
Authorizations in mySAP HR
Michael Bonrat
Product Manager, SAP AG
Authorizations and Data Security in mySAP HR

mySAP HR specific authorization and data security concepts
- Authorization and data protection with authorization objects
- Authorizations and data protection with structural authorization
- HR specific enhancement possibilities

General functions for data protection in the context of mySAP HR
- Protection against unauthorized download
- Protection against unauthorized execution of reports on HR master data
- Protection against unauthorized use of generic reporting tools
- Protection against unauthorized ad hoc reporting with Ad-hoc-Query
- Protection against unauthorized direct access to database tables

Legal requirements

Roadmap for definition and implementation of a company specific security and data protection concept

SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /2

Concept of authorization objects

User ... has authorization, ... which is checked:

  User  ->  Authorization  ->  Transaction

  Authorization side:  Auth. Object -> Field -> Value(s)
  Transaction side:    Auth. Object -> Field -> Value

Example for an authorization object P_ORGIN

An authorization object is defined by the fields contained in the object. An authorization object can have up to 10 fields.

One of the most important HR authorization objects is HR: Master data (P_ORGIN). This object checks the following fields:

INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization level
PERSA: Personnel area
PERSG: Employee group
PERSK: Employee subgroup
VDSK1: Organizational key

With this authorization object a user could have the following authorization profile ...

Example for an authorization profile defined with an HR authorization object

Example for the level of detail you can use for the data access and the mode of access (read, write, ...):
- P_ORGIN
  - INFTY = 0-6      Which type of data (of an employee) can be accessed?
  - SUBTY = *
  - AUTHC = R, M     How can the data be accessed?
  - PERSA = DE01     Data of which employees can be accessed?
  - PERSG = 1
  - PERSK = *
  - VDSK1 = *

A user with the profile above can
- display (AUTHC = R) and search with match codes (AUTHC = M)
- infotypes 0000 to 0006 (incl. all subtypes) (INFTY: 0-6; SUBTY = *)

This user has access to employees
- of personnel area DE01 who are assigned to employee group 1
- there is no authorization check using the fields PERSK and VDSK1

The most important HR authorization objects

P_ORGIN     Master Data
P_ORGXX     Master Data - Extended Check
P_APPL      Applicants
P_PERNR     Master Data - Personnel Number Check
P_ABAP      Reporting
PLOG        Personnel Planning

... and two important authorization objects from Basis to be used in HR:
S_TABU_DIS  Table Maintenance (via standard tools such as SM30)
S_TMS_ACT   TemSe: Actions on TemSe Objects

List of HR authorization objects (continued)
- P_BEN - Benefit Area
- P_CH_PK - Pension Fund: Account access
- P_DE_BW - Statements SAPScript
- P_DK_PBS - P_DK_PBS
- P_PYEVDOC - Posting Document
- P_PYEVRUN - Posting Run
- P_DBAU_SKV - DBAU: Construction pay in Germany - social funds proced.
- P_HRF_INFO - Authorization Check InfoData Maintenance for HR Forms
- P_HRF_META - Authorization Check for Master Data Maintenance HR Forms
You can get a complete overview of all HR specific authorization objects the following way:
1. Choose (in the SAP Easy Access Menu) Tools → ABAP Workbench → Development → Other Tools → Authorization Objects → Objects, or transaction SU21.
2. Choose object class HR.

Extended protection for HR master data P_ORGXX

If you want to control the access to HR master data in more detail, you can use authorization object HR: Master Data – Extended Check (P_ORGXX). This object checks the following fields:

INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization level
SACHA: Payroll Administrator
SACHP: Administrator for HR Master Data
SACHZ: Administrator for Time Recording
SBMOD: Administrator Group

The fields SACHA, SACHP, SACHZ and SBMOD are fields from infotype Organizational Assignment (0001). Since this infotype can have time dependent records, it is possible that a user has access authorization only for specific time intervals.

Data protection for applicant data P_APPL

Access to HR applicant data is controlled with authorization object HR: Applicants (P_APPL). This object checks the following fields:

INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization level
PERSA: Personnel area
APGRP: Applicant group
APTYP: Applicant range
VDSK1: Organizational key
RESRF: Personnel officer responsible for application

In contrast to the objects P_ORGIN and P_ORGXX, the check with this authorization object cannot be disabled.

The authorization field VDSK1 Organizational Key
This field allows you to implement authorization profiles based on authorization objects in a more complex way. You can define complex rules which fill this field with the combined values of fields in infotype 0001 of your employees' records, and check this value against your authorization profiles.

Organizational key: 12000000001000     Organizational key: 12000000001200
  PersArea:    1200                      PersArea:    1200
  Cost Center: 0000001000                Cost Center: 0000001200

In the standard the field is filled with the values of the fields Personnel area and Cost Center. In the customizing activity Set up organizational key you can define your own rules for the field.
(Path: Personnel Management → Personnel Administration → Organizational Data → Organizational Assignment → Set up organizational key)

Access authorization for access on own master data P_PERNR

If a user should get, for access to his own data, a different profile than for general access to master data, you can control this with authorization object HR: Master Data – Personnel Number Check (P_PERNR). This object checks the following fields:

- AUTHC: Authorization level
- PSIGN: Interpretation of assigned personnel number
- INFTY: Infotype
- SUBTY: Subtype

The field Interpretation of assigned personnel number, with the options EXCLUDE and INCLUDE, controls on infotype level whether, on access to the own personnel number, a higher or lower authorization (than defined in P_ORGIN) should be available.

Example of a user profile with P_PERNR: In our example the user is still an administrator who is responsible for the basic pay (infotype 0008) of one personnel area (because he has the corresponding P_ORGIN authorization). In addition, regardless of which personnel area he is responsible for, the employee should always be able to display his own data, but should not be able to change his own basic pay. The corresponding authorizations for authorization object P_PERNR must then be set as follows:

  AUTHC = R, M        AUTHC = W, S, D, E
  PSIGN = I           PSIGN = E
  INFTY = *           INFTY = 0008
  SUBTY = *           SUBTY = *

This profile allows the user to read data of all infotypes which are stored for his own person. The second authorization prevents him from changing data of infotype 0008 records of his own personnel number.
For all other personnel numbers, as well as for write access to all infotypes except infotype 0008, the authorization profile as defined in P_ORGIN is relevant.
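The P_PERNR/P_ORGIN interplay described above, as an added example (a Python model of the decision, not SAP code): the clerk's profile follows the slide, while the personnel numbers, the infotype 0001 values and the simplified field matching (exact value, '*' or a range) are constructed assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# One authorization line: field name -> allowed entries, each '*', a single value
# or an inclusive range such as '0000-0006'. Several lines form a user's profile.
Authorization = Dict[str, List[str]]


def value_allowed(allowed: List[str], value: str) -> bool:
    """True if `value` is covered by one entry of an authorization field."""
    for entry in allowed:
        if entry == "*":
            return True
        if "-" in entry:                       # range, e.g. '0000-0006'
            low, high = entry.split("-", 1)
            if low <= value <= high:
                return True
        elif entry == value:
            return True
    return False


def line_matches(auth: Authorization, request: Dict[str, str]) -> bool:
    """Every requested field must be covered by the same authorization line."""
    return all(value_allowed(auth.get(name, []), val) for name, val in request.items())


@dataclass
class HRUser:
    user_id: str
    own_pernr: str                                  # personnel number linked to the user
    p_orgin: List[Authorization] = field(default_factory=list)
    p_pernr: List[Authorization] = field(default_factory=list)


def master_data_access(user: HRUser, pernr: str, org: Dict[str, str],
                       infty: str, subty: str, authc: str) -> bool:
    """Decide one access (AUTHC level) to an infotype/subtype of personnel number `pernr`.

    `org` holds the employee's infotype 0001 values (PERSA, PERSG, PERSK, VDSK1).
    For the user's own personnel number P_PERNR is consulted first: a matching line
    with PSIGN 'E' denies, a matching line with PSIGN 'I' grants. For all other
    numbers, and when no P_PERNR line matches, the P_ORGIN profile decides.
    """
    if pernr == user.own_pernr:
        own = {"INFTY": infty, "SUBTY": subty, "AUTHC": authc}
        matching = [a for a in user.p_pernr if line_matches(a, own)]
        if any("E" in a["PSIGN"] for a in matching):   # exclusion wins over inclusion
            return False
        if any("I" in a["PSIGN"] for a in matching):
            return True
    request = {"INFTY": infty, "SUBTY": subty, "AUTHC": authc,
               "PERSA": org["PERSA"], "PERSG": org["PERSG"],
               "PERSK": org["PERSK"], "VDSK1": org["VDSK1"]}
    return any(line_matches(a, request) for a in user.p_orgin)


# Constructed profile after the slide: a clerk for basic pay (infotype 0008) of
# personnel area DE01 who may read all of his own data but never change own basic pay.
CLERK = HRUser(
    user_id="CLERK01", own_pernr="00001234",
    p_orgin=[{"INFTY": ["0008"], "SUBTY": ["*"], "AUTHC": ["R", "M", "W", "S", "D", "E"],
              "PERSA": ["DE01"], "PERSG": ["*"], "PERSK": ["*"], "VDSK1": ["*"]}],
    p_pernr=[{"AUTHC": ["R", "M"], "PSIGN": ["I"], "INFTY": ["*"], "SUBTY": ["*"]},
             {"AUTHC": ["W", "S", "D", "E"], "PSIGN": ["E"], "INFTY": ["0008"], "SUBTY": ["*"]}],
)
# Constructed infotype 0001 values: a record in the clerk's area DE01 and one in DE02.
DE01_ORG = {"PERSA": "DE01", "PERSG": "1", "PERSK": "DU", "VDSK1": "DE010000001000"}
DE02_ORG = {"PERSA": "DE02", "PERSG": "1", "PERSK": "DU", "VDSK1": "DE020000001000"}


def demo() -> Dict[str, bool]:
    """The cases the text distinguishes, keyed by description."""
    return {
        "read own 0002": master_data_access(CLERK, "00001234", DE01_ORG, "0002", "", "R"),
        "write own 0008": master_data_access(CLERK, "00001234", DE01_ORG, "0008", "", "W"),
        "write own 0002": master_data_access(CLERK, "00001234", DE01_ORG, "0002", "", "W"),
        "write other DE01 0008": master_data_access(CLERK, "00005678", DE01_ORG, "0008", "", "W"),
        "read other DE02 0008": master_data_access(CLERK, "00009999", DE02_ORG, "0008", "", "R"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:24s} -> {'granted' if allowed else 'denied'}")
```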

Simplified access on execution of specific programs P_ABAP

If specific non-critical reports (phone list, internal address list, ...) should also be available for users who normally don't have access to HR data, you can define such profiles with authorization object HR: Reporting (P_ABAP).

This object checks the following fields:

REPID: ABAP program name
COARS: Degree of simplification for authorization check

Aside from the scenario described above (simplified access for specific programs), you can also define other scenarios with the field Degree of simplification for authorization check, for example read access even for a personnel clerk who is no longer responsible for a specific employee, i.e. a separate check of organizational assignment and infotype authorization.

Data protection for objects of Organizational Management / Training & Event Mgmt (PLOG)

Access to objects of Organizational Management, Training & Event Management and Personnel Development is controlled with authorization object Personnel planning (PLOG). This object checks the following fields:

PLVAR: Plan version
INFOTYP: Infotype
OTYPE: Object type
SUBTYP: Subtype
ISTAT: Planning status
PPFCODE: Function code

Further HR authorization objects

S_MWB_FCOD   Allowed Function Codes for Manager's Desktop
P_OCWBENCH   Activities in the Off-Cycle Workbench
P_APPL       Applicants
P_PE02       Authorization for Personnel Calculation Rule
P_PE01       Authorization for Personnel Calculation Schemas
P_PCLX       Clusters
P_PCR        Payroll Control Record
P_CERTIF     Statements
P_TCODE      Transaction Code
P_CATSXT     P_CATSXT

* In this list some international or country specific authorization objects are missing. For the complete list, or how to find them, please use Maintenance of Authorization Objects (transaction SU21) and display object class HR.

Concept of structural authorization

User ... has structural profile, ... which is checked:

  User  ->  Structural authorization  ->  Transaction

  Structural authorization side:  Structural profile -> "Fields" -> "Value"
  Transaction side:               Structural profile -> "Fields" -> "Value"

Examples for structural profiles

Example 1:
Profiles for personnel officers
- who need full access to org. units, positions and persons
- who are responsible for the employees per branch of the organizational structure

Organizational structure used in the example:
  OU0:001
    OU1:100: Pos1 (Pers1), Pos2 (Pers2)
    OU2:200: Pos3 (Pers3), Pos4 (Pers4)
    OU3:300: Pos5 (Pers5), Pos6 (Pers6)

Profile   Nr.  PV  OT  OID  Maint.  E-Path  StatV  Depth  Sign  Per.  FM
All       1    01  O   001  X       O-S-P   1
All_OU1   1    01  O   100  X       O-S-P   1
All_OU2   1    01  O   200  X       O-S-P   1
All_OU3   1    01  O   300  X       O-S-P   1

Examples for structural profiles

Example 2:
Profiles for training administrators
- who create new event groups
- who create new event types
- who create new events

Training structure used in the example:
  EG0:001
    EG1:100: ET1 (E1), ET2 (E2)
    EG2:200: ET3 (E3), ET4 (E4)
    EG3:300: ET5 (E5), ET6 (E6)

Profile   Nr.  PV  OT  OID  Maint.  E-Path  StatV  Depth  Sign  Per.  FM
All       1    01  L   001  X       L-D-E   12
All_EG1   1    01  L   100  X       L-D-E   12
All_EG2   1    01  L   200  X       L-D-E   12
All_EG3   1    01  L   300  X       L-D-E   12

Definition of structural authorizations

For the definition of structural authorizations the following fields are used:

Field name:              Meaning:
Authorization profile:   Key of the profile
Sequence number:         Line number of the profile definition
Plan version:            For which plan version the profile is valid
Object type:             Object type of the start object
Object ID:               Object ID of the start object
Maintenance:             Maintenance or only read access
Evaluation path:         Evaluation path to be used
Status vector:           Planning status of the relations to read
Depth:                   Reading depth
Sign:                    Reading direction (top down or bottom up)
Period:                  Restriction according to the validity period of the structure
Function module:         Function module for dynamic definition of the start object

and ...

Definition of structural authorizations

... the following fields are the most important:
- Object type and Object ID: What is the starting object of the structural authorization? (What are the type and the ID of the starting object?)
- Object type and Function module: What is the starting object of the structural authorization? (Which function module is used to find the starting object?)
- Evaluation path: Which objects will be in the profile?
- Maintenance: Which type of access does the profile give?
- Period: For which validity period of the structure does the profile give access?

Example structure (start object OU0:001, valid from 1.1.02, evaluation path O-S-P read top down: O -> S -> P):
  OU0:001
    OU1:100: Pos1 (Pers1), Pos2 (Pers2)
    OU2:200: Pos3 (Pers3), Pos4 (Pers4)
    OU3:300: Pos5 (Pers5), Pos6 (Pers6)

Generic definition of structural authorizations

Profile for managers who are assigned to manager positions:

  OU0:001
    OU1:100: Pos1 = Manager (Pers1), Pos2 (Pers2)
    OU2:200: Pos3 = Manager (Pers3), Pos4 (Pers4)
    OU3:300: Pos5 = Manager (Pers5), Pos6 (Pers6)

Generic structural profile for these users:

Profile   Nr.  PV  OT  OID  Maint.  E-Path  ...  Function Module
Manager   1    01  O        X       O-S-P        RH_GET_MANAGER_ASSIGNMENT

No start object defined in the profile!
Generic definition of structural authorizations

Profile for employees who have a position in an organizational unit:

  OU0:001
    OU1:100: Pos1 (Pers1), Pos2 (Pers2 = Employee)
    OU2:200: Pos3 (Pers3), Pos4 (Pers4 = Employee)
    OU3:300: Pos5 (Pers5), Pos6 (Pers6 = Employee)

Generic structural profile for these users:

Profile   Nr.  PV  OT  OID  Maint.  E-Path  ...  Function Module
Manager   1    01  O        X       O-S-P        RH_GET_ORG_ASSIGNMENT

No start object defined in the profile!
Generic definition of structural authorizations

Logic used by the two standard modules for finding the start object (relationship types as shown on the slide):

Function module RH_GET_MANAGER_ASSIGNMENT:        Function module RH_GET_ORG_ASSIGNMENT:
  O0                                                O0
  O1   O2                                           O1   O2
  S1 -A012 (= Has)-> O1                             S1 -A003-> O1
  US1 -A268-> P1 -> S1                              US1 -A268-> P1 -> S1
  US2 -A268-> P2 -> S2                              US2 -A268-> P2 -> S2

You can define your own modules, which can use other relationship types or object types!
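The start-object logic above, together with the evaluation of a structural profile along the O-S-P path (the Depth and Maintenance fields and the All/All_OU1/Manager profiles from the preceding slides), as an added example in Python, not SAP code: the org plan mirrors the slides' tree, the relationship codes B002/B003/A008/B008 used for the path, the depth semantics and the user IDs are assumptions of this model, and the two stand-in functions replace RH_GET_MANAGER_ASSIGNMENT and RH_GET_ORG_ASSIGNMENT.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Obj = Tuple[str, str]   # (object type, object ID), e.g. ("O", "100")

# Constructed org plan after the slides' tree. The relationship codes are assumptions
# of this model: B002 O->O (subordinate org unit), B003 O->S (incorporates), A008 S->P
# (holder), B008 P->S (holder of), A012 S->O (manages), A003 S->O (belongs to);
# A268 US->P is the user-to-person link as labelled on the slide.
ORG_PLAN: Dict[Obj, List[Tuple[str, Obj]]] = {
    ("O", "001"): [("B002", ("O", "100")), ("B002", ("O", "200")), ("B002", ("O", "300"))],
    ("O", "100"): [("B003", ("S", "Pos1")), ("B003", ("S", "Pos2"))],
    ("O", "200"): [("B003", ("S", "Pos3")), ("B003", ("S", "Pos4"))],
    ("O", "300"): [("B003", ("S", "Pos5")), ("B003", ("S", "Pos6"))],
    ("S", "Pos1"): [("A008", ("P", "Pers1")), ("A012", ("O", "100"))],  # Pos1 = Manager
    ("S", "Pos2"): [("A008", ("P", "Pers2")), ("A003", ("O", "100"))],  # Pos2 belongs to OU1
    ("S", "Pos3"): [("A008", ("P", "Pers3")), ("A012", ("O", "200"))],
    ("S", "Pos4"): [("A008", ("P", "Pers4")), ("A003", ("O", "200"))],
    ("S", "Pos5"): [("A008", ("P", "Pers5")), ("A012", ("O", "300"))],
    ("S", "Pos6"): [("A008", ("P", "Pers6")), ("A003", ("O", "300"))],
    ("P", "Pers1"): [("B008", ("S", "Pos1"))],
    ("P", "Pers2"): [("B008", ("S", "Pos2"))],
    ("US", "US1"): [("A268", ("P", "Pers1"))],   # US1: the manager Pers1
    ("US", "US2"): [("A268", ("P", "Pers2"))],   # US2: the employee Pers2
}
# Evaluation path as (source type, relationship, target type) steps.
EVAL_PATHS = {"O-S-P": [("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P")]}


def related(obj: Obj, relationship: str, target_type: str) -> List[Obj]:
    """Objects linked to `obj` by `relationship` whose type is `target_type`."""
    return [t for rel, t in ORG_PLAN.get(obj, []) if rel == relationship and t[0] == target_type]


@dataclass
class StructuralProfile:
    name: str
    plan_version: str
    eval_path: str
    otype: Optional[str] = None
    objid: Optional[str] = None
    maintenance: bool = False      # 'X' on the slide: write access, else read only
    depth: Optional[int] = None    # levels below the start object; None = unlimited
    start_fm: Optional[Callable[[str], Optional[Obj]]] = None  # generic start object


def rh_get_manager_assignment(user: str) -> Optional[Obj]:
    """Stand-in for RH_GET_MANAGER_ASSIGNMENT: US -A268-> P -B008-> S -A012-> O."""
    for person in related(("US", user), "A268", "P"):
        for pos in related(person, "B008", "S"):
            for org in related(pos, "A012", "O"):
                return org
    return None


def rh_get_org_assignment(user: str) -> Optional[Obj]:
    """Stand-in for RH_GET_ORG_ASSIGNMENT: US -A268-> P -B008-> S -A003-> O."""
    for person in related(("US", user), "A268", "P"):
        for pos in related(person, "B008", "S"):
            for org in related(pos, "A003", "O"):
                return org
    return None


def authorized_objects(profile: StructuralProfile, user: str) -> Set[Obj]:
    """Start object plus everything reached along the evaluation path (depth-limited)."""
    if profile.start_fm is not None:
        start = profile.start_fm(user)            # dynamic start object
    else:
        start = (profile.otype, profile.objid) if profile.otype and profile.objid else None
    if start is None:                             # no start object: profile grants nothing
        return set()
    seen: Set[Obj] = {start}
    frontier = [(start, 0)]
    while frontier:
        obj, level = frontier.pop()
        if profile.depth is not None and level >= profile.depth:
            continue
        for src_type, rel, tgt_type in EVAL_PATHS[profile.eval_path]:
            if obj[0] == src_type:
                for nxt in related(obj, rel, tgt_type):
                    if nxt not in seen:
                        seen.add(nxt)
                        frontier.append((nxt, level + 1))
    return seen


def has_access(profile: StructuralProfile, user: str, obj: Obj, write: bool = False) -> bool:
    """Structural check: object inside the profile and, for writes, Maint. set."""
    if write and not profile.maintenance:
        return False
    return obj in authorized_objects(profile, user)


# Profiles from the slides: explicit start object versus function-module start object.
ALL = StructuralProfile("All", "01", "O-S-P", otype="O", objid="001", maintenance=True)
ALL_OU1_READ = StructuralProfile("All_OU1", "01", "O-S-P", otype="O", objid="100")
MANAGER = StructuralProfile("Manager", "01", "O-S-P", maintenance=True, start_fm=rh_get_manager_assignment)
EMPLOYEE = StructuralProfile("Employee", "01", "O-S-P",  start_fm=rh_get_org_assignment)
```

Calling `authorized_objects(MANAGER, "US1")` yields OU1 with its positions and persons, while the same profile yields nothing for US2, whose position manages no org unit; `authorized_objects(EMPLOYEE, "US2")` reaches the same OU1 subtree through the A003 assignment.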

Structural authorizations and performance

The authorization check for users with big authorization profiles can cause performance problems.

To avoid this you should:
- not use "open evaluation paths"
- use object type specific evaluation paths

For users with big profiles you should use:
- Authorization view storing in SAP memory (RHBAUS00)
- Automatic assignment of concerned users (RHBAUS02)
- Automatic update of concerned users (RHBAUS01 and RHBAUS02)

Effective maintenance and assignment of structural profiles
Task: Define structural profiles
  - Manual definition
  - Generic definition
  Result: Structural profiles defined

Task: Assign profiles
  - Manual assignment
  - Store profile at org. unit or position and distribute (RHPROFL0)

Task: Optimize performance for big profiles
  - Manual assignment of users
  - Assignment with report RHBAUS02
  Result: Users with big profiles assigned for view storing in SAP memory

Task: Define job for regular run of RHBAUS00

The main switches for HR authorizations
Switch (standard delivery value) and what it controls:

ORGIN: 1    This switch controls the use of authorization object P_ORGIN
ORGXX: 0    This switch controls the use of authorization object P_ORGXX
PERNR: 1    This switch controls the use of authorization object P_PERNR
NNNNN: 0    This switch controls the use of a customer defined authorization object
ADAYS: 15   Tolerance period for the authorization check in calendar days
ORGPD: 0    This switch controls if in Personnel Administration also the organizational structure (and structural profiles) should be processed in the authorization check.
- The main authorization switches are stored in table T77S0 under the group name AUTSW. With these switches you can adapt the behaviour of the authorization check on access to HR infotypes to your requirements. The switch settings can differ per client.
- The figure shows the switch values of the standard delivery.
- The master data check (ORGIN) and the extended check (ORGXX) can be used additively (both switches have the value 1) or alternatively (only one switch has the value 1).
- Note: you can maintain the settings with transaction OOAC or in the IMG of Personnel Administration under Tools → Authorization Management → Edit main authorization switches.

Complete profile of an HR user: two-part authorization concept

Profiles defined with structural authorization  +  Profiles defined with HR authorization objects  =  Complete profile of the user

User 1:  structural profile  +  P_ORGIN (INFTY 0-6, ...)  =  Complete profile of user 1
User 2:  structural profile  +  P_ORGIN (INFTY 0-8, ...)  =  Complete profile of user 2

Enhancement possibilities

If you want to define more specific authorization profiles than possible with the standard authorization objects or the standard structural authorization, you can use the following enhancements:
- Define a customer specific authorization object (P_NNNNN) and activate the authorization check with this object:
  The enhancement of the authorization concept with a customer defined object is advised if you want to check fields which are not checked in the standard object. (For this requirement you should also see the customizing possibilities of field VDSK1 in object P_ORGIN.)
- BAdI: Authorization (HRPAD00AUTH_CHECK)
  The use of this BAdI is advised if you want to implement your own check logic for HR master data. (For more details about the implementation of this BAdI please see the implementation examples in the BAdI definition.)
- BAdI: Structural authorization (HRBAS00_STRUAUTH)
  The use of this BAdI is advised if you want to implement your own check logic for the structural authorization.

Special authorization questions concerning specific HR applications

Employee Self Service:
Use the special transaction HR_USER for assigning roles/profiles to ESS users!
See ESS Implementation Guide 4.6C (ISBN 1-893570-97-5), Role and User (page 89).

Manager's Desktop:
Make sure your Manager's Desktop users have all authorizations they need for the functions available in Manager's Desktop!

Ad-hoc-Query and SAP Query:
Make sure the InfoSets of your users are consistent with the profiles of your users!

Special authorization questions concerning specific HR applications: Employee Self Service

Employee Self Service:

For creation and maintenance of ESS users use the special transaction HR_USER.
1. Copy and adapt the role SAP_WP_Employee or SAP_ESSUSER
2. Select employees
3.

Special authorization questions concerning specific HR applications: Employee Self Service

1. + 2.

3. a) Reconcile users/ESS role
   b) Create user and/or assign ESS role
   c) Delete users

Special authorization questions concerning specific HR applications: Manager's Desktop

Does the user have authorizations for all functions available in the tree?

Special authorization questions concerning specific HR applications: Manager's Desktop

Does the user have authorizations for all infotypes available in the InfoSet? (Depending on the function mode of the Ad-hoc-Query this might be handled by the role and the profile generator.)

Authorization concepts in HR: Summary

HR authorization objects:  P_ORGIN, P_ORGXX, P_ABAP, PLOG, ...
Structural authorization
Enhancements:  P_ORGIN: VDSK1, P_NNNNN, BAdI: HRPAD..., BAdI: HRBAS...

The HR authorization objects and the structural authorization permit implementing even very complex authorization requirements for data protection and access authorization.

If needed, this standard can be enhanced in several ways (without modification!).
Protection against not allowed Download/Export

You can protect your data against not allowed download or export with authorization object Authorization for GUI activities (S_GUI).

Interesting SAP notes in this context:
0028777
0030724
0119800

Don't forget in this context the data protection by assignment of specific printers for your personnel officers or specific printer rooms!

Protection against not allowed execution of reports or logging of report execution

Generally a user can only start reports which are available through his role menu and the specific profile.

Even if a user could access the start screen of a report which is not available in his menu, he cannot execute this report because of the missing entry in his profile.

Another way to protect critical data (which sometimes must be accessible) is to write a log file about the execution of these reports.
(You find this setting in the IMG under: Personnel Administration → Tools → Revision → Log report starts)

Additionally you should check for every application user that the transactions SA38 and SE38 are not available through his profile!

Protection against not allowed reporting with generic reporting tools: Protection by role menu/profile

As for reports and other functions, generic reporting tools (Ad-hoc-Query, SAP Query) are only available for a user if they are part of his role and the specific role menu.

So you can prevent access to these tools by creating a role menu without these tools.

Beside this access protection, which controls the general access to these tools ...

Protection against not allowed reporting with generic reporting tools: Authorization object S_QUERY

... access in the query area is additionally controlled by the authorization object S_QUERY. This object controls which activities a user can execute in the query tools:
- Create/change queries
- Create/change InfoSets and user groups

(It is not possible to create additional coding for InfoSets with this authorization object!)

Even if a user had been able to start a generic reporting tool without such an entry in his menu and without correct values in the authorization object, he could not define or start queries ...

Protection against not allowed reporting with generic reporting tools: InfoSets and User groups

..., because access to HR infotypes is only possible through explicitly assigned InfoSets.

Don't forget in this context:
The authorization profiles defined with authorization objects and the structural authorization are relevant for work with the Ad-hoc-Query in the same way as for work with programmed reports or other applications!

No InfoSet - No Query!

Protection against not allowed reporting with generic reporting tools

..., beside these security features, which concern in the first place the development and/or execution of predefined queries, it is also possible to log Ad-hoc-Reporting.
For logging of Ad-hoc-Reporting you define for which InfoSet the logging should be active, and you get selection fields, output fields, user, date etc.

You can report on the log files with the user group /SAPQUERY/SQ and the InfoSet /SAPQUERY/QUERY_LOGGING.

(To activate in the IMG: Basis Components → SAP Query → Logging)

Continuous security control with the Security Audit Log

In addition to the system log, the Security Audit Log gives the possibility to log security relevant events in the system. The following event classes and ratings can be used for log writing:

Event classes to be logged:
- Dialog logon
- RFC/CPIC logon
- RFC function call
- Transaction start
- Report start
- User master change
- Other

Possible rating of events to audit:
- Only critical
- Important and critical
- All

Additionally you can connect the Security Audit Log to the Computing Center Management (CCMS) Alert Monitor.

Continuous security control with the Security Audit Log

1. You define the classes and events to be logged.

Continuous security control with the Security Audit Log

2. Event specific definition of the log filter.

General functions for access authorization and data protection: Conclusion

General security functions:
- Role concept
- Printer control
- Print control
- Import/Export control
- Variants
- ...

Security functions in the Query area:
- Role concept
- Separation of Dev./Prod.
- Authorization object S_QUERY
- InfoSets, User groups
- ...

Log writing, Audit- and Trace functions:
- Log start of reports
- Log for Ad-hoc-Reporting
- Security Audit
- Trace
- ...

The general functions for data protection, the functions in the query area and the log writing and audit functions complete the mySAP HR authorization concepts and allow implementing further functions for data protection.
Legal Requirements: Company specific legal requirements

... the starting point in this area!

Company specific requirements
- The starting point for legal requirements in a lot of countries are company specific regulations and guidelines, which very often have virtually the same function and significance as national or international law!
- Take care to get the representatives of the employees on board when you collect legal requirements.

Legal Requirements: The most common terms in national legal requirements

... to know in this context:

- Personal data
- Sensitive data
- Fair and lawful use
- Purpose
- Adequacy
- Accuracy
- Information (of data subjects)
- Security and confidentiality ("... with appropriate costs in relation to risk")
- Notification
- Remedies and penalties
- ...
More in:
A Guide to Data Protection Compliance for Multinational Organisations with Operations in Europe (by Maitland & Co/UK)

Legal Requirements: Data protection web sites about national legal requirements

Australia: www.privacy.gov.au/
Austria (DE, EN): www.bka.gv.at/datenschutz/
Belgium (EN, NL, FR): www.privacy.fgov.be/
Canada (EN, FR): www.privcom.gc.ca/
Denmark (DN, EN): www.datatilsynet.dk/
Finland: www.tietosuoja.fi/
France (FR, EN, ES): www.cnil.fr/
Germany (DE, EN): www.bfd.bund.de/
Great Britain: www.dataprotection.gov.uk/
Greece: www.dpa.gr/
Hong Kong (EN): www.pco.org.hk/
Hungary (EN): www.obh.hu/adatved/indexek/index.htm/
Ireland: www.dataprivacy.ie/

Legal Requirements: Data protection web sites about national legal requirements

Italy (IT, EN): www.garanteprivacy.it/garante/ie/HomePage


Japan: www.somucho.go.jp/
Netherlands (NL, EN): www.registratiekamer.nl/
New Zealand: www.privacy.org.nz/
Norway (NO, EN): www.datatilsynet.no/
Portugal: www.cnpd.pt/
Spain: www.ag-protecciondatos.es/
Sweden (SV, EN): www.datainspektionen.se/
Switzerland (D, F, IT, EN): www.edsb.ch/
USA/Safe Harbor: www.export.gov/safeharbor/

Use also the web pages of employee representation associations in the different countries. They very often offer good templates for a data protection guideline, which are also very useful for the technical implementation.

Legal Requirements: EU Data Protection Directive

EU Directive
- Prohibits transfer of personal data to countries without equivalent protections
  (Concerns: data accuracy, appropriate use, personal awareness, right of access, ...)

Impact of the EU Directive
- Makes operating in Europe simpler, not more complex
- The law is still evolving, and this creates uncertainty
- International data users have to examine their business practices in the light of the changing legislation

But!!!: The EU Directive does not
- outlaw global HR
- make it impossible to process European data outside of Europe
- stop us doing global skill or competency databases
provided that we follow some guidelines, which you can find ...

- Identifiable person
  - Reference to an id
  - Reference to one or more factors specific to their physical, physiological, economic, cultural or social identity
- Sensitive data
  - Age, health, financial, job performance information, religious beliefs

Legal Requirements: EU Data Protection Directive and similar questions

... on the following web pages:

Newest decision about the "Safe Harbour Principles" as equivalent to the European data protection directive:
www.ita.doc.gov.ecom
http://europa.eu.int/comm/internal_market/en/media/dataprot/news/safeharbor.htm

Answers to further questions concerning international data transfer are available on the following web pages:
Transfer of data between USA and Japan:
Center for Social and Legal Research and the Japan-US Privacy and Data Protection Program (http://www.privacyexchange.org/japan/jlegal/jprivacylaws.html): Guide to Privacy and Data Protection in Japan. Hackensack, NJ: CSLR, November 30, 2000.
Transfer of data between ASEAN and non-ASEAN countries:
Asia Pacific Security (http://www.dfat.gov.au/arf/rshome.html)
Transfer of data between MERCOSUR and non-MERCOSUR countries:
In this area there is no general regulation available at present. Either see the web pages of the specific MERCOSUR countries for detailed information or take the EU or US pages as a starting point.

Legal Requirements: International requirements and legislation / Information sources

Roadmap for definition and implementation of a company specific data protection concept

Who is involved?
- employees
- representatives of the employees
- employer
- consultants (internal/external)
- SAP
- ...
Goal: Get all involved groups in the company into the discussion about the security and data protection concept!

Which guidelines and legal requirements have to be applied?
- Company specific data protection guideline
- Legal requirements
- European data protection guideline
Goal: Get a first overview of the requirements to respect.

Further points:
- Web applications
- Budget for security and data protection
- Interfaces
- Development / productive system
- ...
Goal: Keep in mind the organizational framework and special requirements and conditions.

Roadmap: First specification of the company requirements based on business requirements

Before the technical questions of authorization (roles, profiles, ...) the functional business requirements and the necessary data should be fixed (with or without system context!):

- Which roles are necessary for HR data, which roles for administration and customizing?
  Goal: Get business definition of roles.
- Which data should be stored in the system?
  Goal: Get overview of data to be stored.
- Which reports are necessary?
  Goal: Get list of reports to be defined.

... and the results should be documented in a first version of the data protection guideline!

Roadmap: Start of technical implementation

After the business definition of requirements the possibilities of technical implementation must be evaluated and rated – also under a security aspect!

- Start technical definition of roles.
  Goal: Get technical definition of „functional roles“. Get information about available authorization objects for the „data profile“.
- Evaluate and start technical implementation of data storage.
  Goal: Get overview about pros and cons of the different possibilities: standard infotype, customer infotype, ...
- Evaluate and start technical implementation for reporting.
  Goal: Get overview about reporting techniques and approaches to be used.
Roadmap: Security relevant decisions based on information coming from the technical implementation

The information coming from the different implementation steps gives the background for our security decisions and their implementation:

- How will we control the „data access profile“ (which concepts can/will we use)?
  Goal: Technical definition of the „data access profile“ (document in the data protection guideline!).
- Fix the list of used infotypes (PA and PD) and used object types (document in the data protection guideline!).
  Goal: Evaluate implications for the „data access profile“ (also functional profile) and adapt profiles.
- Implement technical solutions for reporting and evaluate implications for the „data access profile“.
  Goal: Evaluate implications for the „data access profile“ (also functional profile) and adapt profiles.

Already during the technical implementation it should be specified how the guideline should be controlled in the productive system!

Roadmap: Test, final implementation and continuous audit

After tests and implementation: control of the guideline in regular time periods:

- Execute and analyze system audits → Logs with warnings? Change of parameters?
- Analyze log files → Work related use?
- Analyze „Top Ten“/„Low Ten“ → Check not necessary reports: enhance or delete from menu and profile.
- Analyze incorrect log-ons, incorrect start of transactions, ... → Reason? (bad usability, not allowed access, missing function in profile, ?)

Authorizations and data protection in mySAP HR: Conclusion

General security and authorization concepts:
- general security (SSO, ...)
- Roles/Profiles
- S_GUI, ...
- InfoSets, User groups, ...

mySAP HR authorization concepts:
- Authorization objects
- Structural authorization
- Enhancements
- ...

Definition and implementation of a company specific data protection concept:
- Documentation
- Transparency
- Audit

Using
- the general security functions in mySAP,
- the authorization concepts in mySAP HR,
- and a company specific concept for data protection
you can implement an authorization concept and a data protection guideline which fulfills company specific and legal requirements.

Copyright SAP AG. All rights reserved.

- No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
- Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
- Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
- IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.
- ORACLE® is a registered trademark of ORACLE Corporation.
- INFORMIX®-OnLine for SAP and Informix® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.
- UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
- Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
- HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
- JAVA® is a registered trademark of Sun Microsystems, Inc.
- JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
- SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Please complete your session evaluation and drop it in the box on your way out.

Be courteous — deposit your trash, and do not take the handouts for the following session.

The SAP TechEd 2001 Staff
