Six Steps to Control Your SAP IT Audit Risk With SAP Custom Objects
An SAP system helps automate the company's business processes and improves employee productivity.
The SAP system consists of many tables and programs, which are needed to maintain and manipulate the data in the system.
During implementation, customers have the option of creating their own tables and programs in the system.
The names of these customer-created tables and programs have to start with Z or Y.
They are called custom development objects.
What is the SAP IT Audit Risk with Development Objects?

Custom programs and tables can make changes to the system, so the custom development objects must be properly managed and documented.
If they are left unmanaged, the system will end up with numerous custom objects that have no proper documentation.
This is like leaving the dog loose in the house: sooner or later you will be pushed into a corner.
The only way to display data from a custom program is with transaction SE38 or SA38 (Program Execution), and the only way to display a custom table is with the table transactions (SE11, SE16, SE17, SE16N).
But once these transactions are assigned to a user, the user is free to look at any table unless there are object-level restrictions.
At most clients the end users only interact with a handful of custom objects, so this is like giving the user access to the entire public library when he needs just a few books.
Getting Control of the SAP IT Audit Risk with SAP Objects

The custom objects created in the system may contain sensitive data or only display data, but either way they have to be properly secured.
To secure custom objects, follow this process:

1. Create the custom programs or tables with a proper naming convention. For example, if the object belongs to the finance team and the accounts payable sub-team, the object name should include abbreviations of both the finance team and the accounts payable sub-team.
2. Assign the custom object to an authorization group that indicates its functional team, sub-team and the sensitivity of the data contained in the object.
3. Create a custom transaction linked to the object, so that the user executes the object through that custom transaction.
4. For custom programs, also include an authority-check statement in the program so that the data can be restricted further.
5. Perform a trace analysis of the newly created transaction to identify the authorization objects it requires.
6. Update the SU24 settings of the transaction with the authorization objects found in your trace.

Benefits:

1. The internal audit team and the company have complete control of the custom objects in the system.
2. Since the custom objects are assigned to transactions, training and testing can focus on the transaction.
3. Assigning the data browser and program execution transactions directly to users causes performance issues, because the user can then execute with wide-open selection criteria.
4. SAP security errors are reduced, because the objects needed for the transaction are populated automatically from the SU24 settings when the administrator creates the role.
5. Tracking transaction usage is easier.
6. Emergency access can be granted to only a particular transaction.
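The first four steps of the process (naming convention, authorization group, custom transaction, authority check) in one custom report, as an added ABAP example that is not from the original post. The report name ZFI_AP_VENDOR_LIST, authorization group ZFIAP and transaction ZFI_AP_VENDORS are hypothetical; F_LFA1_BUK, S_TCODE and S_PROGRAM are standard SAP authorization objects.

```abap
*&---------------------------------------------------------------------*
*& Report ZFI_AP_VENDOR_LIST (hypothetical name: Z prefix, FI = finance
*& team, AP = accounts payable sub-team, step 1). Assumed attributes:
*& authorization group ZFIAP (hypothetical, step 2, set in SE38) and a
*& custom transaction ZFI_AP_VENDORS (hypothetical, step 3, created in
*& SE93) that starts this report instead of SE38/SA38.
*&---------------------------------------------------------------------*
REPORT zfi_ap_vendor_list.

TABLES: lfa1, lfb1.

" Company code is mandatory, so the user cannot run a wide-open selection.
PARAMETERS:     p_bukrs TYPE lfb1-bukrs OBLIGATORY.
SELECT-OPTIONS: s_lifnr FOR lfb1-lifnr.

TYPES: BEGIN OF ty_vendor,
         lifnr TYPE lfb1-lifnr,
         bukrs TYPE lfb1-bukrs,
         name1 TYPE lfa1-name1,
       END OF ty_vendor.
DATA: lt_vendor TYPE STANDARD TABLE OF ty_vendor,
      ls_vendor TYPE ty_vendor.

START-OF-SELECTION.
  " Step 4: explicit check inside the program, on top of the checks the
  " system already performs on the transaction (S_TCODE) and on the
  " program's authorization group (S_PROGRAM). F_LFA1_BUK restricts
  " vendor master access per company code; ACTVT '03' is display only.
  AUTHORITY-CHECK OBJECT 'F_LFA1_BUK'
    ID 'BUKRS' FIELD p_bukrs
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " A failed check is recorded by the authorization trace used in step 5.
    MESSAGE 'No display authorization for this company code' TYPE 'E'.
  ENDIF.

  " Only rows of the company code that passed the check are read.
  SELECT b~lifnr b~bukrs a~name1
    INTO TABLE lt_vendor
    FROM lfb1 AS b
    INNER JOIN lfa1 AS a ON a~lifnr = b~lifnr
    WHERE b~bukrs = p_bukrs
      AND b~lifnr IN s_lifnr.

  LOOP AT lt_vendor INTO ls_vendor.
    WRITE: / ls_vendor-lifnr, ls_vendor-bukrs, ls_vendor-name1.
  ENDLOOP.
```

Running the custom transaction under an authorization trace (step 5) lists S_TCODE, S_PROGRAM and F_LFA1_BUK, which are the objects to maintain for the transaction in SU24 (step 6).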