Auditor and the Case of the Rogue User

We had an “incident” on Tuesday where a user deleted an entire folder. It’s been a TOTAL nightmare but we are back up and running.

Any hints on how I can interrogate the audit database to figure out who deleted the folder?

This was the first request I saw this morning. It’s a scenario I’ve encountered several times, and it’s never pleasant. Recovering the content is hit or miss depending on the situation, but identifying the culprit can be pretty simple with Auditor. However, it does require that Auditor was running and capturing delete events when the content was deleted.

If you’re reading this, maybe you’re currently in this situation. A user “accidentally” selected the option to delete a folder.

Accidental delete 1

And then that user “accidentally confirmed”, ‘yes, I really do want to delete that content.’

Accidental delete 2

If you’re the person responsible for recovery, hopefully you had a good backup and can restore the content. If you don’t have nightly backups running, check to see if you can migrate the content up from a lower environment, or check with your developers/users to see if a local copy exists on their system. Good luck.

But back to the subject of this post: Whether or not you’re able to recover the lost content, you’re almost definitely going to get the question: “Who did it???”


First steps

First, check that the prerequisite has been met.

Log into your CMC, navigate to Auditing, and check to make sure that Auditing is enabled, working, and the delete option is selected.

Screen Shot 2015-11-25 at 4.21.23 PM

If the Auditing criteria is not met, then your next step will be to find an eccentric scientist with a DeLorean, or a mad man with a blue box to take you back in time so you can get Auditor working before the content is deleted. And you may as well confront the user to prevent the content deletion before it occurs – assuming your action won’t cause a catastrophic temporal paradox. But I digress.

If the Auditing is running and capturing deletes, you’re ready to investigate.

The following will create a very simple report to reveal the person responsible.

Create a new Webi doc and use SAP BI’s Auditing universe

select universe

From the Event class, add Object to Result objects and add Event Type to filters. Set the Event type to Delete.

Optional (but recommended): Add Object to Query Filters. Specify the object to equal the name, or match the pattern of as much as possible of the object’s name.

Event Objects

From the Characteristics class, add User to Result objects.

Optional: Add Object Type to filters and specify the type of the object that was deleted.

Characteristics Objects

From the Time class, add Start datetime to Result objects.

Optional: Add one of the Only events… filters to filters and specify the type of the object that was deleted.

Time Objects

When your query is ready, it will look something like this:

Completed query

Run your query, and find out who will be the recipient of a friendly “gentle reminder”.


Alternate Approach

If you choose to investigate Auditor directly through the database rather than through SAP’s universe, you can run a simple query directly against the event table (ADS_EVENT in SAP BI4, or AUDIT_EVENT in SAP BusinessObjects XI31).

Screen Shot 2015-11-25 at 4.39.43 PM

Change the object_name filter to your object’s name.


Happy sleuthing!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.