One morning the company’s security manager or auditor appears at your door and catches you off guard with a question, “Hey, how can I know if someone is looking at employee salaries or peeking at their social benefits?” Without hesitating or looking away from your computer, you answer the obvious, “Well, if the person doesn’t need this function as part of his job description, he doesn’t have permissions for it.” But this uninvited guest is not leaving. He replies, “And what if he got permission by accident, or if he moved to a different position and the relevant authorization wasn’t removed…? How can I know if this person is still using his old permissions and looking at sensitive employee data?”
Now, you know that HCM (i.e. Human Capital Management, or HR) data is a sensitive topic in the company, because there are regulations about exposing it, so you stop what you were doing and answer, “Well, if he changed any data we can look at change logs, if you suspect something.” Deep in your heart you know that this doesn't exactly answer what he’d asked, but you hope that it will be sufficient enough for him to go away. NOT! Unfortunately, he’s on to you and he replies, “I didn’t ask about changing the sensitive data, I asked about viewing it.”
Eventually you sigh, defeated, “Well, I can use the SAP logs to tell you who entered the T-Codes – such as T-Code PA30 or PA40 – that enable one to see HR Infotypes, but I can’t tell you who really saw the data, and what data, like which Infotype and Subtype was seen by whom.”
This is not a good start to your day…
The Only Real Solution for Knowing Who is Viewing Sensitive Data
Let me ease your mind about your answer – you were right. There is no way to know who is viewing sensitive employee data in the standard SAP system. Unfortunately, SAP didn’t include a simple basic mechanism to track, and more importantly, to alert about access to sensitive data. Unless self developed, you will need to acquire a third party tool like ProfileTailor Dynamics HCM Auditor to track and get alerts about access to HCM data.
ProfileTailor Dynamics identifies and alerts about high risk HR / HCM activity and unauthorized data access.
From our experience, if you want to get the most out of tracking HCM, this is the key data you need:
• Reports of possible access – you should be able to see clearly who has authorization to access specific Infotypes, Subtypes, Personnel Areas, Employee Groups, etc.
• Usage Inspection – you should be able to monitor access to HCM objects, like Employees and Infotypes. You have to know who displayed or changed HCM data, including what exact information was displayed or changed.
• Alerting capabilities – in order to be in control and not to be swamped with data, you should get immediate alerts when unusual or sensitive activity is performed so you can react instantly and prevent leakage of sensitive information.
The following are examples of the type of HCM activity that would generate immediate alerts:
• A Business User (not from the Human Resources dept.) suddenly accesses Infotype 0002 (Personal Details).
• A User viewed information in Infotype 0008 (Payments) in the payroll area “Senior Management.”
• Someone changed social security data using T-Code PA30 (Maintain HR Master Data).