
Setting Utilization Options

To provide context for evaluating sensitive and SOD risks, and for reporting on activities performed with elevated privileges under Emergency Access Management, you must configure utilization options on the agent for each SAP system governed by Access Risk Management.

It is your BASIS administrator’s responsibility to correctly enable, configure, and monitor the security audit log so the capabilities that rely on SAP security audit logs can operate properly.

Caution

If SAP security audit logging is disabled or runs out of disk space, there is no way for Access Risk Management to recover those logs. This could result in audit control failures, particularly for Emergency Access Management.

To enable Security Audit Logs for EAM Utilization reporting:

  1. In the Utilization Options section of the SAP system registration page, select the Expand icon.

    Screen capture showing the utilization options section expanded

  2. Select a STAD option.

    • If you are running SAP 4.x version, select STAD – use SAPWL_WORKLOAD_GET_STATISTIC
    • If you are running SAP ECC version 5.0 or later, select STAD – use SWNC_COLLECTOR_GET_AGGREGATES
  3. Follow the logic below to determine which of the following SAP Security Audit Log options to enable as the data source for Emergency Access Management utilization.

    • Use RSAU_READ_LOG if function module RSAU_READ_LOG exists in your system.
      • By default, all message ID types are enabled and collected, but you can deselect those you do not want to include. The CUI and AU3 codes are not listed here because they must remain enabled, so there is no option to disable them. Refer to Enabling Security Audit Logging for details about the message ID codes.
    • Use SM20 - Variable Data Column if function module RSAU_READ_LOG does not exist in your system (check in SE37, where only the older RSAU_READ_FILE is available) and, when you run SM20 for Transaction Starts, the transaction code shows up in the Variable Data column.
    • Use SM20 - Transaction Code Column if function module RSAU_READ_LOG does not exist in your system (same SE37 check) and, when you run SM20 for Transaction Starts, the transaction code shows up in the Source Transaction column.
    • Use SM20 - Transaction Code Column - Older 4.x if you are on an older 4.x SAP R/3 system.
  4. In the Application Server Connections section, select + Connection and enter the Host IP address, Instance Number, and Instance Name of the additional SAP application servers.

    Repeat for each application server you have.

    Important

    You must add every application server connection to ensure that all EAM activity is tracked. Security Audit Log will not work without these connections.

    Finding your instance name

    You can find the instance name in transaction ST03N (Workload Monitor), in the ABAP Instance Name column.

  5. Select Save to register your SAP system with these utilization settings.

Enabling Security Audit Logging

The SAP Security Audit Log (often referred to by its evaluation transaction, SM20) lets SAP administrators record sensitive system activity for security and auditing purposes, including dialog logons, RFC logons, RFC calls, transaction starts, report starts, user master changes, and system and other events.

In all, administrators have the option to log 90 different event types; however, Access Risk Management does not require you to enable logging of all of them. It extracts the following event types, most of which capture sensitive actions that are not recorded as transaction starts:

  • Manipulation Flags

    • Audit Log Changed (AUE)
    • C-Kernel Debugging Activated (CUK)
    • Field Content Changes During Debugging (CUL)
    • Debug Jump (CUM) – Skipping ABAP lines
    • Debug Stop (CUN) – A process was stopped from the debugger
    • Debug DB Manipulation (CUO) – Explicit database operation in debugger
    • Debug Session (CUP) – Non-exclusive debugging session started
    • System Changeability (EU1) – System changeability updates (SCC4)
    • Client Setting Changed (EU2) – Client setting changes
    • Change Document Deleted (EU3)
    • Audit Log Deletion (EU5)
  • Administration Flags

    • User Created (AU7)
    • User Deleted (AU8)
    • User Lock Status (AUA)
    • User Auths Changed (AUB)
    • User Master Changed (AUD)
    • Password Change (BU2)
  • Exfiltration Flags

    • Data Download (AUY)
  • Action Executions

    • Report Started (AUW)
    • Transaction Started (AU3)
    • Fiori Application Started (CUI)

Common concerns about switching to SM20 are that it may result in increased storage costs and burden system administrators managing the log volume. However, event types AU3 and CUI will take up less than 1% of the entire log volume, meaning that the total disk space consumed by allowing at least these message types will not impact storage costs or create an undue burden on administrators.

Another common concern is that turning on SM20 may degrade SAP system performance due to generating a lot of log entries, with a high toll on database performance. You should not see a performance impact on your system for two reasons:

  1. The Security Audit Log has been thoroughly optimized by SAP.
  2. Both log event retrieval and writing to disk take place in the kernel.

If you are concerned, try it out for a day. Work with your BASIS team to request approval to enable and configure the SAP Security Audit Log with configuration to enable logging for all users, but only event types AU3 and CUI. Collect data for a period of time and verify that there are no adverse performance indications and that the overall disk space requirements are reasonable.
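The following script is an added example (not SailPoint's or SAP's code) that ties together the event groups listed above and the trial described in this paragraph: it classifies audit log records into the page's four groups, measures the share of the log that the mandatory AU3/CUI records occupy, confirms that those two IDs actually appear (a missing one means the audit log filter is wrong), and derives a minimal EAM utilization view per firefighter account. The record layout (date, time, user, terminal, event ID, variable data) is an assumption modelled on SM20 list output, and the log lines are constructed; on a real system you would feed it the exported log for the trial period.

```python
"""
Classify SAP Security Audit Log records into the event groups listed above,
measure how much of the log the mandatory AU3/CUI records make up, and derive a
simple Emergency Access Management utilization report from them.

Added example, not SailPoint's or SAP's code. The record layout (date, time,
user, terminal, event ID, variable data) is an assumption modelled on SM20
list output; the log lines are constructed for the demonstration.
"""
from collections import Counter

# Event-ID groups exactly as the section above lists them.
EVENT_GROUPS = {
    "manipulation": {"AUE", "CUK", "CUL", "CUM", "CUN", "CUO", "CUP",
                     "EU1", "EU2", "EU3", "EU5"},
    "administration": {"AU7", "AU8", "AUA", "AUB", "AUD", "BU2"},
    "exfiltration": {"AUY"},
    "action": {"AUW", "AU3", "CUI"},
}
# AU3 (transaction start) and CUI (Fiori app start) must be enabled for EAM
# utilization reporting; the remaining IDs are optional.
REQUIRED_FOR_EAM = {"AU3", "CUI"}
# Event IDs whose variable data begins with the started transaction/app ID.
START_EVENTS = {"AU3", "CUI"}


def classify(event_id):
    """Map an audit event ID to one of the page's groups, or 'other'."""
    for group, ids in EVENT_GROUPS.items():
        if event_id in ids:
            return group
    return "other"


def parse_log(text):
    """Parse constructed SM20-style lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            raise ValueError(f"malformed audit record: {line!r}")
        date, time, user, terminal, event = parts[:5]
        variable = parts[5] if len(parts) > 5 else ""
        records.append({"date": date, "time": time, "user": user,
                        "terminal": terminal, "event": event,
                        "variable": variable, "group": classify(event)})
    return records


def volume_share(records, event_ids):
    """Fraction of records whose event ID is in event_ids (0.0 for an empty log)."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["event"] in event_ids)
    return hits / len(records)


def category_counts(records):
    """How many records fall into each group (including 'other')."""
    return Counter(r["group"] for r in records)


def missing_required(records):
    """Mandatory event IDs that never appear: a sign the audit log filter is wrong."""
    seen = {r["event"] for r in records}
    return REQUIRED_FOR_EAM - seen


def eam_utilization(records, firefighter_users):
    """Per firefighter account: transactions/apps started and flagged events seen."""
    report = {u: {"starts": [], "flags": Counter()} for u in firefighter_users}
    for r in records:
        if r["user"] not in report:
            continue
        entry = report[r["user"]]
        if r["event"] in START_EVENTS:
            # First token of the variable data is the transaction code / app ID.
            started = r["variable"].split()[0] if r["variable"] else ""
            entry["starts"].append((r["time"], started))
        elif r["group"] in ("manipulation", "administration", "exfiltration"):
            entry["flags"][r["event"]] += 1
    return report


# Constructed sample log; not real SAP output. AU1 (dialog logon) is included
# to show an ID the page does not list landing in 'other'.
SAMPLE_LOG = """\
20240312 090000 FF_USER01 WS1234 AU1
20240312 091501 FF_USER01 WS1234 AU3 SU01
20240312 091530 FF_USER01 WS1234 AUB SU01 JSMITH
20240312 091545 FF_USER01 WS1234 CUI F1234 Manage Users
20240312 092001 ADMIN02 WS5678 CUK
20240312 092010 ADMIN02 WS5678 CUL
20240312 093000 JSMITH WS9999 AUY /tmp/export.xlsx
20240312 093100 JSMITH WS9999 AU3 SE16
20240312 093200 FF_USER01 WS1234 EU1 SCC4
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("records:", len(recs), dict(category_counts(recs)))
    print("AU3/CUI share of log: %.1f%%" % (100 * volume_share(recs, REQUIRED_FOR_EAM)))
    print("missing mandatory IDs:", missing_required(recs) or "none")
    for user, entry in eam_utilization(recs, {"FF_USER01"}).items():
        print(user, "started", [t for _, t in entry["starts"]],
              "flags", dict(entry["flags"]))
```

On the nine constructed records the AU3/CUI share is one third, which says nothing about a production system; the point of `volume_share` is to run it over the log collected during the trial day so the under-1% figure claimed above is measured rather than assumed. `missing_required` is the check to run first: if the BASIS team's filter omitted AU3 or CUI, utilization reporting silently has nothing to work with.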
