Data Description
The DEVACCESS event is used in SAP to determine which users have development access in the environment.
Potential Use Cases
This event could be used for the following scenarios:
Determine which users have development access in the environment.
Correlate with transaction code use to identify potential compliance concerns.
Splunk Event
The event will look like this in Splunk:
SAP Navigation
Navigate to this data by using the SE16 t-code, and enter the DEVACCESS value into the Table Name field, and execute the t-code.
Then enter the desired parameters into the selection criteria and execute.
The data displayed will match with the data in Splunk.
Field Mapping
The field mapping between the data from SAP and values in Splunk can be seen in the table below:
Field | Description | Unit of Measure |
|---|---|---|
CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
EVENT_SUBTYPE | String | |
EVENT_TYPE | DEVACCESS | String |
UNAME | User name | String |
UTCDIFF | The UTC OFFSSET in HHMMSS that the data was collected in | HHMMSS |
UTCSIGN | The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + | - |