sap, security, technology

SAP Table Logging

You have never heard of sap system audit either if you are very new in sap operation business or you are simply very lucky one. Congrats from me!

In any case you should be prepared to meet them and answer their questions. There are lot of possible questions… My favorite one is the question about the „TRACEABILITY“ – this means it should be possible for you to keep a trace of „important“ changes to the system in a documented and tamper-proof auditable manner.

To achieve it:

  1. Table logging should be enabled in the (productive) system
  2. Define the important/critical tables (the most tricky one)
  3. Activate logging for the defined tables

Enable table logging

Set profile parameter rec/client = ALL

Set TMS Parameter RECCLIENT = ALL (important: without this parameter changes based on transport requests won’t be logged!!!)

Define tables to be logged

Which tables are important for auditors? Ask them ! 🙂

If you don’t get an answer (I’ve never got) start with following tables:

  • T000 Clients Table
  • T001* Company Codes
  • T003* Document Types, Operation Types, Order Types
  • T004* Directory of Charts of Accounts
  • T007* Tax Keys
  • T008* Blocking Reasons for Automatic Payment Transactions
  • T012* House Banks
  • T030 Standard Accounts Table
  • T033 FI Depreciation Area
  • T042* Parameters for payment transactions
  • T044A Foreign Currency Valuation Methods
  • T044Z Customer/Vendor Accounts with Changed Reconciliation Account
  • T074 Special G/L Accounts
  • T077* Customer Account Groups, Vendor Account Groups, G/L Account Groups
  • T078* Transaction-dependent screen selection for customer / vendor / G/L master
  • T079* Company code-dependent screen selection for customer / vendor master
  • T169* Invoice Verification/Valuation
  • TACTZ Valid activities for each authorization object
  • TADIR Directory of Repository Objects
  • TBAER Rules for Changing Documents
  • TBRG Authorization groups
  • TCUR* Configuration of exchange rates
  • TDDAT Maintenance Areas for Tables
  • TDEVC Development Classes/Packages
  • TSTC List of all SAP transaction codes

Activate logging for the defined tables

For some tables logging is set by default, for others set it in the technical settings (transaction codes: SE11 or SE13):

No alt text provided for this image

Follow ups

All changes will be written to the table DBTABLOG so it is getting pretty big after a while.

The table can be analyzed using transaction code SCU3 (Analyze Changed Customizing Objects and Tables). Whit the same transaction you can archive some entries (using regular job) or even delete some without archiving it first… but I’m not sure if you can keep your role as sap admin after that.

No alt text provided for this image

Enjoy!