SAP 시스템 전산감사의 목적은 이 시스템의 데이터를 신뢰할 수 있는가로 귀결된다.
정상적인 프로세스로 데이터가 입력되었는지,
이 프로세스를 사용하는 사용자는 정당한지,
프로세스 중간에 부정한 개입은 없었는지,
최종적으로 해당 통제들이 효과적으로 수행되고 있는지 등등을 종합하여 결정된다.
여기서는 전산감사 시, 주요하게 확인하는 권한 오브젝트에 대해서 정리한다.
1. 슈퍼유저/관리자 ID 제어 권한
1-1. Create User
| Auth. Object | Field | Value |
|---|
| S_USER_GRP | ACTVT | 01 |
1-2. Assign Roles to User
| Auth. Object | Field | Value |
|---|
| S_USER_AGR | ACTVT | 22 |
| S_USER_GRP | ACTVT | 22 |
1-3. Assign Roles (Change) to User
| Auth. Object | Field | Value |
|---|
| S_USER_AGR | ACTVT | 02 |
| S_USER_GRP | ACTVT | 22 |
1-4. Assign Roles (SAS) to User
| Auth. Object | Field | Value |
|---|
| S_USER_GRP | ACTVT | 02 |
| S_USER_SAS | ACTVT | 22 |
1-5. Assign Profiles to User
| Auth. Object | Field | Value |
|---|
| S_USER_PRO | ACTVT | 22 |
| S_USER_GRP | ACTVT | 22 |
1-6. Assign Profiles (SAS) to User
| Auth. Object | Field | Value |
|---|
| S_USER_PRO | ACTVT | 02 |
| S_USER_SAS | ACTVT | 22 |
1-7. Passord Reset/ Unlock User
| Auth. Object | Field | Value |
|---|
| S_USER_GRP | ACTVT | 05 |
1-8. Create Profile
| Auth. Object | Field | Value |
|---|
| S_USER_PRO | ACTVT | 01 |
| S_USER_AUT | ACTVT | 22 |
1-9. Change Profile
| Auth. Object | Field | Value |
|---|
| S_USER_PRO | ACTVT | 02 |
| S_USER_AUT | ACTVT | 22 |
1-10. Create Role (PFCG)
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | PFCG |
| S_USER_AGR | ACTVT | 01 |
| S_USER_AGR | ACTVT | 64 |
| S_USER_PRO | ACTVT | 01 |
1-11. Change Role (PFCG)
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | PFCG |
| S_USER_AGR | ACTVT | 02 |
| S_USER_AGR | ACTVT | 64 |
| S_USER_PRO | ACTVT | 01 |
1-12. Create Atuthorization Objects
| Auth. Object | Field | Value |
|---|
| S_USER_AUT | ACTVT | 01 |
1-13. Change Atuthorization Objects
| Auth. Object | Field | Value |
|---|
| S_USER_AUT | ACTVT | 02 |
2. SAP Audit Log 관리
2-1. Delete Security Audit Log Files
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SM18 |
| S_ADMI_FCD | S_ADMI_FCD | AUDA |
| S_ADMI_FCD | S_ADMI_FCD | AUDD |
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SM19 |
| S_ADMI_FCD | S_ADMI_FCD | AUDA |
| S_C_FUNCT | PROGRAM | SAPLSECU |
| S_C_FUNCT | PROGRAM | SAPMSM19 |
| S_C_FUNCT | ACTVT | 16 |
2-3. Delete Change Documents
| Auth. Object | Field | Value |
|---|
| S_SCD0 | ACTVT | 06 |
| S_SCD0 | ACTVT | 08 |
3. Data 생성/변경/삭제 권한
3-1. Change Any Client Dependent Tables via Table Maintenance
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SM30 or SM31 |
| S_TABU_DIS | ACTVT | 02 |
3-2. Change Any Client Independent Tables via Table Maintenance
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SM30 or SM31 |
| S_TABU_DIS | ACTVT | 02 |
| S_TABU_CLI | CLIIDMAINT | X |
3-5. Insert Code in Query Infoset or Create Query
| Auth. Object | Field | Value |
|---|
| S_QUERY | ACTVT | 23 |
3-6. Insert Code in Query and Execute Query
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SQ00 or SQ01 |
| S_TABU_DIS | ACTVT | 03 |
3-7. Debug Edit
| Auth. Object | Field | Value |
|---|
| S_DEVELOP | OBJTYPE | DEBUG |
| S_DEVELOP | ACTVT | 01 |
| S_DEVELOP | ACTVT | 02 |
3-8. Bypass S_TCODE via Module Pool
| Auth. Object | Field | Value |
|---|
| S_DEVELOP | OBJTYPE | PROG |
| S_DEVELOP | ACTVT | 16 |
3-8. Bypass S_TCODE via Function Module
| Auth. Object | Field | Value |
|---|
| S_DEVELOP | OBJTYPE | FUGR |
| S_DEVELOP | ACTVT | 16 |
4. Batch Job 등록/변경 권한
4-1. Background Job Admin (ALL)
| Auth. Object | Field | Value |
|---|
| S_BTCH_ADM | BTCADMIN | Y |
4-2. Background Job Admin (Periodic)
| Auth. Object | Field | Value |
|---|
| S_BTCH_ADM | BTCADMIN | P |
4-3. Release Background Job via SM36
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SM36 |
| S_BTCH_JOB | JOBACTION | RELE |
4-4. Modify Background Job Under Any User
| Auth. Object | Field | Value |
|---|
| S_BTCH_JOB | JOBACTION | MODI |
| S_BTCH_NAM | BTCUNAME | * |
4-5. Delete Background Job Under Any User
| Auth. Object | Field | Value |
|---|
| S_BTCH_JOB | JOBACTION | DELE |
| S_BTCH_NAM | BTCUNAME | * |
5. 시스템 설정 주요 권한
5-1. CTS Import (S_CTS_ADMI)
| Auth. Object | Field | Value |
|---|
| S_CTS_ADMI | CTS_ADMFCT | IMPA or IMPS |
| S_TRANSPRT | ACTVT | 60 |
5-2. CTS Import (S_CTS_SADM)
| Auth. Object | Field | Value |
|---|
| S_CTS_SADM | CTS_ADMFCT | IMPA or IMPS |
| S_TRANSPRT | ACTVT | 60 |
5-3. Change SAP Parameter
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | RZ10 |
| S_RZL_ADM | ACTVT | 01 |
| S_DATASET | PROGRAM | SAPLSPFL |
| S_DATASET | ACTVT | 33 |
| S_DATASET | ACTVT | 34 |
5-4. Change Client Setting Via Table Maintenance
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SCC4 |
| S_CTS_ADMI | CTS_ADMFCT | TABL |
| S_TABU_DIS | DICBERCLS | SS |
| S_TABU_DIS | ACTVT | 02 |
| S_TABU_CLI | CLIIDMAINT | X |
5-5. Global Change Options SE06
| Auth. Object | Field | Value |
|---|
| S_TCODE | TCD | SE06 |
| S_TRANSPRT | ACTVT | 03 |
| S_CTS_ADMI | CTS_ADMFCT | INIT |
| S_CTS_ADMI | CTS_ADMFCT | SYSC |
안녕하세요. 전산 감사에 관심이 많은 전산감사 꿈나무입니다. BC님의 고견을 듣고자 댓글 작성합니다.
SAP 권한 중 CTS Import Authorization Object와 관련하여 문의 드리고자 합니다.
CTS Import Authorization Object로 S_CTS_ADMI와 S_CTS_SADM를 조회하는 것으로 정리 되어 있는데요. 혹시 두 오브젝트의 역할에 차이가 있는 것일지요?