3.3 Auditing and Monitoring
In this subsequent phase, a record of the authorizations created in the previous phase is kept. Detailed accounts of system events are used to record the actions of each user against that user's unique account identifier. Auditing and monitoring activities should comply with the enterprise's overall IT strategy and should be performed on a weekly, monthly, quarterly, and yearly basis.

Figure 3
There are some key tasks that should be included in a monitoring plan. The following reviews should be part of an ideal monitoring plan.
Using System Logs and Security Audit Logs
The system log records critical information about important events. Each individual application server maintains local log files to which this information is written periodically. The security audit log records events such as successful and unsuccessful dialog log-on attempts, RFC log-on attempts, changes to user master records, and transaction starts.
Reviewing User Activity
All SAP system users must be continuously monitored so that their problems can be rectified as soon as they occur. Timely attention to user problems reduces administration overhead. For example, if an SAP administrator wants to check for unrecognized user IDs or for users trying to use non-permitted transactions, the administrator can execute transaction AL08 and review user activity.
Monitoring User access in BASIS User Group
The BASIS users in an SAP system have access to sensitive areas of an organization. Therefore it is vital to monitor their access. The following instructions can be used to check the access of the BASIS user group.
Instruction Set
- Enter transaction SUIM to view repository information of the system.
- Follow the menu path: User > Lists of users (according to selection criteria) > User IDs (double-click).
Monitoring Change Requests
All change requests need to be properly reviewed and controlled prior to being applied. This formal process needs to be detailed enough to ensure that separation of duties and other control features are not breached. Strong integration knowledge of the SAP system is required for this review. Critical profiles, authorizations, and transactions need to be identified and treated even more carefully.
Checking Important Default SAP Profiles
Administrators must check that default profiles act only as templates for user-defined profiles and are not used directly in production. Default profiles contain values that apply to all application servers. These include: SAP_ALL, SAP_NEW, S_A.ADMIN, S_A.CUSTOMIZ, S_A.DEVELOP, S_A.DOKU, S_A.SYSTEM, S_A.USER, S_ENT_IMG_GE, S_WF_ALL, and P_ALL.
Changing Default SAP User IDs
SAP comes with some pre-configured clients (independent business units). They are clients 000, 001 and 066 in the non-IDES system. In the IDES system, client 800 is the default client. The SAP installation process automatically creates default user IDs and their corresponding passwords. SAP administrators must ensure that these are not used to access the system. The following table explains the default user IDs in the various SAP clients.
| User ID | Client | User Function |
|---|---|---|
| SAP* | 000 and 001 | SAP* denotes the default super user and has all administrative powers. |
| DDIC | 000 and 001 | The DDIC user is responsible for the maintenance of the ABAP/4 Dictionary and the software logistics. |
| EarlyWatch | 066 | The EarlyWatch user has access only to monitoring and performance data. |
Instruction Set
- Change all default passwords and verify the password change by logging into the various client areas.
- Assign SAP* to the super user group.
- Enter transaction SE16.
- Enter SAP* into the field called BNAME.
- Click "Execute" and verify.
- As a final step, check that the secret super user has been created (with a different user ID and password). All of the authorizations assigned to SAP* should then be removed (an empty profile list, followed by a password change).
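The two reviews described above, unsuccessful log-on attempts in the security audit log and use of the default user IDs outside their installation clients, can be automated over exported log records. The following is an added example, not code from the original article or from SAP; the semicolon-separated record layout, the sample records, the client numbers assigned to the default users, and the failed-logon threshold are all constructed assumptions for illustration.

```python
from collections import Counter

# Default user IDs and the clients the article lists for them. Assumption:
# a logon attempt by one of these IDs in any other client is worth reviewing.
DEFAULT_USERS = {"SAP*": {"000", "001"}, "DDIC": {"000", "001"},
                 "EARLYWATCH": {"066"}}
FAILED_LOGON_THRESHOLD = 3  # assumption: tune to local policy

# Constructed sample records (timestamp;client;user;event;result). This is a
# simplified illustrative layout, not the real Security Audit Log format.
SAMPLE_LOG = """\
2024-01-15 08:01:12;100;JSMITH;DIALOG_LOGON;OK
2024-01-15 08:02:40;100;SAP*;DIALOG_LOGON;OK
2024-01-15 08:03:05;100;MALLORY;DIALOG_LOGON;FAIL
2024-01-15 08:03:09;100;MALLORY;DIALOG_LOGON;FAIL
2024-01-15 08:03:15;100;MALLORY;DIALOG_LOGON;FAIL
2024-01-15 08:04:00;000;DDIC;DIALOG_LOGON;OK
2024-01-15 08:05:30;100;RFCUSER;RFC_LOGON;FAIL
"""

def parse_records(text):
    """Split the log text into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(";")
        if len(parts) != 5:
            continue
        ts, client, user, event, result = parts
        records.append({"ts": ts, "client": client, "user": user.upper(),
                        "event": event, "result": result})
    return records

def review_logons(records, threshold=FAILED_LOGON_THRESHOLD):
    """Return (finding, user, client) tuples: default-user logon attempts
    outside their expected clients, then users whose failed logon count in
    a client reaches the threshold."""
    findings = []
    failures = Counter()
    for r in records:
        expected = DEFAULT_USERS.get(r["user"])
        if expected is not None and r["client"] not in expected:
            findings.append(("DEFAULT_USER_LOGON", r["user"], r["client"]))
        if r["result"] == "FAIL":
            failures[(r["user"], r["client"])] += 1
    for (user, client), count in failures.items():
        if count >= threshold:
            findings.append(("REPEATED_FAILED_LOGON", user, client))
    return findings
```

On the sample records this reports SAP* logging on in client 100 and three failed dialog log-ons by MALLORY; DDIC in client 000 and the single failed RFC log-on are not reported.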

