The RSUSRxxx Standard SAP Audit Reports

The SAP system ships with a number of built-in reports that are invaluable for SAP system auditors. By providing a simple or complex combination of selection criteria, you can generate reports that make your audit job easy. These reports come with the RSUSR prefix followed by a three-digit code. Reports that fall under this category are RSUSR003, RSUSR005, RSUSR007, RSUSR008, RSUSR009, RSUSR100, RSUSR101 and RSUSR102.

In order to analyze these reports objectively, it is important to understand the company's policies. Policy areas that need to be understood include, but are not limited to, segregation of duties, delegation of authority, password policies, and user access and management procedures.

These reports are generated by entering the selection criteria in transaction SE38 (ABAP Editor) or SA38 (ABAP Program Execution) and running the report.

RSUSR003: The SAP system comes with a number of standard users that are used to perform specific administrative tasks. These users include SAP*, DDIC, SAPCPIC and EarlyWatch. They are created with default passwords, and it is expected that each password be changed to a non-trivial one after installation to guard against misuse and enforce control in the SAP system. Report RSUSR003 lets you see at a glance whether these accounts have been appropriately maintained or not.

RSUSR005: This report displays users with critical authorizations in the SAP system. Some transactions are considered critical, and it is expected that their assignment to users is tightly controlled. Critical authorization does not apply only to technical or Basis personnel; it also applies to functional users. This report allows an auditor to review the users that hold critical authorizations.

RSUSR006: User management in SAP can be quite challenging, especially in a large organization. Typically, the system is configured so that a user is locked after entering a wrong password a defined number of times. Furthermore, via system parameter settings, it is possible to define how the user gets unlocked: either automatically at midnight or explicitly by the system administrator. Report RSUSR006 provides a list of all users that have been locked as a result of entering incorrect passwords.

RSUSR007: When users are created in the SAP system, their details, including address data, are entered into the system. For one reason or another, it is possible to have users with incomplete address data. Report RSUSR007 generates a list of such users so that they can be reviewed and their address data completed appropriately. It is good practice to have complete address data for all users, as it helps in organizing and managing users.

RSUSR008: It is possible to have users with complex combinations of authorizations or transactions in the SAP system, especially where duties are not appropriately segregated or where no matrix of incompatible transactions exists. The implication is a concentration of powerful roles in a few individuals who can perform activities that are not properly controlled or that conflict with the principle of segregation of duties. It is important to review report RSUSR008 in such a situation. The report lists users that hold an incompatible combination of critical authorizations and/or transactions.

RSUSR009: This report is similar to RSUSR005 above; however, it offers more flexibility. The report displays users who possess critical authorizations, and it allows you to specify explicitly in the selection criteria which authorizations are to be treated as critical.
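The two questions behind RSUSR005/RSUSR009 (which users hold any transaction the auditor treats as critical) and RSUSR008 (which users hold an incompatible combination) are both set operations over a user's effective transaction assignments. The following is an added example, not SAP code or output from these reports: it runs the general form of both checks offline against constructed data. The transaction codes are real SAP codes, but the roles, the user-to-role assignments, the critical list and the conflict matrix are constructed for illustration and are not an SAP-delivered rule set.

```python
"""Offline segregation-of-duties review on constructed data (added example, not SAP code)."""

# Constructed role -> transaction assignments. In a live system these would come
# from the S_TCODE authorizations of each role (maintained in PFCG); here they are
# hard-coded so the example runs without an SAP system.
ROLE_TCODES = {
    "Z_AP_VENDOR_MASTER": {"FK01", "FK02"},   # create / change vendor master
    "Z_AP_INVOICE":       {"FB60"},           # enter vendor invoice
    "Z_AP_PAYMENT":       {"F110"},           # automatic payment run
    "Z_BASIS_USERADMIN":  {"SU01", "PFCG"},   # user and role maintenance
    "Z_BASIS_DEVELOPER":  {"SE38", "SA38"},   # ABAP editor / execute program
}

# Constructed user -> role assignments (hypothetical user IDs).
USER_ROLES = {
    "ACLERK":   ["Z_AP_INVOICE"],
    "BMANAGER": ["Z_AP_VENDOR_MASTER", "Z_AP_INVOICE", "Z_AP_PAYMENT"],
    "CADMIN":   ["Z_BASIS_USERADMIN", "Z_BASIS_DEVELOPER"],
    "DAUDITOR": [],
}

# Transactions the auditor has chosen to treat as critical. RSUSR009 lets you
# supply such a list yourself; this one is constructed for the example.
CRITICAL_TCODES = {"SU01", "PFCG", "SE38", "SA38", "F110"}

# Constructed incompatibility matrix: a user holding at least one transaction
# from side A *and* one from side B violates the rule described.
SOD_MATRIX = [
    ({"FK01", "FK02"}, {"FB60"}, "maintain vendor master and post vendor invoices"),
    ({"FK01", "FK02"}, {"F110"}, "maintain vendor master and run payments"),
    ({"FB60"}, {"F110"}, "post vendor invoices and run payments"),
    ({"SU01", "PFCG"}, {"SE38", "SA38"}, "administer users/roles and execute ABAP programs"),
]


def effective_tcodes(user):
    """Union of the transactions granted by all roles assigned to the user."""
    tcodes = set()
    for role in USER_ROLES.get(user, []):
        tcodes |= ROLE_TCODES.get(role, set())
    return tcodes


def users_with_critical_tcodes(critical=CRITICAL_TCODES):
    """RSUSR005/RSUSR009-style view: user -> sorted critical transactions held.
    Users with no critical transaction are omitted."""
    findings = {}
    for user in USER_ROLES:
        held = effective_tcodes(user) & critical
        if held:
            findings[user] = sorted(held)
    return findings


def sod_conflicts(matrix=SOD_MATRIX):
    """RSUSR008-style view: user -> list of violated incompatibility rules.
    A rule is violated when the user holds a transaction on both of its sides."""
    findings = {}
    for user in USER_ROLES:
        held = effective_tcodes(user)
        violated = [desc for side_a, side_b, desc in matrix
                    if held & side_a and held & side_b]
        if violated:
            findings[user] = violated
    return findings


if __name__ == "__main__":
    print("Users holding critical transactions:")
    for user, tcodes in users_with_critical_tcodes().items():
        print(f"  {user}: {', '.join(tcodes)}")
    print("Users with segregation-of-duties conflicts:")
    for user, rules in sod_conflicts().items():
        for rule in rules:
            print(f"  {user}: {rule}")
```

Note that the critical-transaction view and the conflict view answer different questions: ACLERK posts invoices but appears in neither list, while BMANAGER holds only one critical transaction (F110) yet violates three conflict rules. Reviewing the critical list alone, as RSUSR005 does, would understate that user's exposure, which is why RSUSR008 is run alongside it.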

RSUSR100: This report is generated when you need to review change documents for users. It shows modifications made to users' security settings.

RSUSR101: This report is generated when you need to review change documents for profiles. It shows modifications made to profile security.

RSUSR102: This report is generated when you need to review change documents for authorizations. It shows modifications made to authorization security.