Anyone who uses an SAP system knows the term transaction code. Access to SAP data is restricted through role-based access control. Users reach the SAP system via a graphical user interface (I include portal-like functionality here to keep it simple), and which SAP table data a user can see or change is governed by the authorizations assigned to that user. If a user wants access to functionality in the SAP system, the transaction code is the front door to that functionality.
SAP systems keep track of the transaction codes that were started by users. This data is stored in the so-called STAD data. STAD data can be used for monitoring, analyzing, auditing and maintaining the security concept. When analyzing the access restrictions to SAP functionality and Segregation of Duties conflicts, STAD data can be used to answer questions like:
- Who has performed a certain critical functionality, and when?
- If a user has a critical Segregation of Duties conflict, did he actually execute the conflicting transactions?
STAD data is also very helpful for maintaining and monitoring the security concept. It gives an overview of the functionality (transaction codes) that a user actually used. This information can be used for Reverse Business Engineering, to decide which functionality the user does and does not need.
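The two audit questions above, worked through on a STAD-style extract, as an added example (not code from the original post or from CSI tools). The column layout of the extract, the sample records and the SoD rule are constructed assumptions for illustration, not the real STAD schema or any standard ruleset.

```python
# Added example: answer "who ran a critical tcode, and when?" and
# "did a user actually execute both sides of an SoD conflict?" from a
# constructed, simplified STAD-style extract (assumed columns, not the real schema).
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample extract: one line per executed transaction code.
STAD_EXTRACT = """user,tcode,timestamp
JSMITH,FK01,2014-03-03 09:12:00
JSMITH,F-53,2014-03-03 11:40:00
AMEIER,FK01,2014-03-04 08:05:00
AMEIER,ME21N,2014-03-05 10:30:00
BJONES,F-53,2014-03-05 14:20:00
"""

# Constructed SoD rule: (name, tcodes of side A, tcodes of side B).
SOD_RULES = [
    ("Vendor master vs. vendor payment", {"FK01", "FK02"}, {"F-53", "F110"}),
]

def parse_stad(text):
    """Return a list of (user, tcode, datetime) from the extract."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append((r["user"], r["tcode"], ts))
    return rows

def who_ran(rows, tcode):
    """Question 1: which users executed a critical tcode, and when."""
    return sorted((u, ts) for u, t, ts in rows if t == tcode)

def executed_conflicts(rows, rules):
    """Question 2: per rule, the users who actually executed BOTH sides.
    A conflict that exists only in assigned roles never shows up here."""
    by_user = defaultdict(set)
    for u, t, _ in rows:
        by_user[u].add(t)
    return {name: sorted(u for u, tcodes in by_user.items()
                         if tcodes & side_a and tcodes & side_b)
            for name, side_a, side_b in rules}

if __name__ == "__main__":
    rows = parse_stad(STAD_EXTRACT)
    for user, ts in who_ran(rows, "F-53"):
        print(f"F-53 executed by {user} at {ts:%Y-%m-%d %H:%M}")
    for rule, users in executed_conflicts(rows, SOD_RULES).items():
        print(f"{rule}: executed by {users or 'nobody'}")
```

In the sample, only JSMITH executed both a vendor-master and a payment transaction; AMEIER holds one side only, so the extract gives no evidence of an executed conflict for him.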
An SAP system stores STAD data only for a limited period. The number of days/weeks/months for which the data is kept can be configured in the SAP system itself. The longer the retention period, the more storage capacity the server needs. To reduce this capacity requirement, it is possible to download the STAD data regularly and store it elsewhere. If each download is appended to the same database, you build up STAD data covering a long period, which is very valuable information.
Example of downloading STAD data
STAD data can be extracted from the SAP server(s) using, for example, the CSI Xtractor. This tool uses a Remote Function Call (RFC) connection from the workstation to the SAP server, and the user logs on with his own SAP logon credentials (figure 1).
Figure 1 – Logon with user ID and password to make an RFC connection to the SAP system
After selecting the period, the tool performs the downloads and you end up with a STAD database containing all the STAD data from the SAP system (in this example I created the database in Microsoft Access).
The downloaded STAD data can be used in your own reports and analyses. It is also possible to include this database and its data in detailed SAP security analysis tools such as CSI Authorization Auditor, to analyze which transactions in a certain role were used by the user (figure 4) and whether SOD conflicts were executed by the user (figure 5).
Figure 4 – Example of transactions being used in CSI Authorization Auditor
Figure 5 – Example of SOD conflict with Executed (STAD) information
(C) Meta Hoetjes 2014
CSI Authorization Auditor and CSI Role Build and Manage are registered trademarks by CSI tools bvba