Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
P\6$3 +5
Michael Bonrat
Product Manager, SAP AG
1
$XWKRUL]DWLRQV DQG 'DWD 6HFXULW\ LQ P\6$3 +5
Legal requirements
2
&RQFHSW RI DXWKRUL]DWLRQ REMHFWV
Value
Value
SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /3
3
([DPSOH IRU DQ DXWKRUL]DWLRQ REMHFW 3B25*,1
INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization level
PERSA: Personnel area
PERSG: Employee Group
PERSK: Employee Subgroup
VDSK1: Organizational key
4
([DPSOH IRU DQ DXWKRUL]DWLRQ SURILOH GHILQHG ZLWK DQ
+5 DXWKRUL]DWLRQ REMHFW
Example for the level of detail you can use for the data access and
mode of access (read, write, ...) :
P_ORGIN
INFTY = 0-6 Which type of data (of an employee) can be
SUBTY = * accessed?
AUTHC = R, M
How can the data be accessed?
PERSA = DE01
PERSG = 1
Data of which employees can be accessed?
PERSK = *
VDSK1 = *
5
7KH PRVW LPSRUWDQW +5 DXWKRUL]DWLRQ REMHFWV
6
([WHQGHG SURWHFWLRQ IRU +5 PDVWHU GDWD 3B25*;;
INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization level
SACHA: Payroll Administrator
SACHP: Administrator for HR Master Data
SACHZ: Administrator for Time Recording
SBMOD: Administrator Group
The fields SACHA, SACHP, SACHZ and SBMOD are fields from infotype Organizational
assignment (0001).Since this info type can have time dependent records, it is
possible that a user has access authorization only for specific time intervals.
7
'DWD SURWHFWLRQ IRU DSSOLFDQW GDWD 3B$33/
INFTY: Infotype
SUBTY: Subtype
AUTHC: Authorization Level
PERSA: Personnel area
APGRP: Applicant Group
APTYP: Applicant Range
VDSK1: Organizational Key
RESRF: Personnel officer responsible for application
In contrast to objects P_ORGIN and P_ORGXX the check with this authorization
object can not be disabled.
8
7KH DXWKRUL]DWLRQ ILHOG 9'6. 2UJDQL]DWLRQDO .H\
This fields allows to implement authorization profiles based on authorization objects in a more
complex way. You can define complex rules, which fill this field with the combined values of
fields in infotype 0001 of your employees records and check again this value with your
authorization profiles.
9
$FFHVV DXWKRUL]DWLRQ IRU DFFHVV RQ RZQ PDVWHU GDWD
3B3(515
The field Interpretation of assigned personnel number and the options EXCLUDE
and INCLUDE controls on infotype level, if on access on the own personnel number
a higher or lower (as defined in P_ORGIN) authorization should be available..
Example of an user profile with In unserem Beispiel soll der Benutzer weiterhin ein Sachbearbeiter
sein, der für die Basisbezüge (Infotyp 0008) eines Personalbereichs zuständig ist (weil es die
entsprechende P_ORGIN Berechtigung) besitzt. Weiterhin soll es so sein, daß der Mitarbeiter,
unabhängig davon, für welchen Personalbereich er zuständig ist, seine eigenen Daten immer
anzeigen können soll, aber seine Basisbezüge nicht ändern können soll. Die entsprechenden
Berechtigungen für das Berechtigungsobjekt P_PERNR müssen dann wie folgt gesetzt werden:
AUTHC = R, M AUTHC = W, S, D, E
PSIGN = I PSIGN = E
INFTY = * INFTY = 0008
SUBTY = * SUBTY = *
This profile allows the user to read data of all infotypes, which are stored for his own person. The
second authorization prevents him from changind data for infotype 8 records of his own personnel
number.
For all other personel numbers as for writing access of all infotypes (except for infotype 0008) the
authorization profile as defined in P_ORGIN is relevant.
10
6LPSOLILHG DFFHVV RQ H[HFXWLRQ RI VSHFLILF SURJUDPV
3B$%$3
If specific non critical reports (Phone list, internal address list, ...)
should be available also for users, which normally don‘t have access
to HR data, you can define such profiles with authorization object HR:
Reporting (P_ABAP).
Aside from the above describe scenario (simplified access for specific programs),
you can also define other scenarios with the field Degree of simplification
for authorization check for example an reading access even for an personal
clerk, which is no more responsible for an specific employee, i.e. an separate check
of organizational assignment and infotype authorization
11
'DWD SURWHFWLRQ IRU REMHFWV RI 2UJDQL]DWLRQDO
0DQDJHPHQW 7UDLQLQJ (YHQW 0JPW 3/2*
12
)XUWKHU +5 DXWKRUL]DWLRQ REMHFWV
*in this list some international or country specific authorization objects are missing. For the
complete list or how to find them please use Maintainenance of Authorization Objects (TR:
SU21) and display object class HR.
SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /13
13
&RQFHSW RI VWUXFWXUDO DXWKRUL]DWLRQ
14
([DPSOHV IRU VWUXFWXUDO SURILOHV
OU0:001
Example 1:
Profiles for personal officers,
z who need full access to Org.Units, OU1:100 OU2:200 OU3:300
Positions and Persons
Pos1 Pos3 Pos5
z who are responsible for the
employees per branch of the Pers1 Pers3 Pers5
organizational structure Pos2 Pos4 Pos6
Pers2 Pers4 Pers6
Profile
Profile Nr.
Nr. PV
PV OT
OT OID
OID Maint.
Maint. E-Path
E-Path StatV
StatV Depth
Depth Sign
Sign Per.
Per. FM
FM
All
All 11 01
01 O
O 001
001 X
X O-S-P
O-S-P 11
All_OU1
All_OU1 11 01
01 O
O 100
100 X
X O-S-P
O-S-P 11
All_OU2
All_OU2 11 01
01 O
O 200
200 X
X O-S-P
O-S-P 11
All_OU3
All_OU3 11 01
01 O
O 300
300 X
X O-S-P
O-S-P 11
15
([DPSOHV IRU VWUXFWXUDO SURILOHV
EG0:001
Example 2:
Profiles for training administrators,
z who creates new event groups EG1:100 EG2:200 EG3:300
z who creates new event types ET1 ET3 ET5
z who creates new events
E1 E3 E5
ET2 ET4 ET6
E2 E4 E6
Profile
Profile Nr.
Nr. PV
PV OT
OT OID
OID Maint.
Maint. E-Path
E-Path StatV
StatV Depth
Depth Sign
Sign Per.
Per. FM
FM
All
All 11 01
01 LL 001
001 X
X L-D-E
L-D-E 12
12
All_EG1
All_EG1 11 01
01 LL 100
100 X
X L-D-E
L-D-E 12
12
All_EG2
All_EG2 11 01
01 LL 200
200 X
X L-D-E
L-D-E 12
12
All_EG3
All_EG3 11 01
01 LL 300
300 X
X L-D-E
L-D-E 12
12
16
'HILQLWLRQ RI VWUXFWXUDO DXWKRUL]DWLRQV
and ...
17
'HILQLWLRQ RI VWUXFWXUDO DXWKRUL]DWLRQV
18
*HQHULF GHILQLWLRQ RI VWUXFWXUDO DXWKRUL]DWLRQV
Manager
Manager 11 01
01 O
O X
X O-S-P
O-S-P RH_GET_MANAGER_
RH_GET_MANAGER_
ASSIGNMENT
ASSIGNMENT
No start
object
defined in
the profile!
SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /19
19
*HQHULF GHILQLWLRQ RI VWUXFWXUDO DXWKRUL]DWLRQV
Manager
Manager 11 01
01 O
O X
X O-S-P
O-S-P RH_GET_ORG_
RH_GET_ORG_
ASSIGNMENT
ASSIGNMENT
No start
object
defined in
the profile!
SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /20
20
*HQHULF GHILQLWLRQ RI VWUXFWXUDO DXWKRUL]DWLRQV
Logic used by the two standard modules for start object finding:
A012 O1 O2 O1 O2
= Hat
A003
S1 A012 A003
S1
= Hat
US1 P1 S2 S2
US1 P1
A268 A268
US2 P2 US2 P2
A268 A268
You can define your own modules, which can use other relationsship types
or object types!
21
6WUXFWXUDO DXWKRUL]DWLRQV DQG SHUIRUPDQFH
22
(IIHFWLYH PDLQWHQDQFH DQG DVVLJQPHQW RI VWUXFWXUDO
SURILOHV
Task:
Define structural
Task:
profiles
Optimize
perfomance for
big profiles
Manual Generic
Definition Definition
Manual Assignment with
assignment of report
Result:
users RHBAUS02
Structural
profiles defined
Result:
Task: Users with big
Assign profiles profiles assigned
for view storing
in SAP-Memory
Store profile at
Manual Org.Unit or Task:
Assignment Position and Define job for
distribute regular run of
(RHPROFL0) RHBAUS00
23
7KH PDLQ VZLWFKHV IRU +5 DXWKRUL]DWLRQV
This switch controls the use of
authorization object P_ORGIN
This switch controls the use
of authorization object
P_ORGXX
24
&RPSOHWH SURILOH RI DQ +5 XVHU WZRSDUW DXWKRUL]DWLRQ
FRQFHSW
Profiles,
Profiles, defined Profiles,
Profiles, defined
with structural with HR
authorization:
authorization: authorization
objects:
objects:
25
(QKDQFHPHQW SRVVLELOLWLHV
26
6SHFLDO DXWKRUL]DWLRQ TXHVWLRQV FRQFHUQLQJ VSHFLILF
+5 DSSOLFDWLRQV
Manager‘s Desktop:
Make sure the InfoSets of your users are consistent to the profiles
of your users!
27
6SHFLDO DXWKRUL]DWLRQ TXHVWLRQV FRQFHUQLQJ VSHFLILF
+5 DSSOLFDWLRQV (PSOR\HH 6HOI 6HUYLFH
2. Select employees
3.
28
6SHFLDO DXWKRUL]DWLRQ TXHVWLRQV FRQFHUQLQJ VSHFLILF
+5 DSSOLFDWLRQV (PSOR\HH 6HOI 6HUYLFH
1. + 2.
3. a) Reconcile a)
users/ESS-role
b) Create user b)
and/or assign
ESS-Role
c) Delete users c)
29
6SHFLDO DXWKRUL]DWLRQ TXHVWLRQV FRQFHUQLQJ VSHFLILF
+5 DSSOLFDWLRQV 0DQDJHU¶V 'HVNWRS
30
6SHFLDO DXWKRUL]DWLRQ TXHVWLRQV FRQFHUQLQJ VSHFLILF
+5 DSSOLFDWLRQV 0DQDJHU¶V 'HVNWRS
31
$XWKRUL]DWLRQ FRQFHSWV LQ +5 6XPPDU\
32
3URWHFWLRQ DJDLQVW QRW DOORZHG 'RZQORDG([SRUW
0028777
0030724
0119800
33
3URWHFWLRQ DJDLQVW QRW DOORZHG H[HFXWLRQ RI UHSRUWV RU
ORJJLQJ RI UHSRUW H[HFXWLRQ
34
3URWHFWLRQ DJDLQVW QRW DOORZHG UHSRUWLQJ ZLWK JHQHULF
UHSRUWLQJ WRROV 3URWHFWLRQ E\ 5ROH PHQXSURILOH
35
3URWHFWLRQ DJDLQVW QRW DOORZHG UHSRUWLQJ ZLWK JHQHULF
UHSRUWLQJ WRROV $XWKRUL]DWLRQ REMHFW 6 B48(5<
36
3URWHFWLRQ DJDLQVW QRW DOORZHG UHSRUWLQJ ZLWK JHQHULF
UHSRUWLQJ WRROV ,QIR6HWV DQG 8VHU JURXSV
37
3URWHFWLRQ DJDLQVW QRW DOORZHG UHSRUWLQJ ZLWK JHQHULF
UHSRUWLQJ WRROV
..., beside these security features, which concern in first line the development and/or
execution of predefined queries, it is also possible to log Ad-hoc-Reporting.
For logging of Ad-Hoc-Reporting you define for which InfoSet the logging should be active
and you get selection fields, output fields, user, date etc..
You can report on the log files with the user group /SAPQUERY/SQ and the InfoSet
/SAPQUERY/QUERY_LOGGING.
38
&RQWLQRXV VHFXULW\ FRQWURO ZLWK WKH 6HFXULW\ $XGLW
/RJ
Gives additonal to the System log the possility to lot security relevant
events in the system. The following event and classifications can be used
for log-writing:
39
&RQWLQRXV VHFXULW\ FRQWURO ZLWK WKH 6HFXULW\ $XGLW
/RJ
40
&RQWLQRXV VHFXULW\ FRQWURO ZLWK WKH 6HFXULW\ $XGLW
/RJ
41
*HQHUDO IXQFWLRQV IRU DFFHVV DXWKRUL]DWLRQ DQG GDWD
SURWHFWLRQV &RQFOXVLRQ
The general functions for data protection, in the query area and log writing
and audit functions complete the mySAP HR authorization concepts and
allow to implement further functions for data protection.
9
SAP AG 2001, TechED Vienna , WR13D3W1, Michael Bonrat /42
42
/HJDO 5HTXLUHPHQWV &RPSDQ\ VSHFLILF OHJDO
UHTXLUHPHQWV
z Starting point for legal requirements in a lot of countries are company specific
regulations and guidelines, which very often have virtually the same function and
significance as national or international law!
z Take care to take the in the boat the representants of the employee, when you
collect legal requirements
43
/HJDO 5HTXLUHPHQWV 7KH PRVW FRPPRQ WHUPV LQ
QDWLRQDO OHJDO UHTXLUHPHQWV
z Personal Data
z Sensitive Data
z Fair and lawfull use
z Purpose
z Adequacy
z Accuracy
z Information (of data subjects)
z Security and Confidentiality („... with appropriate costs in relation to risk“)
z Notification
z Remedies and penalties
z ...
More in:
A Guide to Data Protection Compliance for Multinational Organisations
with Operations in Europe (by Maitland & Co/UK)
44
/HJDO 5HTXLUHPHQWV 'DWD SURWHFWLRQ :HE 6LWHV
DERXW QDWLRQDO OHJDO UHTXLUHPHQWV
Australia: www.privacy.gov.au/
Austria (DE, EN): www.bka.gv.at/datenschutz/
Belgium (EN, NL, FR): www.privacy.fgov.be/
Canada (EN, FR): www.privcom.gc.ca/
Denmark (DN, EN): www.datatilsynet.dk/
Finland: www.tietosuoja.fi/
France (FR, EN, ES): www.cnil.fr/
Germany (DE, EN): www.bfd.bund.de/
Great Britain: www.dataprotection.gov.uk/
Greece: www.dpa.gr/
Hong Kong (EN): www.pco.org.hk/
Hungary (EN): www.obh.hu/adatved/indexek/index.htm/
Ireland: www.dataprivacy.ie/
45
/HJDO 5HTXLUHPHQWV 'DWD SURWHFWLRQ :HE 6LWHV
DERXW QDWLRQDO OHJDO UHTXLUHPHQWV
Use also the web pages of employee representation associations in the different
countries. They offer very often good templates for a data protection guideline,
which are also very usefull for the technical implementation
46
/HJDO 5HTXLUHPHQWV (8 'DWD 3URWHFWLRQ 'LUHFWLYH
EU Directive
Prohibits transfer of personal data to countries w/o equivalent
protections
(Concerns: Data accuracy, Appropriate use, Personal awareness,Right of
access, ...)
z Identifiable Person
y Reference to an id
y Reference to one or more factors specific to their physical, physiological, economic, cultural or
socila identity
z Sensitive data
y Age, health, financial, job performance information, religious beliefs
47
/HJDO 5HTXLUHPHQWV (8 'DWD SURWHFWLRQ 'LUHFWLYH
DQG VLPLODU TXHVWLRQV
48
/HJDO 5HTXLUHPHQWV ,QWHUQDWLRQDO UHTXLUHPHQWV
DQG OHJLVODWLRQ,QIRUPDWLRQ VRXUFHV
!
!
49
5RDGPDS IRU GHILQLWLRQ DQG LPSOHPHQWDWLRQ RI D
FRPSDQ\ VSHFLILF GDWD SURWHFWLRQ FRQFHSW
50
5RDGPDS )LUVW VSHFLILFDWLRQ RI WKH FRPSDQ\
UHTXLUHPHQWV %DVHG RQ EXVLQHVV UHTXLUHPHQWV
51
5RDGPDS 6WDUW RI WHFKQLFDO LPSOHPHQWDWLRQ
52
5RDGPDS 6HFXULW\ UHOHYDQW GHFLVLRQV EDVHG RQ
LQIRUPDWLRQ FRPLQJ IURP WKH WHFKQLFDO LPSOHPHQWDWLRQ
53
5RDGPDS 7HVW )LQDO ,PSOHPHQWDWLRQ DQG
FRQWLQXRXV $XGLW
54
$XWKRUL]DWLRQV DQG GDWD SURWHFWLRQ LQ P\6$3 +5
&RQFOXVLRQ
Using
the general security functions in mySAP
the authorization concepts in mySAP HR
and a company specific concept for data protection 9
you can implement an authorization concept and a data protection guideline,
which fulfills company specific and legal requirements.
55
&RS\ULJKW 6$3 $* $OO ULJKWV UHVHUYHG
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components
of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of
Microsoft Corporation.
IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and
OS/400® are registered trademarks of IBM Corporation.
ORACLE® is a registered trademark of ORACLE Corporation.
INFORMIX®-OnLine for SAP and Informix® Dynamic ServerTM are registered trademarks of Informix Software
Incorporated.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and
other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI,
SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered
trademarks of SAP AG in Germany and in several other countries all over the world. All other products
mentioned are trademarks or registered trademarks of their respective companies.
56
Please complete your session evaluation
and drop it in the box on your way out.
57