(DI-2311) Collector for User Authorization Security

The technical name of the Collector for User Authorization Security is /DVD/MON_SEC_CL_COL_USR_AUTH.

The collector aims to track and analyze user authorizations, roles, and profiles, focusing on critical security aspects such as identifying users with high privileges, debugging permissions, and potential vulnerabilities in SQL execution. Its main goal is to enhance security by providing insights, KPIs, and reports related to user access and authorization within the SAP environment.

Default KPI delivered with this collector

The following default KPIs are delivered with this collector:

| KPI name | Description | Unit | Detail table |
|---|---|---|---|
| SEC_USR_AUTH_SAP_ALL | Number of users with SAP ALL authorizations | Count | Yes |
| SEC_USR_AUTH_S_DBCON_A36 | Number of users with S_DBCON (ACTVT=36) authorization | Count | Yes |
| SEC_USR_AUTH_S_DEVELOP | Number of users with S_DEVELOP authorization | Count | Yes |

Parameters

The following parameter is used for this collector:

| Parameter name | Description | Default value |
|---|---|---|
| SUPPRESS_PRODUCTION_SYSTEM | Specifies whether the production monitoring should be suppressed | X |

Detail table

The collector provides a detail table, User master authorizations. The technical name of the detail table is /DVD/MON_SEC_S_USR_AUTH_DET.

The detail table associated with the collector serves to report and list dialog users with elevated authorizations, specifically those with permissions SAP_ALL, debugging access (S_DEVELOP) and authorizations for DB02 query executions (S_DBCON;ACTVT=36). This table offers an organized overview of users holding potentially risky authorizations, aiding administrators in identifying and managing security vulnerabilities. It contains the following fields:

| Technical name | Description |
|---|---|
| TIMESTAMP | When the records are saved into the Detail table |
| SID | System ID |
| AUTH_NAME | Security: User authorization name |
| AUTH_TEXT | Security: User authorization text |
| USER_NAME | User Name |