Chaper 8

System Administration Made Easy 81
Chapter 8: 8cheduled Annual Tasks

Contents
Checklists ................................................................................................................82
R/3 Tasks .................................................................................................................84
Backups ....................................................................................................................84
Security & Profile Audit .............................................................................................84
Checking that the Production System Is Not Modifiable...........................................88
Verifying that Dangerous Transactions Are Locked .................................................89
Database Tasks.....................................................................................................815
Backups ..................................................................................................................815
Operating System Tasks......................................................................................815
Backups ..................................................................................................................815
Other Tasks ...........................................................................................................815
Disaster Recovery Test...........................................................................................815
Chapter 8: Scheduled Annual Tasks

Checklists
Release 4.0B
82
Checklists
System: __________
Date: ____/____/____
Admin: _____________________
The R/3 8ystem
Task Transaction Procedure Check
off/initial
Archive year-end backup Send year-end backup tapes to long-
term offsite storage.
Audit user security Review users security authorization
forms against assigned profiles.
Can also be done with report
RSUSR100
SU02 Security
Profile Maintenance
Spot check profiles for recent changes.
RSUSR101
Audit profiles and
authorizations
SU03 Security
Authorization
Maintenance
Spot check authorizations for recent
changes.
RSUSR102
Review segregation of
duties
Audit user IDs SAP* and
DDIC
Run SAP user audit
reports
SA38 (or SE38)
Execute ABAP
Program
Run user audit reports:
< RSUSR003
< RSUSR005
< RSUSR006
< RSUSR007
< RSUSR008
< RSUSR009
< RSUSR100
< RSUSR101
< RSUSR102
Checklists
R/3 System Administration Made Easy
83
Task Transaction Procedure Check
off/initial
Check that the system is
set to Not modifiable.
SE03 Workbench
Organizer Tools
Verify that system is set to Not
modifiable.
SCC4 Clients:
Overview
Check changeable status for applicable
client
Check locked transactions SM01 Transaction
codes: Lock/Unlock
Check against your list of locked
transactions.
Database
Task Where Procedure Check
off/initial
term offsite storage
Operating 8ystem
off/initial
term offsite storage
Other
off/initial
Restore entire system to disaster
recovery test system
Perform disaster recovery
test
Test business resumption
Notes
Problem Action Resolution
R/3 Tasks
Release 4.0B
84
R/3 Tasks
Backups
For a year-end backup:
< Make certain to get a usable backup at year-end.
< Send the backup tapes offsite for an extended period.
The length of the extended period should be determined by your legal and finance
departments, external auditors, and others as appropriate in the company.
Be aware that you may have two different year-end backup dates:
< End of the calendar or fiscal year
< After the financial books are closed for the year
8ecurity & Profile Audit
Reviewing Profiles for Accuracy and Permission Creep
What
A permission creep is an incremental increase in permission given to a user over time. If
left unchecked, increased permissions may grant a user more authority in the system than
required or intended.
Why
Users may have undesirable authorization(s) or combinations.
Your external auditors may have an audit step to check for permission creepage.
How
You can conduct a spot audit of:
< Individuals
Review the security forms for a user, and compare these forms to the profiles
assigned to that user, and investigate inconsistencies.
Review the profiles assigned to the individual for reasonableness.
Reasonableness is: Does it make sense?
Review the individual profiles assigned for content and check to see if the profile has
been recently changed.
R/3 Tasks
85
< Profiles (transaction SU02) and authorizations (transaction SU03)
Check to see if the change date is recent.
You can also execute the following audit reports:
< RSUSR100 (user changes)
< RSUSR101 (profile changes)
< RSUSR102 (authorization changes)
For additional information on these reports, see the User Security Audit section on page 87.
Accurate 8egregation of Duties
What
There are standard audit guidelines which cover job/task combinations that are considered
risky or reduce internal controls. Some of these are:
< Accounts Payable and Check Generation
< Accounts Receivable and Cash Receipts
< ABAP development and transport control
Your external auditors should be able to help you define these risky combinations.
For your external auditors, testing for segregation of duties is a standard audit procedure.
How
The review of segregation of duties should be completed with the various user owners (key
users of each functional area).
Out of necessity, smaller companies must assign multiple functions to a single person. Be
aware of the potential security risks in this situation. If you must combine functions,
combine them in a way that you minimize risks.
R/3 Tasks
Release 4.0B
86
Restricting Access to 8AP* or DDC
What
These are system user IDs that have restricted uses for specific purposes.
Why
There are certain functions that can only be performed by SAP* or DDIC.
If an R/3 user requires similar functionality, they should have a copy of the SAP* profile.
These users should be grouped as super users, with the appropriate security approvals.
The security profile for SAP* is SAP_ALL. This profile is extremely because it grants the user
complete access to the system. See further explanation in chapter 9, the section Recommended
Polices and Procedures: System Administration.
A user with user administration rights cannot change the password to gain access to a user
ID and then change the password back to the original password. Passwords are not visible
to the administrators, thus they cannot restore the original password if they do not know it.
At a subsequent logon, the owner of the user ID will know that the password has been
altered because they cannot log in with their old password.
How
1. Log on using SAP* and DDIC to determine if someone has changed the password.
2. Periodically change the password for these users:
In all systems
In all clients in those systems.
This step prevents a person who knew the password from gaining access.
3. Update the secured password list.
R/3 Tasks
87
User 8ecurity Audit
There are several predefined SAP security reports, including:
< RSUSR003 Check for default password on user IDs SAP* and DDIC
< RSUSR005 Lists users with critical authorizations
< RSUSR006 Lists users who are locked due to incorrect logon
This report should be scheduled to run daily, just before midnight.
< RSUSR007 Lists users with incomplete address data
< RSUSR008 Lists users with critical combinations of authorizations or transactions
< RSUSR009 Lists users with critical authorizations
< RSUSR100 Lists change documents for users and shows changes made to a users
security
< RSUSR101 Lists change documents for profiles and shows changes made to security
profiles
< RSUSR102 Lists change documents for authorizations and shows changes made to
security authorizations
Some of these reports have parameter tables that need to be properly maintained to make
best use of them. Review and analyze these reports based on your knowledge of the
company. However, be aware that security issues may exist. If you have a small company,
these issues cannot be avoided because one person often must wear many different hats.
Your external auditors may require some of these reports to be executed as part of the
annual financial audit.
How
1. Enter transaction SA38 or SE38.
2. Enter the report name in Program.
3. Choose Execute.
4. Choose OK.
Notes for 8pecific Reports
< RSUSR008 (lists critical combinations of authorizations or transactions)
These combinations are maintained on table SUKRI.
Dangerous combinations include the following transactions:
- RZ02 (with anything)
- RZ03 (with anything)
- SE14 (with anything)
- SU01 (with security, users, and profiles)
- SU02 (with security, users, and profiles)
R/3 Tasks
Release 4.0B
88
Checking that the Production 8ystem s Not Modifiable
What
Check that the production system is set to Not modifiable. The locks on the system should
be set so that configuration changes (client-independent and client-dependent) cannot be
made directly into the production system.
Why
Configuration changes should not be made directly into the production system.
The goal is to protect the production system from changes, without the changes being
properly tested and to preserve the integrity of the pipeline. A pipeline is defined as the
environment where development is moved from the development system to the quality
assurance system, and finally to the production system.
If changes are made into the production system, the development and testing pipeline
could become out of sync with the production system. When this happens, it becomes
difficult to develop and test with any certainty that things will not be different in the
production system.
All changes should be made in the development system then transported through the
pipeline into production. In this way, all systems get the same changes.
A common excuse to make changes directly into the production system is, it takes too
long to transport the fix.
1. The risk is creating an out of sync landscape, where the change made to the
production system, is not the same as made to the development and/or test systems.
2. Emergency transports can occur at any time, with coordination.
How
See procedure in chapter 11, the section Setting the Production System to Not Modifiable
Exceptions
There are infrequent exceptions to the rule. These occur when:
< There is no mechanism to transport the changes.
< An Online Service System note requires the direct change.
Only in these (and similar) cases, the changes must be made directly into the target systems.
Manual entry always increases the chance that an error will be made.
R/3 Tasks
89
Verifying that Dangerous Transactions Are Locked
What
Dangerous transactions are transactions that could do the following:
< Damage or corrupt the system
< Present a security risk
< Adversely impact performance
Why
If a user accesses these transactions by accident, they could corrupt or destroy the R/3
System.
Access to dangerous transactions is more critical in the production system than the
development or test systems. This is because of live data and the fact that the companys
operations are dependent on the R/3 System.
Certain transactions should be locked in the production system, but not in the development,
test, or training systems.
Standard security normally prevents access to these transactions, but some administrators,
programmers, consultants, and functional key users could have access to them depending
on which system they are on. In these cases, the transaction lock provides a second line of
defense.
There are over 16,000 English transaction codes in the R/3 System. Thus, to make it
manageable, it is only the critical ones that you need to lock. Your functional consultants
should supply you with any additional critical transactions in their modules.
The following table, contributed to by various Basis consultants and users, lists transactions
that we recommend you lock. The transactions are categorized by the risk categories:
dangerous, security-related, and performance impact.
Transaction Description Dangerous Security Performance
FO40 Document Archiving X
FO41 Bank Master Data Archiving X
FO42 G/L Accounts Archiving X
FO43 Customer Archiving X
FO44 Vendor Archiving X
FO45 Document Archiving X
FO46 Transaction Figures Archiving X
GCE2 Profiles: Initial screen X
GCE3 Maintain Authorizations: Object Classes X
R/3 Tasks
Release 4.0B
810
KA10 Archive Cost Centers (all) X
KA11 Archive admin: cost centers (all) X
KA12 Archive cost centers (plan) X
KA13 Archive admin: cost centers (plan) X
KA14 Archive cost centers (actual) X
KA15 Archive admin: cost centers (actual) X
KA16 Archive cost centers (line items) X
KA17 Archive admin: cost centers (line items) X
O001 Maintain Users: Initial Screen X
O002 Profiles: Initial Screen X
O016 Maintain Authorizations: Object Classes X
OBR1 Reset Transaction Data
(delete transaction data)
X
OBZ7 Maintain Users: Initial Screen X
OBZ8 Profiles: Initial screen X
OBZ9 Maintain Authorizations: Object Classes X
OD02 Maintain Authorizations: Object Classes X
OD03 Profiles: Initial screen X
OD04 Maintain Users: Initial Screen X
OIBA Maintain Authorizations: Object Classes X
OIBB Maintain Users: Initial Screen X
OIBP Profiles: Initial Screen X
OMDL Maintain Users: Initial Screen X
OMDM Profiles: Initial Screen X
OMEH Maintain Users: Initial Screen X
OMEI Profiles: Initial Screen X
OMG7 Maintain Authorizations: Object Classes X
OMI6 Maintain Authorizations: Object Classes X
OML0 Maintain Users: Initial Screen X
OMM0 Profiles: Initial Screen X
R/3 Tasks
811
OMNP Maintain Authorizations: Object Classes X
OMSN Maintain Users: Initial Screen X
OMSO Profiles: Initial Screen X
OMSZ Maintain Authorizations: Object Classes X
OMWF Maintain Users: Initial Screen X
OMWG Profiles: Initial Screen X
OMWK Maintain Authorizations: Object Classes X
OOAU Maintain Authorizations: Object Classes X
OOPR Profiles: Initial Screen X
OOSB Change View "User Authorizations":
Overview
X
OOSP Change View "Authorization Profiles":
Overview
X
OOUS Maintain Users: Initial Screen X
OP15 Profiles: Initial Screen X
OP29 Maintain Users: Initial Screen X
OPCA Maintain Users: Initial Screen X
OPCB Profiles: Initial Screen X
OPCC Maintain Authorizations: Object Classes X
OPE9 Profiles: Initial Screen X
OPF0 Maintain Users: Initial Screen X
OPF1 Maintain Authorizations: Object Classes X
OPJ0 Maintain Users: Initial Screen X
OPJ1 Profiles: Initial Screen X
OPJ3 Maintain Authorizations: Object Classes X
OSSZ Maintain Authorizations: Object Classes X
OTZ1 Maintain Users: Initial Screen X
OTZ2 Profiles: Initial Screen X
OTZ3 Maintain Authorizations: Object Classes X
OVZ5 Maintain Users: Initial Screen X
OVZ6 Profiles: Initial Screen X
R/3 Tasks
Release 4.0B
812
OY20 Maintain Authorizations: Object Classes X
OY21 Profiles: Initial Screen X
OY22 Maintain Users: Initial Screen X
SCC5 Client delete X
SE01 Transport Organizer
SE06 System Table maintenance X X
SE09 Workbench Organizer
SE10 Customizing Organizer
SE11 Data Dictionary maintenance X
SE13 Maintain Storage parameters for table X
SE14 Utilities for dictionary tables X
SE15 Data Dictionary Information System
SE16 Data Browser X
SE17 General Table display X
SE38 ABAP workbench X
SM49 External OS commands X
SM69 External OS commands X
ST05 SQL trace X
SU12 Delete All Users X X
R/3 Tasks
813
The following table shows dangerous transactions that probably cannot be locked because they are (or
could be) used regularlyor have other valid reasons for use in a production systembut because of the
potential danger, need to have restricted access.
RZ10 Edit System Profiles X
SA38 ABAP Workbench X
SM04 User Overview X
SM12 System Locks X
SM13 Update Terminates X
SM30 Table Maintenance X
SM31 Table Maintenance X
STMS Transport Management System X
SU01 User Maintenance X
SU02 Profiles: Initial Screen X
SU03 Maintain Authorizations: Object Classes X
Table TSTCT contains the transaction codes and the name of the transaction. The current
content is over 30,000 entries in the table, with over 16,000 in English.
How
Document and keep a list of the following information:
< Which transactions were locked?
< Why are they locked?
< Who locked them?
< When were they locked?
R/3 Tasks
Release 4.0B
814
Guided Tour
1. In the Command field, enter transaction SM01 and choose Enter
(or choose Tools Administration, then Administration Tcode administration).
2. Enter the transaction code you
want to lock (for example, SE14)
in the search field at the bottom of
the TCode column.
3. Choose Enter.
4. Use the Locked checkbox:
< To lock a transaction, select the
checkbox next to the
transaction.
< To unlock a transaction,
deselect the checkbox.
5. Choose Enter.
Carefully check which transactions you lock. You could accidentally lock yourself out of a
transaction, which would prevent you from unlocking this or other transactions.
4
2
5
3
Database Tasks
815
Access to transactions can also be controlled by building security authorizations on the
security object S_TCODE under Cross application authorization objects.
Database Tasks
Backups
< Make certain you get a usable backup at year-end.
< Send backup tapes offsite for an extended period.
Operating 8ystem Tasks
Backups
< Make certain you get a usable backup at year-end.
< Send backup tapes offsite for an extended period.
Other Tasks
Disaster Recovery Test
Perform a full system recovery test.
See chapter 2, Disaster Recovery.
Other Tasks
Release 4.0B
816

Chaper 8

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chaper 8

Uploaded by

Copyright:

Available Formats

System Administration Made Easy 81

Chapter 8: 8cheduled Annual Tasks

Chapter 8: Scheduled Annual Tasks

You might also like