
It is always advisable to check the SAP R/3 system a couple of times a year to ensure that the SAP system remains tightly secured. Below are a few useful do's which can help achieve a high degree of security.

Review the following:

Security parameter settings and documentation: the system security profile parameters (transaction TU02) (e.g. password length/format, forced password changes, number of failed logons that end the session, etc.) have been set to ensure the confidentiality and integrity of passwords.

1. Setup and modification of user master records follows a specific procedure and is properly approved by management.
2. Setup and modification of authorizations and profiles follows a specific procedure and is performed by someone independent of the person responsible for user master record maintenance.
3. An appropriate naming convention for profiles, authorizations and authorization objects has been developed to help security maintenance and to comply with the required SAP R/3 naming conventions.
4. A user master record is created for each user, defining a user ID and password. Each user is assigned, in the user master record, to a user group commensurate with their job responsibilities.
5. Check objects (SU24) have been assigned to key transactions to restrict access to those transactions.
6. Authorization objects and authorizations have been assigned to users based on their job responsibilities and ensuring segregation of duties (SOD).
7. Users can maintain only the system tables commensurate with their job responsibilities.

Select a sample of:

1. Changes to user master records, profiles and authorizations, and ensure the changes were properly approved. (The changes can be viewed with transaction SECR.)
2. Verify that a naming convention has been developed for profiles, authorizations and in-house developed authorization objects, to ensure that they can be easily managed and will not be overwritten by a subsequent release upgrade (for Release 2.2 names should begin with Y_ or Z_, and for Release 3.0 with Z_ only).
3. Assess and review the use of the authorization object S_TABU_DIS and review the table authorization classes (TDDAT): whether all system tables are assigned an appropriate authorization class, and whether users are assigned system table maintenance access (through S_TABU_DIS) to authorization classes commensurate with their job responsibilities.
4. Assess and review the use of the authorization objects S_PROGRAM and S_EDITOR and review the program classes (TRDIR): whether all programs are assigned the appropriate program class, and whether users are assigned program classes commensurate with their job responsibilities.

SAP R/3 security tables are tables in SAP R/3 that relate to, or directly impact, logical access control, program change control and operational control. Today, the convergence of the Internet with distributed ERP systems is increasing the demands on data and business process security almost exponentially. Organizations which employ distributed business processes and data systems require assurance of both the data and its accompanying processes, promising continued support of essential business needs whilst mitigating unauthorized access to critical information. This is especially true with the introduction of Sarbanes-Oxley and other federally mandated policies and procedures, many of which attach direct responsibility (read: potential fines and/or jail time) to the effective employment of recognized security measures. Below is the list of SAP R/3 security tables that could be used for your reference.
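The first review item above, the security profile parameters, can be checked mechanically once the parameter list has been exported. The following is an added example (not part of the original checklist and not SAP code): it parses a constructed TU02-style "parameter value" export and compares the login/* password parameters against a baseline. The parameter names (login/min_password_lng, login/password_expiration_time, login/fails_to_session_end, login/fails_to_user_lock) are SAP's; the sample values and the baseline thresholds are this example's own assumptions, not SAP-mandated minima, and should be replaced by the organization's password standard.

```python
"""Check an SAP profile-parameter export against a password/logon baseline.

Added example. Assumes an export shaped like 'name value' lines (as TU02 shows
them) and SAP's login/* parameter names; the sample export and the baseline
thresholds below are constructed for illustration.
"""
from typing import Dict, List, Tuple

# Constructed TU02-style export: one 'name  value' pair per line.
SAMPLE_EXPORT = """\
login/min_password_lng          6
login/password_expiration_time  0
login/fails_to_session_end      3
login/fails_to_user_lock        12
"""

# Baseline (assumed): parameter -> (mode, threshold, meaning).
#   'min'         value must be >= threshold
#   'max_nonzero' value must be 1..threshold; 0 switches the control off in SAP
BASELINE: Dict[str, Tuple[str, int, str]] = {
    "login/min_password_lng": ("min", 8, "minimum password length"),
    "login/password_expiration_time": ("max_nonzero", 90, "forced password change (days)"),
    "login/fails_to_session_end": ("max_nonzero", 3, "failed logons before the session ends"),
    "login/fails_to_user_lock": ("max_nonzero", 5, "failed logons before the user is locked"),
}


def parse_export(text: str) -> Dict[str, int]:
    """Turn 'name value' lines into a dict; blank or malformed lines are skipped."""
    params: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, value = parts
        try:
            params[name] = int(value)
        except ValueError:  # non-numeric parameter, not relevant to this baseline
            continue
    return params


def evaluate(params: Dict[str, int]) -> List[str]:
    """Return one finding per baseline parameter that is missing or weaker than the baseline."""
    findings: List[str] = []
    for name, (mode, threshold, meaning) in BASELINE.items():
        if name not in params:
            # An unset parameter falls back to the kernel default, which the
            # reviewer must look up; report it rather than assume it is fine.
            findings.append(f"{name}: not set, default applies ({meaning})")
            continue
        value = params[name]
        if mode == "min" and value < threshold:
            findings.append(f"{name}={value}: below baseline {threshold} ({meaning})")
        elif mode == "max_nonzero" and (value == 0 or value > threshold):
            findings.append(f"{name}={value}: control disabled or weaker than {threshold} ({meaning})")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

With the constructed export the check reports three findings (password length 6, password expiry switched off, and 12 failed attempts before lock); login/fails_to_session_end passes. Treat "not set" as a finding to follow up rather than as compliant, because the effective value then depends on the kernel default of the release in use.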

USR02       Logon data
USR04       User master authorization (one row per user)
UST04       User profiles (multiple rows per user)
USR10       Authorization profiles (e.g. &_SAP_ALL)
UST10C      Composite profiles (i.e. profile has sub-profiles)
USR11       Text for authorization profiles
USR12       Authorization values
USR13       Short text for authorization
USR40       Table for illegal passwords
USGRP       User groups
USGRPT      Text table for USGRP
USH02       Change history for logon data
USR01       User master (runtime data)
USER_ADDR   Address data for users

AGR_1016    Name of the activity group profile
AGR_1016B   Name of the activity group profile
AGR_1250    Authorization data for the activity group
AGR_1251    Authorization data for the activity group
AGR_1252    Organizational elements for authorizations
AGR_AGRS    Roles in composite roles
AGR_DEFINE  Role definition
AGR_HIER2   Menu structure information - customer vers.
AGR_HIERT   Role menu texts
AGR_OBJ     Assignment of menu nodes to role
AGR_PROF    Profile name for role
AGR_TCDTXT  Assignment of roles to Tcodes
AGR_TEXTS   File structure for hierarchical menu - cus.
AGR_TIME    Time stamp for role, including profile
AGR_USERS   Assignment of roles to users

USOBT       Relation transaction to authorization object (SAP)
USOBT_C     Relation transaction to authorization object (customer)
USOBX       Check table for table USOBT
USOBXFLAGS  Temporary table for storing USOBX/T* chang.
USOBX_C     Check table for table USOBT_C
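The tables above are most useful when joined: UST04 gives user to profile, AGR_USERS gives user to role, and AGR_1251 gives role to authorization field values. The following is an added example (not part of the original page and not SAP code) that runs three of the checklist's review items over such extracts: users holding the SAP_ALL/SAP_NEW profiles, segregation-of-duties conflicts between transactions reached through S_TCODE, and users whose roles grant S_TABU_DIS change access (ACTVT 02) on every table authorization class (DICBERCLS '*'). The rows are constructed extracts using the standard column names (BNAME/PROFILE, UNAME/AGR_NAME, AGR_NAME/OBJECT/FIELD/LOW/HIGH/DELETED); the user and role names, the transaction pairs in the SOD matrix and the "power profile" list are this example's assumptions, and a real review would substitute the organization's own SOD matrix.

```python
"""Cross-check user/profile/role/authorization extracts for high-privilege
profiles, SOD conflicts and wildcard table maintenance.

Added example. Column names follow UST04, AGR_USERS and AGR_1251; every row
below is constructed, and SOD_CONFLICTS / POWER_PROFILES are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed extract of UST04 (user -> profile, multiple rows per user).
UST04 = [
    {"BNAME": "BASIS01", "PROFILE": "SAP_ALL"},
    {"BNAME": "BASIS01", "PROFILE": "SAP_NEW"},
    {"BNAME": "FIN_CLERK", "PROFILE": "T-FI_AP"},
]
# Constructed extract of AGR_USERS (role assignments).
AGR_USERS = [
    {"UNAME": "FIN_CLERK", "AGR_NAME": "Z_FI_VENDOR_MAINT"},
    {"UNAME": "FIN_CLERK", "AGR_NAME": "Z_FI_PAYMENT_RUN"},
    {"UNAME": "AUDITOR", "AGR_NAME": "Z_AUDIT_DISPLAY"},
    {"UNAME": "TABLE_ADM", "AGR_NAME": "Z_TABLE_ALL"},
]
# Constructed extract of AGR_1251 (authorization field values per role).
# DELETED='X' marks values that were removed from the role but not yet cleaned up.
AGR_1251 = [
    {"AGR_NAME": "Z_FI_VENDOR_MAINT", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FK01", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_VENDOR_MAINT", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FK02", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_FI_PAYMENT_RUN", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "F110", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_AUDIT_DISPLAY", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "03", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_AUDIT_DISPLAY", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "02", "HIGH": "", "DELETED": "X"},
    {"AGR_NAME": "Z_AUDIT_DISPLAY", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_TABLE_ALL", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "02", "HIGH": "", "DELETED": ""},
    {"AGR_NAME": "Z_TABLE_ALL", "OBJECT": "S_TABU_DIS", "FIELD": "DICBERCLS", "LOW": "*", "HIGH": "", "DELETED": ""},
]

# Assumed SOD matrix: transaction pairs one person must not hold together
# (here: vendor master maintenance FK01/FK02 together with payment run F110).
SOD_CONFLICTS: Set[Tuple[str, str]] = {("FK01", "F110"), ("FK02", "F110")}
# Assumed list of profiles that amount to full system access.
POWER_PROFILES = {"SAP_ALL", "SAP_NEW"}

RoleValues = Dict[str, Dict[Tuple[str, str], Set[str]]]


def users_with_profile(ust04: List[dict], profiles: Set[str] = POWER_PROFILES) -> List[str]:
    """Users directly assigned any of the given profiles (UST04 join)."""
    return sorted({r["BNAME"] for r in ust04 if r["PROFILE"] in profiles})


def role_values(agr_1251: List[dict]) -> RoleValues:
    """role -> {(OBJECT, FIELD): set of values}; a LOW-HIGH range is kept as 'LOW-HIGH'
    so it is visible to the reviewer instead of being silently treated as one value."""
    vals: RoleValues = defaultdict(lambda: defaultdict(set))
    for r in agr_1251:
        if r.get("DELETED") == "X":
            continue  # removed from the role; must not count as granted
        value = r["LOW"] if not r["HIGH"] else f"{r['LOW']}-{r['HIGH']}"
        vals[r["AGR_NAME"]][(r["OBJECT"], r["FIELD"])].add(value)
    return vals


def user_tcodes(agr_users: List[dict], vals: RoleValues) -> Dict[str, Set[str]]:
    """Transactions each user can start via S_TCODE, unioned over all assigned roles."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for r in agr_users:
        out[r["UNAME"]] |= vals.get(r["AGR_NAME"], {}).get(("S_TCODE", "TCD"), set())
    return out


def sod_violations(agr_users: List[dict], agr_1251: List[dict],
                   matrix: Set[Tuple[str, str]] = SOD_CONFLICTS) -> List[Tuple[str, str, str]]:
    """(user, tcode_a, tcode_b) for every user holding both halves of a conflicting pair."""
    tcodes = user_tcodes(agr_users, role_values(agr_1251))
    return [(user, a, b)
            for user, held in sorted(tcodes.items())
            for a, b in sorted(matrix)
            if a in held and b in held]


def wildcard_table_maintainers(agr_users: List[dict], agr_1251: List[dict]) -> List[str]:
    """Users whose roles grant S_TABU_DIS change access (ACTVT 02 or *) on all table classes (DICBERCLS *)."""
    vals = role_values(agr_1251)
    risky_roles = {
        role for role, fields in vals.items()
        if fields.get(("S_TABU_DIS", "ACTVT"), set()) & {"02", "*"}
        and "*" in fields.get(("S_TABU_DIS", "DICBERCLS"), set())
    }
    return sorted({r["UNAME"] for r in agr_users if r["AGR_NAME"] in risky_roles})


if __name__ == "__main__":
    print("Power profiles:", users_with_profile(UST04))
    print("SOD violations:", sod_violations(AGR_USERS, AGR_1251))
    print("Wildcard table maintainers:", wildcard_table_maintainers(AGR_USERS, AGR_1251))
```

On the constructed data BASIS01 is reported for SAP_ALL/SAP_NEW, FIN_CLERK for holding FK01/FK02 together with F110 through two separate roles, and TABLE_ADM for unrestricted table maintenance; AUDITOR is not reported because its ACTVT 02 row is flagged DELETED and the remaining display access (03) is not a maintenance right. Two caveats a practitioner should keep in mind: profiles assigned directly in UST04 and profiles generated from roles (AGR_PROF) both need to be resolved, and a LOW-HIGH range or a '*' in S_TCODE can hide a conflict that a simple membership test will not see, so such values should be expanded before the SOD check is trusted.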
