Use of Role Based AIS for Technical System Auditing at DuPont Chris Leeder DuPont Chris Carr SAP Session: 509


Dec 21, 2015

Page 1: Use of Role Based AIS for Technical System Auditing at DuPont

Chris Leeder, DuPont

Chris Carr, SAP

Session: 509

Page 2:

Introduction

• DuPont Company Overview

• DSAP Project Overview

• DSAP Architecture

• AIS Background

• Role Based AIS

• Benefits and Next Steps

Page 3:

The DuPont Company

Based in Wilmington, Delaware; operates in more than 70 countries

• 2002 Sales were $24 Billion

• Total Assets are $35 Billion

• 79,000 Employees, about half are outside of the United States

• 200+ years

• Consists of 5 business platforms

– Agriculture & Nutrition

– Coatings & Color Technology

– Electronic & Communication Technologies

– Performance Materials

– Safety & Protection

Page 4:

What is DSAP?

The organization put in place to successfully complete the SAP implementation and eventually support the application run activities.

Page 5:

DSAP Leverages ASAP

ASAP phases (diagram):

0 Discovery & Evaluation

1 Project Preparation

2 Business Blueprint

3 Realization

4 Final Preparation

5 Go Live & Support

Deliverables: Prepare, Plan, Train, Kickoff, Execute, QC, Next Phase

Monitor progress against deliverables

Page 6:

DSAP Architecture

DSAP provides a Transactional Backbone for Business Growth

DSAP Current and Future Core SAP R/3 Landscape (diagram):

Home Cluster (SAP Version 4.0B): GD1, GB1, GP1, GDD, GB2, GD2

C Cluster (SAP Version 4.6C): CP1, CD1, CD2, CB1, CDD, CB2

Q Cluster (SAP Version 4.6C): QD1, QB1, QP1, QDD, QB2, QD2

T Cluster (SAP Version 4.6C): TP1, TD1, TB1, TD2, TDD, TB2

UDR

DuPont Confidential

Page 7:

AIS Background

Created by an SAP user group for internal and external auditors. Auditing firms provided the initiative for creating audit-supporting tools for the R/3 environment.

Arthur Andersen Bansbach Schübel Brösztl & Partner

KPMG Deutsche Treuhand-Gesellschaft

Price Waterhouse Coopers

Ernst & Young Deutsche Allgemeine Treuhand AG

Internal auditors from various companies

SAP User Groups

Page 8:

AIS Overview

AIS is the Toolbox for . . .

Internal Auditors

External Auditors

System Auditors

Data Security Officers

Page 9:

AIS Overview

Audit guideline ---------- User group

Security guide ----------- SAP

System Audit (SAP): Audit IS, Development Audit IS, User/Security, System Admin

Business Audit (SAP): G/L IS, Customer IS, Vendor IS, Assets IS

BC940 AC900 BC680

Page 10:

AIS Overview

Checklist for system audit

Information retrieval using existing R/3 programs

FAQ: Frequently asked questions

Who is permitted to ...?

Page 11:

Why AIS?

To ensure compliance with project standards created by DSAP for:

• System Administration

• Design and Configuration

• Security and Controls

• Monitor Progress against deliverables

Page 12:

Role Based AIS

The role based AIS ("Audit Information System") consists of several single end user roles.

In order to work with the AIS, the auditor needs a user in the SAP System with the relevant single roles assigned to his user master record.

Note: The menus do not have authorization values. The authorization roles contain authorization values but no menu.

Page 13:

Role Based AIS

Until SAP Release 4.6C, AIS was realized using a menu technique (transaction SECR).

As of SAP Release 4.6, AIS is part of the SAP Standard System.

As of SAP Release 4.6C (Support Package SAPKH46C27), the technical implementation of AIS in the program has been changed to a role-based maintenance environment (transaction PFCG). Additional development of AIS will only be carried out in this new environment.

Page 14:

Role Based AIS

To facilitate working with the AIS, the auditor needs a user in the SAP System. This user master record requires a wide range of display authorizations.

Several single roles have been defined for the AIS. These single roles are divided into two groups:

- Transaction roles (SAP_AUDITOR*)

- Authorization roles (SAP_CA_AUDITOR*)

Installation recommendation: SAP Note 0 451 960

Page 15:

Role Based AIS

The authorization roles required for these menus are documented in PFCG. (Pull up the menu role and read the info in the description tab.)

Page 16:

Role Based AIS

AIS – Single roles

SAP_AUDITOR_ADMIN

SAP_AUDITOR_BA_ORGA

SAP_AUDITOR_BA_FI_GL

SAP_AUDITOR_BA_FI_AA

SAP_AUDITOR_BA_FI_AR

SAP_AUDITOR_BA_FI_AP

. . .

SAP_CA_AUDITOR_APPL_ADMIN

SAP_CA_AUDITOR_APPL

SAP_CA_AUDITOR_HR

SAP_CA_AUDITOR_SYSTEM

Copy / Modification

Y_AUDITOR_BA_ORGA

Y_AUDITOR_BA_FI_GL

Y_AUDITOR_BA_FI_AR

Y_AUDITOR_BA_FI_AP

Y_CA_AUDITOR_SYSTEM

Page 17:

Role Based AIS

Page 18:

Role Based AIS - Data Collection

Data Collection Strategy using MS Excel:

The transaction roles contain a menu tree, from which the data collection XLS worksheets will be derived. This menu will occupy the leftmost column of the spreadsheet and will be a copy of the AIS menu being executed in the SAP system.

Example: Run menu item, report or transaction, check against inputs column, then record results in the Results/Observations column on the data collection worksheet.

Page 19:

Role Based AIS - Data Collection Worksheets

Worksheet columns:

AIS - System Audit Tree (System Audit): this column contains the AIS menu.

Inputs: this column defines what document and/or standards should be referenced.

Results/Observations: this column is for recording the results of the AIS transaction or report against the documents or standards.

Owner/Action: this column is for assignment of an action item to an owner.

Resolutions: this column records the resolution.

Top 10 Security Reports

RSPFPAR Display profile parameters
  Inputs: Check against DuPont standard settings as defined in PP00776
  Results/Observations: Security parameters are set per DuPont standards, login/multi_login_users is not set, additional standards should be created and distributed to all DSAP systems.
  Owner/Action: Rod Grisin will review against DSAP documentation
  Resolutions: Update parameter settings in KP1 per DSAP documentation

SM20 Security Audit Log Assessment
  Inputs: Check if security log is active; if the log is active, review the contents of the log and document findings
  Results/Observations: Security Log is NOT active in KP1
  Owner/Action: Chris Leeder, Chris Carr and Reenie will discuss whether or not the audit log is necessary
  Resolutions: Activate audit log in KP1

RZ27_SECURITY CCMS Security Alerts
  Inputs: Check if security alerts are active; if active, review the contents of the log and document findings
  Results/Observations: Security Alerts are NOT active in KP1
  Owner/Action: Chris Leeder, Chris Carr and Reenie will discuss whether or not the audit log is necessary
  Resolutions: Activate CCMS security alerts in KP1

SUIM User Information System
  Inputs: Check SAP_ALL, SAP_NEW usage
  Results/Observations: SAP_ALL and SAP_NEW are still assigned to certain users (see SAP_ALL_KP1.rtf)
  Owner/Action: Chris Carr will work with the security team to have SAP_ALL and SAP_NEW removed from all users in KP1
  Resolutions: Remove profiles from all users in KP1

Page 20:

Role Based AIS - Supporting Documentation

Reference(s): The following sources are used for reference:

1. DSAP Documentation and Position Papers

2. SAP Security Guide and Checklist

3. AIS System Audit Guide

4. SAP Online Service System (OSS)

Page 21:

Role Based AIS - Summary

Summary: The auditor will execute the transactions in the SAP provided role based AIS menus, and compare findings with the standards defined in the "Inputs" field on the data collection spreadsheet.

Additional documents such as the output list of a report or transaction are saved on a network directory or a Lotus Notes database.

Page 22:

Role Based AIS - Benefits

The use of role based AIS has provided benefits in the following areas:

• Standardized audit format

• Easy to create and maintain security access/privileges for audit team

• Shorter audit time frames with custom front end

• Ease of customization

• Preventative Maintenance

• Identify gaps across systems via the data collection worksheets

Page 23:

Role Based AIS - Benefits, cont.

Cross-system data collection worksheet (columns: AIS - System Audit Tree (System Audit), Inputs, Results/Observations (KP1), Results/Observations (CP1), Results/Observations (TP1)):

Trusted Systems

SMT1 Trusted Systems (Display <-> Maint.)
  Inputs: A RFC client, which is registered as a trusted system, is able to access the RFC server without any password check
  KP1, CP1, TP1: No Errors (Position on Trusted Systems may be needed)

SMT2 Trusting systems (Display <-> Maint.)
  Inputs: A RFC client, which is registered as a trusted system, is able to access the RFC server without any password check
  KP1, CP1, TP1: No Errors (Position on Trusted Systems may be needed)

CPIC / SAP Gateway

SM54 CPIC Destinations
  Inputs: Review CPIC destinations
  KP1, CP1, TP1: No Errors (Position on Gateway Use may be needed)

SMGW Gateway Monitor
  Inputs: Review active connections
  KP1, CP1, TP1: No Errors (Position on Gateway Use may be needed)

RSGWLST Accessible Gateways
  Inputs: Review accessible gateways
  KP1, CP1, TP1: Secinfo not active

S_ALR_87101250 Parameters
  Inputs: Review gateway parameters
  KP1: Parameter gw/monitor set to 2: Monitor commands from local and remote gateway are accepted
  CP1: Parameter gw/monitor set to 2: Monitor commands from local and remote gateway are accepted
  TP1: Parameter gw/monitor set to 1: Monitor commands from local accepted
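The cross-system comparison above, and the worksheet on page 19, can be filled in automatically once the RSPFPAR and SUIM output has been exported. The script below is an added example, not part of the DuPont presentation or of SAP's AIS; the system IDs (KP1, CP1, TP1), parameter names and profile names come from the slides, while the exported data and the expected values in BASELINE_PARAMS (standing in for the PP00776 standard) are constructed assumptions.

```python
REQUIRED = object()  # sentinel: parameter must be set, any value accepted

# Baseline for the "Inputs" column. Stands in for the DSAP standard PP00776
# cited on the slides; the concrete expected values are assumptions.
BASELINE_PARAMS = {
    "gw/monitor": "1",                    # only local monitor commands accepted
    "login/multi_login_users": REQUIRED,  # slides flag this one as "not set"
}
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}  # must not be assigned to any user

# Constructed exports modelled on RSPFPAR (profile parameters) and SUIM
# (profile assignments per user) for the three systems named on the slides.
SYSTEMS = {
    "KP1": {"params": {"gw/monitor": "2"},
            "profiles": {"BASISADM": {"SAP_ALL", "SAP_NEW"}, "JSMITH": {"Z_DISPLAY"}}},
    "CP1": {"params": {"gw/monitor": "2", "login/multi_login_users": "0"},
            "profiles": {"JSMITH": {"Z_DISPLAY"}}},
    "TP1": {"params": {"gw/monitor": "1", "login/multi_login_users": "0"},
            "profiles": {}},
}

def check_parameters(params: dict) -> list:
    """Compare one system's profile parameters against the baseline."""
    findings = []
    for name, expected in BASELINE_PARAMS.items():
        actual = params.get(name)
        if actual is None:
            findings.append(f"Parameter {name} is not set")
        elif expected is not REQUIRED and actual != expected:
            findings.append(f"Parameter {name} set to {actual}, standard is {expected}")
    return findings

def check_profiles(assignments: dict) -> list:
    """Report every user that still holds SAP_ALL or SAP_NEW (the SUIM check)."""
    return [f"{user} has {', '.join(sorted(hit))}"
            for user, profs in sorted(assignments.items())
            if (hit := profs & CRITICAL_PROFILES)]

def worksheet_results(systems: dict) -> dict:
    """One Results/Observations list per system; 'No Errors' when nothing is found."""
    out = {}
    for sid, data in systems.items():
        findings = check_parameters(data["params"]) + check_profiles(data["profiles"])
        out[sid] = findings or ["No Errors"]
    return out

if __name__ == "__main__":
    for sid, lines in worksheet_results(SYSTEMS).items():
        print(sid, "|", "; ".join(lines))
```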

Page 24:

Role Based AIS - Next Steps

The repository auditor role will be used to review compliance with DSAP standards for development and maintenance of technical objects.

The repository audit will focus on the following areas:

• Table Authorization Groups

• Table logging for critical tables

• Changes to Repository Objects

• Repairs

Page 25:

Role Based AIS - Next Steps

The Users and Authorizations auditor role will be used to review compliance with DSAP standards for development and maintenance of SAP users and security objects.

The User and Authorization audit will focus on the following areas:

• Users and Authorizations

• Role Administration

• Central User Administration

• Security Profile Parameters

Page 26:

Role Based AIS - Next Steps

Data Collection Worksheets in Lotus Notes:

• Shared Access to Audit Findings

• Links to Supporting Documentation

• Workflow

• Permanent record of audit results

• “Real time AIS”

• Collaboration

Page 27:

Role Based AIS - Next Steps

Audit guideline ---------- User group

Security guide ----------- SAP

System Audit (SAP): Audit IS, Development IS, Audit IS, User IS

Business Audit (SAP): G/L IS, Customer IS, Vendor IS, Assets IS

BC940 AC900 BC680

Page 28:

Thank you for attending! Please remember to complete and return your evaluation form following this session.

Session Code: 509