SAP

SAP R2 versus SAP R3, a simple comparison

R/2 Mainframe Solution
R/2 is SAP AG's mainframe software that runs on IBM, Siemens, Amdahl, and compatible equipment. This type of solution cannot claim to be open, although with the help of Application Link Enabling (ALE) technology, R/2 can be linked to R/3 systems and share online data.

Nevertheless, despite the emergence of new technologies and the significant decrease in hardware prices, some companies preferred the mainframe approach. R/2 is mainly targeted at enterprises in data-intensive and centralized industries.

R/2 is the antecedent of the client/server R/3 system and also offers comprehensive, fully functional business applications to satisfy the demands of mainframe users. SAP will continue to support R/2 systems until the year 2004, and so it is advising customers to migrate to R/3.

Excessive access control in SAP R/3

Excessive access control is one of the common findings made by IS auditors when auditing an SAP R/3 application. This finding is very easy to find, especially if the SAP implementation is quite new.

It is common because, during early implementation, assurance and governance are not major issues compared to application performance. So after this stage we can see a lot of access given to unauthorized users, such as vendor and third-party user accounts.

So it is really recommended that every company that has already implemented SAP perform a Post Implementation Review of application integrity and access control management.

Do you have any experience with excessive access control in SAP R/3?

Why SAP is better than Oracle Finance in Security Perspective: part 1


There are a lot of comparisons between SAP and Oracle Finance available nowadays; this article focuses on the comparison from a security or audit perspective.

1. Security Configuration

SAP stores its security configuration at the application security level; Oracle Finance stores its security configuration at the database security level. Storing configuration at the application security level means that we can also add security at the database configuration level. So SAP will have two times higher security level than Oracle Finance.

Here is the audit procedure to check both Oracle Finance and SAP R/3 security configuration.

SAP R/3 Procedure:
Execute Transaction Code SA38
Run report RSPARAM

login/failed_user_auto_unlock
login/fails_to_session_end
login/fails_to_user_lock
login/min_password_lng
login/multi_login_users
login/no_automatic_user_sapstar
login/password_change_for_SSO
login/password_expiration_time
login/password_logon_usergroup
login/password_max_new_valid
login/password_max_reset_valid
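
The RSPARAM review above can be scripted once the report output is saved to a file. The following is an added example, not part of the original article or of SAP's tooling: it checks six of the listed parameters against a sample policy. The tab-separated export layout (name, user-defined value, system default) and the thresholds in POLICY are assumptions to be replaced with your own export format and audit baseline.

```python
# Added example: audit an RSPARAM export against a sample password policy.
# Assumptions: tab-separated export (name, user-defined value, system default);
# the POLICY thresholds are illustrative, not SAP recommendations.

# Constructed sample export; an empty second column means "not set in profile".
SAMPLE_EXPORT = """\
login/failed_user_auto_unlock\t\t1
login/fails_to_session_end\t3\t3
login/fails_to_user_lock\t12\t5
login/min_password_lng\t\t3
login/no_automatic_user_sapstar\t1\t0
login/password_expiration_time\t0\t0
"""

# parameter -> (check on the integer value, expectation shown in the finding)
POLICY = {
    "login/failed_user_auto_unlock": (lambda v: v == 0, "0 (no automatic unlock)"),
    "login/fails_to_session_end": (lambda v: 1 <= v <= 3, "1 to 3 attempts"),
    "login/fails_to_user_lock": (lambda v: 1 <= v <= 5, "1 to 5 attempts"),
    "login/min_password_lng": (lambda v: v >= 8, "at least 8 characters"),
    "login/no_automatic_user_sapstar": (lambda v: v == 1, "1 (automatic SAP* disabled)"),
    "login/password_expiration_time": (lambda v: 1 <= v <= 90, "1 to 90 days"),
}

def parse_export(text):
    """Return {parameter: effective value}; a user-defined value overrides the default."""
    effective = {}
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 3 or not cols[0].startswith("login/"):
            continue  # skip headers, blank lines and unrelated parameters
        effective[cols[0]] = cols[1] or cols[2]
    return effective

def audit(text, policy=POLICY):
    """Return a sorted list of (parameter, value, expectation) findings."""
    effective = parse_export(text)
    findings = []
    for name, (ok, expectation) in policy.items():
        raw = effective.get(name)
        if raw is None:
            findings.append((name, "missing", expectation))
        elif not raw.isdigit() or not ok(int(raw)):
            findings.append((name, raw, expectation))
    return sorted(findings)

if __name__ == "__main__":
    for name, value, expectation in audit(SAMPLE_EXPORT):
        print(f"FINDING {name} = {value}; expected {expectation}")
```

A parameter that is absent from the export is reported as "missing" rather than assumed compliant, so an incomplete export cannot pass the check silently.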

What is the basic control for SAP R3 auditing?

SAP R3 is one of the largest ERP (Enterprise Resource Planning) systems used in industry nowadays. SAP is a very large application compared to other ERPs. SAP contains more than 30,000 tables and tcodes to maintain the integrity of transactions. However, the basic controls for SAP R3 can be summarized by these 5 basic control categories.

1. System Environment
This includes client configuration, segregation of duties in the environment, company code configuration and all basic system environment configuration

2. User Configuration
SAP*, super user security and powerful profiles

3. Security configuration
Password management controls such as minimum password length, password expiration, fails to session end, fails to user lock, GUI auto logout

4. Basis Configurations
System Development and Maintenance, Transport Management, Audit Logs

5. User Access Management & Authorization
Access to sensitive tcodes (transactions)

Any suggestions?
