User Management with SAP Security Audit
What is SAP Security audit?
User access is the most important part of SAP security, because it gives a user the authority to process commands in the system. That authority is granted through SAP roles. When an organization adopts SAP, it first identifies its population of workers and then organizes the workers' tasks into jobs. Roles are then created on the basis of those jobs and their functions.
Adding and Approving Users with SAP
When the SAP system is audited, the primary objective is to examine the process of approving and adding new users. The audit also covers how changes to existing user access are approved. This auditing process is commonly automated, but it can be carried out manually as well. Either way, the auditors look into every aspect of the process and supervise it. Only when they are fully satisfied do they confirm that a user was properly approved and added to the system.
Qualification of Users with SAP Security Audit
In this procedure, the auditor or audit team determines what training users need before system access is granted to them. The requirement can be met either by professionally delivered training in a course or by previous work experience. The users' training details must be classified, verified and stored properly. The auditors check this as well, since it is an important step in qualifying users.
User Removal from the System through SAP Security Audit
It is common for some users to no longer need access to the system or to parts of it. The usual reasons are inactivity of the user in the system, resignation, or the user simply no longer requiring access. The audit team removes such users or partially locks their access, as required. If a user does not use the system for a specified period, the auditors lock the user's access for inactivity. This period can range from one to three months. The audit team also needs to know the outcome of this procedure: the access is either locked, or removed from the system completely once approval for the removal has been documented.
If a user resigns or leaves the company for any reason, or moves to a department that does not require access to the SAP system, the user is locked or removed. The auditors note which users have left according to the HR system, or have been placed in a different branch, designation or department, and then check the corresponding changes in the SAP system. They normally try to identify each change and its authorization.
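
An added example, not part of the original article: one way to run the removal checks described above (HR leavers and movers still active, inactive users not locked, locks without a documented approval) over exported data. The CSV layout, column names, user IDs and approval set are constructed for illustration and are not an SAP export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions, not an SAP export format.
SAP_USERS = """user_id,last_logon,locked
ALICE,2024-05-28,no
BOB,2024-01-10,no
CAROL,2024-05-30,no
DAVE,2023-12-01,yes
ERIN,2024-05-15,no
FRANK,2024-02-01,yes
"""
# HR events for leavers and for moves to departments that need no SAP access.
HR_EVENTS = """user_id,event,effective
CAROL,resigned,2024-05-31
DAVE,transferred,2023-12-15
ERIN,transferred,2024-06-20
"""
# Users whose lock or removal has a documented approval (constructed).
APPROVED_LOCKS = {"DAVE"}


def audit_users(as_of, max_inactive_days=90):
    """Return sorted (user_id, finding) pairs for the user-removal checks."""
    hr = {r["user_id"]: r for r in csv.DictReader(io.StringIO(HR_EVENTS))}
    findings = []
    for user in csv.DictReader(io.StringIO(SAP_USERS)):
        uid = user["user_id"]
        locked = user["locked"] == "yes"
        idle = (as_of - date.fromisoformat(user["last_logon"])).days
        event = hr.get(uid)
        hr_due = event and date.fromisoformat(event["effective"]) <= as_of
        if hr_due and not locked:
            # HR says the user left or moved, but SAP access is still open.
            findings.append((uid, f"{event['event']} in HR but still active"))
        elif idle > max_inactive_days and not locked:
            # The article gives one to three months; 90 days is the default here.
            findings.append((uid, f"inactive {idle} days, not locked"))
        if locked and uid not in APPROVED_LOCKS:
            # A lock exists, but its authorization cannot be traced.
            findings.append((uid, "locked without documented approval"))
    return sorted(findings)


if __name__ == "__main__":
    for uid, finding in audit_users(date(2024, 6, 10)):
        print(f"{uid}: {finding}")
```
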
Validating Users in SAP
This procedure helps the auditors identify how often users are validated and their need to access the SAP system is confirmed. The audit also requires a supervisor to review users at regular intervals to confirm that their access is still valid. This review can be carried out half-yearly or quarterly, depending on the policies of the company.