How to Audit Your SAP BusinessObjects Environment

  • by Anurag Barua, Independent SAP Advisor
  • September 16, 2013
Auditing in SAP BusinessObjects is an area that is not very well understood. Learn about the concept of auditing in SAP BusinessObjects with a focus on configuring audit settings in the Audit Dashboard in BI 4.x.
Key Concept

Starting with SAP BusinessObjects BI 4.0, you can configure your audit settings in the Audit Dashboard. The Audit Dashboard is the one-stop shop for all your audit configuration activities.

With so much activity happening on your BusinessObjects servers, you would expect a lot of auditing activity to be taking place. Unfortunately, not a whole lot is known about the auditing capabilities in BusinessObjects, and therefore, either not much auditable information is being collected or, even if it is being collected, little to no auditing of this information is taking place. This situation holds true for both internal and external IT audit personnel.

If you have spent many years in the security, audit, access, or administration areas of SAP systems, be advised that auditing in BusinessObjects is different from auditing in either the SAP ERP Central Component (SAP ECC) or SAP NetWeaver environments. The BusinessObjects technical framework is much different from SAP’s. If you are installing BusinessObjects in your environment for the first time, you need to understand that BusinessObjects does not have a standard template or accelerator such as the Audit Information System (AIS) in SAP systems. Therefore, I explain the key concepts of auditing in the BusinessObjects realm and, in particular, the Audit Dashboard, which is the portal to all your audit configuration activities. 

Auditing in the BusinessObjects Enterprise (BOE) Server

So what exactly constitutes auditing in the BOE Server? Auditing allows you to keep track of and record important events that take place on your BOE servers. It answers the key questions that an internal or external auditor is likely to ask (e.g., who, what, and when). This information is recorded in a database called the Auditing Data Store (ADS). Once the data is in the ADS, you can report off it for the operations performed in the system.

Bear in mind, however, that auditing is a double-edged sword. The deeper the level of your audit, the more overhead you add to your servers, resulting in slower processing. You therefore have to make decisions about the level of auditing you want to enable. In fact, the SAP system provides you with the option of excluding the auditing database from even being installed. A best practice that SAP recommends is to keep the audit database separate from the Central Management Server (CMS) database if you decide to install the audit database. This is intended to reduce the overhead on the CMS. Data that you collect as part of the BusinessObjects audit process can be used to access the following information:

 

  • Data about all users accessing the system and the documents with which they are interacting
  • Instances of successful logins, logoffs, and invalid attempts
  • All changes to objects in reports by customers
  • Usage analysis on objects in universes
  • Successful and unsuccessful jobs
  • Event information
  • Access privileges
Join Tracy Levine of itelligence for a discussion on a three-phased approach to prepare for an SAP security audit on November 20 at 1:00 p.m. EST; register at http://bit.ly/1b9USz8

Anurag Barua

Anurag Barua is an independent SAP advisor. He has 23 years of experience in conceiving, designing, managing, and implementing complex software solutions, including more than 17 years of experience with SAP applications. He has been associated with several SAP implementations in various capacities. His core SAP competencies include FI and Controlling FI/CO, logistics, SAP BW, SAP BusinessObjects, Enterprise Performance Management, SAP Solution Manager, Governance, Risk, and Compliance (GRC), and project management. He is a frequent speaker at SAPinsider conferences and contributes to several publications. He holds a BS in computer science and an MBA in finance. He is a PMI-certified PMP, a Certified Scrum Master (CSM), and is ITIL V3F certified.

Anurag will be presenting at the upcoming SAPinsider BI 2017 conference, June 14-16, 2017, in Amsterdam. For information on the event, click here. He also will be a presenter at the SAPinsider Managing Your SAP Projects 2017 conference, October 24-26, 2017, in Copenhagen. For information on that event, click here.

See more by this author


Comments

No comments have been submitted on this article. 


Please log in to post a comment.

To learn more about subscription access to premium content, click here.