SAP Security Change History Logs: The forgotten archive objects
When most people think of archiving, they usually think of transactional business data such as
FI/CO, SD data or technical data (archiving objects; i.e., workitems or idocs). Yet there are also objects for SAP security which take up valuable system space in all SAP systems but are not frequently used. These archive objects will allow the data within the SAP security change history tables to be archived. Once data is archived, it can be move from the main database storage (tier one storage), to lower level storage media.
Though the space relegated to these objects, taken individually, might seem low in your ECC or other SAP system, the logs are created wherever SAP security is used. Looking at the number of systems, the effect of the change and change history for data that is seldom accessed can have impact for technical groups and storage cost and system performance.
Chart: Examples of forgotten archive objects (change history docs)
Archiv Object | Archive Object Description | Table | Table Description |
---|---|---|---|
US_AUTH |
User Master Change Documents: Authorizations | USH12 | Change history for authorization values |
US_PASS | Change Documents: User (Other Data) | USH02 | Change history for logon data |
US_PROF | User Master Change Documents: Authorize Profiles | USH10 | Change history for authorization profiles |
US_USER | User Master Change Documents: User Authorizations | USH04 | Change history for authorizations |
Archiving
these security change history logs cannot only free up additional space in your SAP system, but still meet compliance governance requirements. Also, once you archive data, it is static and cannot be changed or deleted thus supporting the company’s purge strategy and protecting the data for audit/governance.
Other advantages to archiving change logs:
- Once data has been archived, the change logs cannot be accidently deleted from the SAP system
- Allows for storage of change logs to reside on lower cost media while maintaining accessibility to the log data supporting teams, such as:
- Security
team - Governance
and Audit - Others
- Security
- Opens space in system(s) for the critical business operations
- Allows for the development of a purge strategy for change logs
- Does not have impact on business because the security archiving objects fits with technical archiving
- Cannot accidently be purged from the SAP system
It helps to have an understanding of the security areas and how they are tied to governance and audit. Dolphin has worked with many customers on archiving and creating an archiving strategy that streamlines the infrastructure and secures access. This encompasses when to archive, how to retrieve the archived data and documentation for governance and audit.
Hi James,
Are there Archive infostructures/Field catelogs available for the above mentioned archive objects? If not, how can we access the archived data?
Best Regards,
Ankit Goel