SAP audit risks of your custom SAP tables

An SAP system is made up of a large number of database tables: every piece of data entered into the system is stored in a back-end table. Within the SAP application, that data can be viewed through the table navigation transactions. A user with unrestricted access to these transactions can see all the data in the SAP tables, which is a major SAP audit risk because sensitive information can be exposed. A knowledgeable SAP user could, for example, open the human resources tables and retrieve the salary information of every employee in the company, or pull the price information for every product the company produces. Such a security breach could be used to blackmail the company, or the information could be sold to competitors.

SAP audit controls with SAP groups

SAP groups its tables into authorization groups. For example, tables belonging to the Human Resources Personnel Administration functional area are assigned to the HRPA (Human Resources Personnel Administration) authorization group. The SAP security team can use this classification to restrict a role to a particular SAP table or set of tables. It is good practice to assign every custom table created by the customer to an authorization group.

Table protection in SAP role

Roles can be restricted to viewing or maintaining a particular table with the S_TABU_DIS authorization object, which controls what can be done with the information in the table. The object has two fields: the authorization group and the activity. The authorization group is an attribute of the table itself, assigned according to the kind of data the table holds. Users should not, however, be given any of the table navigation transactions, because these give wide open access. The best practice is to create a custom transaction and bind the table to that custom transaction.

Assigning authorization to the custom table

If the customer has many custom tables that are not assigned to a group, these tables must be assigned to the appropriate authorization groups. Once it has the list of such tables, the SAP audit group consults the development and functional teams to identify the group each table belongs to; these can be existing authorization groups or newly created ones. SAP audit best practice is to lock the SAP table behind a custom transaction, which ensures that a user who is given that custom transaction can only display or maintain that particular table.
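As an added example that is not part of the original article, the following Python emulates the S_TABU_DIS decision described under "Table protection in SAP role" and the audit check for custom tables that still lack a group described in this section. The table-to-group extract and the roles are constructed; DICBERCLS and ACTVT are the object's real field names, and &NC& is the group SAP uses for tables with no assigned authorization group.

```python
from fnmatch import fnmatchcase

# Constructed TDDAT-like extract (table -> authorization group); the groups are
# illustrative, not the real delivered classification. Blank means never assigned.
TABLE_GROUPS = {
    "PA0008": "HRPA",          # HR pay data, classified into the HR group
    "ZSALARY_BONUS": "",       # custom table, never assigned a group
    "ZPRICE_LIST": "ZPRC",     # custom table, assigned a customer-defined group
    "ZAUDIT_LOG": "&NC&",      # custom table explicitly left unclassified
}

# SAP puts tables without an assigned group into the "not classified" group.
NOT_CLASSIFIED = "&NC&"

# Constructed roles: each entry is one S_TABU_DIS authorization with the object's
# real fields DICBERCLS (authorization group, '*' = any) and ACTVT (02 change, 03 display).
ROLE_HR_DISPLAY = [{"DICBERCLS": "HRPA", "ACTVT": {"03"}}]
ROLE_NC_DISPLAY = [{"DICBERCLS": "&NC&", "ACTVT": {"03"}}]
ROLE_WIDE_OPEN = [{"DICBERCLS": "*", "ACTVT": {"02", "03"}}]

def effective_group(table):
    """Group the authorization check sees: unassigned tables behave as &NC&."""
    return TABLE_GROUPS.get(table) or NOT_CLASSIFIED

def s_tabu_dis_allows(role_auths, table, actvt):
    """Emulate the S_TABU_DIS decision: some authorization in the role must cover
    the table's group (SAP '*' wildcard honoured) and the requested activity."""
    group = effective_group(table)
    return any(
        fnmatchcase(group, auth["DICBERCLS"]) and actvt in auth["ACTVT"]
        for auth in role_auths
    )

def unclassified_custom_tables(table_groups):
    """Audit finding: customer-namespace (Z*/Y*) tables with no real group, i.e.
    the tables that still need assigning to an authorization group."""
    return sorted(
        name for name, group in table_groups.items()
        if name[:1] in ("Z", "Y") and (group or NOT_CLASSIFIED) == NOT_CLASSIFIED
    )

if __name__ == "__main__":
    # The HR role cannot read the unassigned custom table, but any role holding
    # &NC& display can: that is the exposure the audit finding is about.
    print(s_tabu_dis_allows(ROLE_HR_DISPLAY, "ZSALARY_BONUS", "03"))   # False
    print(s_tabu_dis_allows(ROLE_NC_DISPLAY, "ZSALARY_BONUS", "03"))   # True
    print(unclassified_custom_tables(TABLE_GROUPS))  # ['ZAUDIT_LOG', 'ZSALARY_BONUS']
```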
