving the user access to the entire public library when he needs just a few books.

The custom objects created in the system may hold sensitive data or may just display data. Either way, these objects have to be properly secured. To secure custom objects, the following process has to be followed:

Create the custom programs or tables with a proper naming convention. For example, if the object belongs to the finance team and the accounts payable sub-team, the object name should include abbreviations of the finance team and the accounts payable sub-team.

Assign the custom object to an authorization group that indicates its functional team, sub-team and the sensitivity of the data contained in the custom object.

For custom programs, also include an authority check statement in the program so that access to the data can be further restricted.

Now update the SU24 settings for the transactions with the authorization objects found in your trace.
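The authorization group and authority check steps above, sketched as a custom report. This is an added example, not code from the original article. The report name ZFI_AP_NOTES_DISPLAY, the table ZFI_AP_VENDNOTE with its fields, and the authorization group ZFAP are hypothetical; the standard authorization objects S_TABU_DIS and F_BKPF_BUK are chosen here for illustration.

```abap
REPORT zfi_ap_notes_display.
* Added example. Hypothetical names: report ZFI_AP_NOTES_DISPLAY,
* custom table ZFI_AP_VENDNOTE (fields BUKRS, LIFNR, NOTE_TEXT) and
* authorization group ZFAP (finance / accounts payable).

CONSTANTS gc_auth_group TYPE c LENGTH 4 VALUE 'ZFAP'.

* Mandatory company code keeps the selection from being wide open.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

DATA: gt_notes TYPE STANDARD TABLE OF zfi_ap_vendnote,
      gs_note  TYPE zfi_ap_vendnote.

START-OF-SELECTION.
* Check 1: may the user display tables in authorization group ZFAP?
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD gc_auth_group
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for table group ZFAP'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Check 2: restrict the data further to the requested company code.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    MESSAGE 'No display authorization for this company code'
      TYPE 'S' DISPLAY LIKE 'E'.
    RETURN.
  ENDIF.

* Both checks passed: read only the rows the user asked for.
  SELECT * FROM zfi_ap_vendnote
    INTO TABLE gt_notes
    WHERE bukrs = p_bukrs.

  LOOP AT gt_notes INTO gs_note.
    WRITE: / gs_note-bukrs, gs_note-lifnr, gs_note-note_text.
  ENDLOOP.
```

When the report is given its own transaction, the two authorization objects checked here are the ones an authorization trace would show and the ones to maintain in SU24 for that transaction.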

Since the custom objects are assigned transactions, the training and testing can be focused on the transaction.

Assigning data browser and program execution transactions to the user will cause performance issues, as the user will be able to run them with wide-open selection criteria.

SAP security errors can be reduced, as the objects needed for the transaction are automatically populated from the SU24 settings when the administrator creates the role.

Tracking the transaction usage will be easier.

AuditBot is an SAP IT Audit Solutions company specializing in automated audit compliance software solutions for risk mitigation and monitoring controls. The AuditBot Audit SAP Risk Management Solution helps audit compliance within finance, internal audit and IT organizations go from a Monday morning quarterbacking situation to winning the audit compliance game.

Looking for a solution for SAP Audit? Visit www.AuditBots.com to find the best advice on SAP Risk for you.
