Data Description

The DEVACCESS event is used in SAP to determine which users have development access in the environment.

Potential Use Cases

This event could be used for the following scenarios:

  • Determine which users have development access in the environment.

  • Correlate with transaction code use to identify potential compliance concerns.

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Navigate to this data by using the SE16 t-code, and enter the DEVACCESS value into the Table Name field, and execute the t-code.

Then enter the desired parameters into the selection criteria and execute.

The data displayed will match with the data in Splunk.

Field Mapping

The field mapping between the data from SAP and values in Splunk can be seen in the table below:

Field

Description

Unit of Measure

CURRENT_TIMESTAMP

The date time stamp when the information was collected

YYYYMMDDHHMMSS

EVENT_SUBTYPE

String

EVENT_TYPE

DEVACCESS

String

UNAME

User name

String

UTCDIFF

The UTC OFFSSET in HHMMSS that the data was collected in

HHMMSS

UTCSIGN

The UTC positive or negative OFFSET indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in.

+ | -