Hi Security-Folks,
I like to discuss with you the recommended settings for the Security Audit Log (SM19 / SM20).
Here's my proposal:
Profile Parameters:
rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1
Filter settings in SM19:
1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
- You may deactivate the messages of class “User master record change (32)” because you get change documents for users in transaction SUIM anyway.
- Consider to add messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB BUC, BUH, AUP, AUQ
- If you maintain logical file names using transaction FILE (see note 1497003) than add messages CUQ, CUR, CUS, CUT
2. Filter: Activate everything for users 'SAP*' in all clients '*'
This includes the built-in user SAP* as well as all users account names starting with SAP, e.g. SAPSUPPORTx because of rsau/user_selection = 1
To show log entries in for user SAP* only, filter by SAP#* in SM20 or use report RSAU_SELECT_EVENTS instead.
3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter) in all clients '*'
n. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identity RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free )
What settings are you using and why?
Kind regards
Frank Buchholz
Active Global Support - Security Services