Xpandion Blog


Who’s Looking at Top-Secret Salary Information?


One morning the company’s security manager or auditor appears at your door and catches you off guard with a question, “Hey, how can I know if someone is looking at employee salaries or peeking at their social benefits?” Without hesitating or looking away from your computer, you answer the obvious, “Well, if the person doesn’t need this function as part of his job description, he doesn’t have permissions for it.” But this uninvited guest is not leaving. He replies, “And what if he got permission by accident, or if he moved to a different position and the relevant authorization wasn’t removed…? How can I know if this person is still using his old permissions and looking at sensitive employee data?”


Now, you know that HCM (i.e. Human Capital Management, or HR) data is a sensitive topic in the company, because there are regulations about exposing it, so you stop what you were doing and answer, “Well, if he changed any data we can look at the change logs, if you suspect something.” Deep in your heart you know that this doesn't exactly answer what he asked, but you hope that it will be sufficient for him to go away. NOT! Unfortunately, he’s on to you and he replies, “I didn’t ask about changing the sensitive data, I asked about viewing it.”

Eventually you sigh, defeated, “Well, I can use the SAP logs to tell you who entered the T-Codes – such as T-Code PA30 or PA40 – that enable one to see HR Infotypes, but I can’t tell you who really saw the data, and what data, like which Infotype and Subtype was seen by whom.”

This is not a good start to your day…

The Only Real Solution for Knowing Who is Viewing Sensitive Data

Let me ease your mind about your answer – you were right. There is no way to know who is viewing sensitive employee data in the standard SAP system. Unfortunately, SAP didn’t include a simple, basic mechanism to track, and more importantly, to alert about access to sensitive data. Unless you develop one yourself, you will need to acquire a third-party tool like ProfileTailor Dynamics HCM Auditor to track and get alerts about access to HCM data.


ProfileTailor Dynamics identifies and alerts about high risk HR / HCM activity and unauthorized data access.

From our experience, if you want to get the most out of tracking HCM, this is the key data you need:

Reports of possible access – you should be able to see clearly who has authorization to access specific Infotypes, Subtypes, Personnel Areas, Employee Groups, etc.

Usage Inspection – you should be able to monitor access to HCM objects, like Employees and Infotypes. You have to know who displayed or changed HCM data, including what exact information was displayed or changed.

Alerting capabilities – in order to be in control and not to be swamped with data, you should get immediate alerts when unusual or sensitive activity is performed so you can react instantly and prevent leakage of sensitive information.

Practical Examples
The following are examples of the types of HCM activity that would generate immediate alerts:
• A business user (not from the Human Resources dept.) suddenly accesses Infotype 0002 (Personal Details).
• A user views information in Infotype 0008 (Payments) in the payroll area “Senior Management.”
• Someone changes social security data using T-Code PA30 (Maintain HR Master Data).
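The three alert conditions above, expressed as rules run over a feed of HCM access records. This is an added illustration, not code from the original post or from ProfileTailor Dynamics; the records, the record field names and the `field_class` tag that marks a field as social security data are all constructed assumptions standing in for whatever access tracking source you actually have.

```python
# Constructed example: rule-based alerting over SAP HCM access records.
# The records, field names and the "field_class" tag are assumptions, not
# from the original post; they stand in for whatever access tracking you have.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class HcmAccess:
    user: str
    dept: str  # department of the user who performed the access
    action: str  # "DISPLAY" or "CHANGE"
    tcode: str  # transaction code, e.g. PA30 or PA40
    infotype: str  # e.g. "0002" (Personal Details), "0008" (Payments)
    payroll_area: str = ""
    field_class: str = ""  # constructed tag, e.g. "social_security"

# A rule returns an alert message for a record, or None if it is benign.
Rule = Callable[[HcmAccess], Optional[str]]

def non_hr_views_personal_details(a: HcmAccess) -> Optional[str]:
    if a.infotype == "0002" and a.dept != "HR":
        return f"{a.user} ({a.dept}) accessed Infotype 0002 (Personal Details)"
    return None

def payments_of_senior_management(a: HcmAccess) -> Optional[str]:
    if a.infotype == "0008" and a.payroll_area == "Senior Management":
        return f"{a.user} viewed Infotype 0008 (Payments) in payroll area 'Senior Management'"
    return None

def ssn_changed_via_pa30(a: HcmAccess) -> Optional[str]:
    if a.action == "CHANGE" and a.tcode == "PA30" and a.field_class == "social_security":
        return f"{a.user} changed social security data via PA30"
    return None

RULES: List[Rule] = [non_hr_views_personal_details, payments_of_senior_management, ssn_changed_via_pa30]

def evaluate(records: List[HcmAccess]) -> List[str]:
    """One alert line per (record, matching rule); a record may trigger several rules."""
    return [msg for a in records for rule in RULES if (msg := rule(a))]

# Constructed sample feed: one benign HR lookup, then records that should alert.
SAMPLE = [
    HcmAccess("hr_clerk1", "HR", "DISPLAY", "PA30", "0002"),
    HcmAccess("sales07", "Sales", "DISPLAY", "PA30", "0002"),
    HcmAccess("hr_clerk1", "HR", "DISPLAY", "PA30", "0008", payroll_area="Senior Management"),
    HcmAccess("fin02", "Finance", "CHANGE", "PA30", "0002", field_class="social_security"),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE):
        print("ALERT:", line)
```

Note that the last sample record trips two rules at once, which is exactly the kind of correlation a standard transaction-level log (who started PA30) cannot give you.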

Get the Solution
Get in touch with us about effectively monitoring your HR data access, because ProfileTailor Dynamics HCM Auditor is the only realistic solution. Contact us now for a free demo.

Dror Aviv joined Xpandion in 2010 as a programmer in the R&D team. Combining technical knowledge with implementation skills, Mr. Aviv serves today as a Senior Implementation Advisor, bringing with him extensive hands-on experience from the field. He works closely with customers at their sites, and is an expert in defining customer needs, translating them into business processes and implementing them via ProfileTailor Dynamics’ suite of products.
