
SAP Audit Check List for SAP user Parameters

SAP Audit Check list for System profile


To view the following parameter settings, go to SA38 and run RSUSR003. (These are changed by Basis using tcode RZ11.)

SAP Risk Comparing Parameters

| SAP System Profile Parameter | Description | SAP Supplied Default Value | Production systems |
|---|---|---|---|
| login/min_password_lng | Minimum password length for user password | 3 | 12 |
| login/min_password_digits | Minimum number of digits in a password; this will be enabled in Production | 0 | 2 |
| login/min_password_specials | Minimum number of special characters in a password; this will be enabled in Production | 0 | 2 |
| login/password_expiration_time | Number of days between forced password change | 0 | 90 |
| login/fails_to_session_end | Number of invalid logon attempts allowed before the SAP GUI is disconnected | 3 | 3 |
| login/fails_to_user_lock | Number of invalid logon attempts within a day before the user id is automatically locked by the system | 12 | 5 |
| rdisp/gui_auto_logout | Time, in seconds, after which SAPGUI is automatically disconnected because of inactivity. Houghton Mifflin does not want users to be logged out of the portal if it goes down, hence the long logout time. | 0 | 1200 secs, 15 mins |
| auth/test_mode | Switch to report RSUSR400 for authority check | N | N |
| auth/system_access_check_off | Switch off automatic authority check | 0 | 0 |
| auth/no_check_in_some_cases | Special authorization checks turned off by customer | Y | Y |
| login/ext_security | Security access controlled by external software | N | N |
| auth/rfc_authority_check | Permission for remote function calls from within ABAP programs | 1 | 1 |
| login/failed_user_auto_unlock | Disable system function for automatic unlock of users at midnight | 1 | 1 |
| login/no_automatic_user_sapstar | Disable ability to log on as SAP* with password PASS when SAP* is deleted | 0 | |
| login/disable_multi_gui_login | Disable multiple GUI logins on the same account. This will be set to 1 in Production. | 0 | |
| auth/tcodes_not_checked | User buffer overflow can lead to losing authorization for tcodes SU53 and SU56. This setting can be used to exclude them from the auth check. | blank | SU53 SU56 |
| auth/authorization_trace | Does not allow every trace to be logged once because USOBX is delivered complete. This could affect system performance if log is allowed. | N | |
| auth/object_disabling_active | Auth objects can be globally deactivated through tcode Auth_Switch_Objects | Y | |
| auth/object_disabling_active | Authority Check Deactivation | Y | Y |
| rec/client | Auto Table Logging | Off | 100? |
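As an added example (not part of the original checklist), the Python sketch below checks a profile against the Production values given above for the first nine parameters, falling back to the SAP supplied default when a parameter is not set. The "name = value" profile input, the sample profile and the min / max / eq rule assigned to each parameter are assumptions of this example.

```python
# Added example. Values come from the checklist above; the rule column is an assumption.
BASELINE = {  # parameter: (SAP supplied default, production value, rule)
    "login/min_password_lng":         ("3",  "12",   "min"),
    "login/min_password_digits":      ("0",  "2",    "min"),
    "login/min_password_specials":    ("0",  "2",    "min"),
    "login/password_expiration_time": ("0",  "90",   "max"),
    "login/fails_to_session_end":     ("3",  "3",    "max"),
    "login/fails_to_user_lock":       ("12", "5",    "max"),
    "rdisp/gui_auto_logout":          ("0",  "1200", "max"),
    "auth/test_mode":                 ("N",  "N",    "eq"),
    "auth/system_access_check_off":   ("0",  "0",    "eq"),
}

def parse_profile(text):
    """Parse 'name = value' profile lines; lines starting with '#' are comments."""
    values = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            values[name.strip().lower()] = value.strip()
    return values

def audit(profile_text):
    """Return sorted (parameter, effective value, production value) deviations."""
    actual = parse_profile(profile_text)
    findings = []
    for name, (default, wanted, rule) in BASELINE.items():
        value = actual.get(name, default)  # unset -> SAP supplied default applies
        if rule == "eq":
            ok = value.upper() == wanted
        elif rule == "min":
            ok = value.isdigit() and int(value) >= int(wanted)
        else:  # "max": 0 switches the control off, so it never passes
            ok = value.isdigit() and 0 < int(value) <= int(wanted)
        if not ok:
            findings.append((name, value, wanted))
    return sorted(findings)

# Constructed sample profile, not taken from a real system.
SAMPLE = """\
# constructed profile excerpt
login/min_password_lng = 12
login/min_password_digits = 1
login/password_expiration_time = 90
login/fails_to_user_lock = 5
rdisp/gui_auto_logout = 3600
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A parameter missing from the profile is reported with its SAP supplied default, which is how login/min_password_specials shows up as a deviation in the sample.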

The SAP Audit Check list gives you guidance on some of the values which can be checked as part of SAP Audit compliance.

The SAP Audit Check list for the user parameters should be constantly monitored when new systems are installed or there is a system copy.
