Data production

Former Member

hi,

Can anybody send me material about data production?

regards,

jana

Accepted Solutions (1)

Former Member

hi,

Symptom

Questions on the topic of data protection in SAP systems and in R/3 in particular.

Reason and Prerequisites

The R/3 System processes highly sensitive personal data. The R/3 System is used in many states worldwide and it must represent different national laws, in particular in the area of Financial Accounting and Human Resources.

The EU data protection guidelines apply to the European Economic Area; in Germany, the business-related processing of personal data is defined in the German Data Protection Act (Bundesdatenschutzgesetz, BDSG).

The purpose of this law is the protection of the personal rights of the individual.

The data protection officer (Datenschutzbeauftragter, DSB) has to ensure the observance of this law as well as other regulations on data protection.

Solution

On the basis of the strict German security and data protection rules, R/3 had to contain security functions for data protection from the very beginning. A large number of security mechanisms to ensure the confidentiality and integrity of data is provided, such as authentication, the authorization concept, logging, data compression and encryption, as well as secure embedding in different operating systems, databases and networks.

Thus the preconditions are developed to adjust an SAP R/3 System to the security requirements of the company. These requirements must be defined by the persons responsible for security and data protection at the beginning of the project and have to be customized for the specific systems. Generally, a test system with test data will have a lower security level than a production system with actual personal data.

The book "Sicherheit und Datenschutz mit SAP-Systemen" (as listed in the bibliography in the attachment) provides an introduction to the security functions and their interaction within SAP systems. In the book, security is closely linked to data protection and data security. The book emphasizes the incorporation of real-life measures into corporate security.

• Security guide

The security of the overall system is the ultimate precondition for data protection.

The question whether or not a business application is secure and ensures data protection cannot be answered theoretically but only in practical use. The project management and the administrators take a high level of responsibility because they have to realize and monitor the possibilities of the system in accordance with the security requirements of the company (security concept).

For this purpose the SAP security guide R/3 is provided, which is delivered to the system administrators. It basically deals with the following chapters:

o Databases (117 pages *)

o Operating systems (39)

o Communication methods (22)

o Network infrastructure (19)

o Communication interfaces (22)

o Internet (23)

o Authorization concept (27)

o User authentication (24)

o Logging and check (17)

o Encryption (10)

o Protection of the system in production (20)

(*: number of pages in Release 3.0 of 04/11/2001)

How much security depends on administration can be shown with the example of user authentication via password design. The specifications of state or country data protection officers can be carried out in the R/3 System as follows:

o Every person receives a separate user ID

o The user ID is only valid for a certain period

You can set the validity period for each user via the From-To date, for example for maintenance or in case of emergency.

o Display the last logon

Date and time of the last logon are contained in system status.

o Minimum length of the password is 6 characters

allowed settings: 3 up to 8.

o No first names or no trivial passwords

You can list all prohibited passwords in table USR40. In addition, the first three characters must not match the user ID or be identical (for example AAA).

o Requirement to change the password

Entry by number of days.

o Preventing the use of old passwords

The last five passwords must not be used.

o Protection of the password file

Passwords are stored as hash values. They cannot be reconverted. Transmission from the frontend is carried out compressed. When you use Secure Network Communication (SNC), the password does not have to be transferred via the network. The original password is not known and is not stored.

o Limitation of logon attempts with block of the user

You can set the number of invalid logon attempts from 1 to 99, in each case until the end of a session or until the user lock occurs.

o Logging of failed attempts

Failed logon attempts and user locks are registered in the system log. If desired, you can additionally enter all successful and unsuccessful logons in the security audit log with user ID and ID of the terminal.

o No logon via function key

Client, user ID and password are not required, if SNC makes the authentification. The normal logon process can then be locked.

o Automatic logoff after prolonged period of inactivity

The maximum period of inactivity has to be specified in seconds.

o The administration should note that a distribution of the security guide in the company gives persons in other areas the option of checking the observance of the guidelines.

• Guides of working groups

The data protection working group, within the working group audit, developed a 'Data Protection Guideline SAP R/3' ('Leitfaden Datenschutz für SAP R/3').

It is divided into the following chapters:

o Implementation process

o Tasks of the data protection officer (DPO)

o Rights of the persons concerned and of all persons

o Carrying out of the organizational/technical measures

o Order data processing

o Special topics such as quality audit information system

Purchase order number 5002 4598 (German only). The guide can be viewed on the Internet, under information material, at the following address:

http://www.sap.de/revis

or

http://www.sap-ag.de/germany/aboutsap/revis/

A revision of the guide with respect to changes in the German Data Protection Act (BDSG) and to release 4.6 has been available in the Internet since October 2001.

The working group audit developed several inspection guides. The 'SAP Prüfleitfaden R/3 FI' (inspection guide), for example, contains the following important chapters in the system section for the persons in charge of data protection and security:

o System overview

o Security and protection against unauthorized access

o Workbench organizer and transport system

o Table access and logging

Purchase order number 5001 4633 (German or English). The guide can be viewed on the Internet under the above address.

The following points from the guides relevant for data protection are emphasized:

o The 'Audit Information System' for internal auditors consists of a report tree which can also be used for data protection, especially in the areas of system configuration, repository, security configuration and authorizations;

o The PC download can generally be prohibited via authorization object or be restricted with an exit for specific applications or users;

o Separation of the systems in development, quality assurance and production;

o Task sharing of the authorization administration in user administrator, activation administrator, and authorization administrator;

o Logging of all security-related events in the security audit log, like logging on and off, starting a transaction, starting a report, calling RFC, changing authorization, download.

"Logging of user actions" is described in detail in Note 139418.

Reports with information about the storage of data of the persons concerned can be extracted from the AIS, e.g. RFDKVZ00 and RFKKVZ00 in the business, balance-oriented audit for debtors and creditors, in HR with RPPSTM00 (personnel summary) or Transaction PA10 (personnel file). In IS-H, patient data is listed with Report RNLAUS00. Here, we recommend that you contact the specialist departments.

As already mentioned above, data protection in an overall system can only be ensured if, on the one hand, the system side (operating system, database, network, R/3 application) provides the respective support and, on the other hand, the necessary steps are taken in the project. A weakness in one system component can endanger the overall system.

• Remote Service

Using Remote Service, SAP offers services for customers; a remote connection is required. The SAP safety measures regarding physical and logical connections, network safety with encryption and authentication, as well as the measures which customers must take, can be found in Note 46902 and in the brochure "Safety of Customer Connections" (order number 5002 8244).

On the SAP Service Marketplace, the booklet can be accessed directly via the alias name /remoteconnection.

http://service.sap.com/remoteconnection

Please note that the ordering party (the customer) always controls the connection: he opens and closes the session, and creates the user with password and access authorizations. The customer decides whether personal data may be accessed in the system in production. In most cases, this access is not required - mapping in the test system is sufficient.

During Remote Service in the system in production, it is not intended to transfer personal data to SAP in an order, store them there and process them in a defined way. The data are just displayed; processing is carried out on the customer PC only. The technical and organizational measures are required on the customer side. This also includes control and logging of maintenance measures.

Please see the alias /certificates for information about the comprehensive certification measures of SAP development and maintenance:

http://service.sap.com/certificates

Apart from the certification to meet legal requirements in financial accounting and HR payroll, ISO certificates for global development and Corporate Support, you can also find the ITSEC security certificate of the BSI there.

• Realization

The practical recommendations for data protection differ from company to company.

In the company there should be a contact person for data protection. He should be supervised by the management and should not be subject to instructions.

He is responsible for informing employees, checking programs, authorizations, data avoidance and transmissions. He is the contact person if questions and complaints occur.

In Germany you have to nominate a data protection officer whose tasks are determined in the German Data Protection Act. The directives of the European Union also consider the DPO as an alternative to self-control in the company. Thus, obligations to report can be simplified or avoided.

The project management should additionally determine persons in charge of the individual applications and systems. The system administrators are responsible for security of the overall system (see security guideline), the persons responsible for the applications are the contact persons for the persons in charge of data protection. They must have the required R/3 education and training to be able to fulfill these tasks.

The DPO should be integrated in the single projects which accompany personal data processing, like the employee representation (works council or personnel council in Germany). In the project plan, a corresponding basic education and training should be provided.

However, it is not required that the DPO becomes an SAP specialist. He has to rely on the help of colleagues and the technical knowledge of his contact persons, administrators and SAP consultants.

With the example of the BDSG (German Data Protection Law), proposals are shown how the tasks of a person in charge of data protection can be fulfilled in the R/3 System.

Check and training (§ 4g)

1. Monitoring the correct application of programs that process personal data

The standard R/3 System software is subject to regular checks by respected international evaluation companies. In Germany software is evaluated according to the following criteria:

o Principles of proper accounting (GoB)

o Comments of the technical committee on modern account settlement systems (FAMA)

o Principles of proper computer-supported accounting systems (GoBS)

o Tax rules

The audit guides of the audit working group provide recommendations for external and internal auditors concerning the check procedure in the R/3 System.

Checking the proper application of the programs, in particular the modifications and enhancements, can be carried out by internal auditing on the basis of audit guides and procedure overviews (see below).

How the check is carried out will differ in the companies depending on the time available and the scope of the data to be checked.

There can be various variants:

o Monitoring of data entry

Form standards, screen

o Transaction-oriented evaluation

PA10: Personnel file displays the contents of the infotypes with converted reference numbers.

o Table, field and program analysis with the ABAP Dictionary. The reference numbers must be interpreted in the check tables.

Rules for modifications and customer development should exist and you should adhere to them. The DPO should be informed about any DP plans as early as possible. This is the only way he can check whether aspects relevant to data security are affected.

With the SAP authorization concept, any functions or objects in the SAP System can be protected. The programmer determines where and how checks are run; the user administrator determines who is authorized to execute a function or access an object.

The user administration should be carried out in the already mentioned trisection. Here the user IDs and initial passwords are created.

They check whether the new user has been informed about his responsibility for the processing of personal data or whether the user has been bound to the data secret.

It is recommended that all users of the system generally sign this agreement, even if they do not have access to personal data.

This central instance can enforce further rules, if required:

o Ensuring the protection of business and operating secrets in the corporate group and of foreign companies.

o Special obligation of the administrators and the emergency users who have extensive authorizations in the R/3 System as well as in the system environment. In particular logon abuse must be prevented (secure passwords).

o Confidential handling of all information related to the access and handling of the system, like password, addresses, data structure, programs and documentation.

In the HR system, there is the option to monitor the program use including the parameter variants set. You can use this to determine abuse and problems in the authorization assignment.

2. Training persons processing personal data

The corresponding data protection training can be entered for each person in the HR system in infotype 0022. In infotype 0035, you can store the obligation to ensure data security additionally as company instructions.

Overviews (§§ 4e and 4g)

It is useful to create overviews to get an overview of personal data processing. You should record in which systems and in which SAP components personal data is processed. These overviews are required for check, advance control and information purposes.

In the data protection workshop, we decided to recommend the splitting of the overviews into a public register and company-internal procedure directory:

o The public register is the basis for a report to the supervising authority and for information to anybody. The reports should be brief and clear.

o The company-internal procedure directory serves the data protection officer for fulfilling his tasks. For advance control, it may have to contain details down to the field level. In addition, the persons with access authorization and the security measures need to be added.

According to the BDSG (German Data Protection Law), the overviews are to be provided by the responsible instance.

To fulfill this obligation, the responsible user department must at least have sufficient knowledge of table processing, the repository information system, ABAP Dictionary and the authorization concept. In this area the DPO should acquire basic knowledge with the help of the user department.

Since the DPO should be involved in the projects from the very beginning, he takes part in the decisions as to which data to enter and to store in Customizing. At this point the requirements for the following items in the overviews have to be discussed:

1. Purpose of data collection, processing or utilization

Examples:

mySAP HR: Personnel Administration, Payroll Accounting, Time Management, Organizational Management, Recruitment, Personnel Services

mySAP FI: Maintenance and services for customers and vendors

mySAP CRM: Telemarketing, contact management, services management, resource planning, Internet Customer Self-Service

2. Description of the groups of persons and the corresponding data

For the public register, general information is sufficient, such as

Persons: Employees, applicants, customers, vendors

Data: Employee, applicant, customer, vendor data acc. to the standard of mySAP HR, mySAP FI and mySAP CRM;

For the company-internal procedure directory, the data protection officer needs more comprehensive information. In the R/3 system, you can trace the personal data down to the individual fields of a table or a program. The data protection officers have to define the detail of information they need to be able to fulfill their tasks.

It does seem to be useful to only create file overviews which are required for the validity check. It is not mandatory that they exist on paper but they can be generated dynamically from R/3. Extensive file registers are quickly outdated and redundant.

You should also note that tools are available in the ABAP Workbench which support dynamic analysis in the system:

In the list display, you can carry out additional selections or where-used lists of objects. Search icons allow automatic search for single terms. With the Data Browser you can determine certain vendors or personnel numbers via table keys.

Since the BDSG (German Data Protection Law) demands overviews, you should also consider the request by the Data Protection Consultant (see the bibliography) for easily comprehensible directories for standard software:

o Especially for complex standard software, there is a risk of generating a data cemetery with more than questionable practical benefit.

o The respective application should be documented in a way that you can check eligibility, recognize data flow and know the system administrator for details and documentation.

o Since the remuneration accounting, customers, vendors and trip costs contain both personal and financial data, the company should adapt the principles of proper computer-supported accounting systems (GoBS).

o The DPO keeps his registers compact and clear and refers to the persons responsible for documentation according to the GoBS.

The management of a check-oriented overview of the especially important company data could be regarded as another approach. This could contain for example prohibited data, data that has to be especially protected, and data to be deleted on time. In practice checks would concentrate on this data.

During the check you can dynamically access each single table field. The ABAP Dictionary provides the following information (Transaction SE11) here:

o Table structures with fields and domains

o Where-used lists for tables, fields and domains in templates (screens), programs, screens and tables

o Online documentation of tables and fields

o Value tables for the allowed values of a domain

o Table contents

o Number of currently filled entries in a table

o Versions of table definition

3. Recipients or categories of recipients

Recipients of personal data are for example bank, tax office, social security institutions, health insurance agencies, insurance agencies, home savings banks, pension offices.

4. Time limits for deletion of data

Here you can give instructions regarding the periodic deletion of data e.g. after expiry of the preservation period.

For detailed lists regarding time limits see the following Internet address:

http://www.heilbronn.ihk.de/dokumente/aufbewahrung.htm

1. Planned data transmission to other countries

Here, the recipients in countries out of the EC with low data protection level should be added in particular.

Permission is granted when a contract has to be fulfilled, or in case of special contracts where a high protection level is defined. Due to the bureaucratic permit procedure defined in Art. 26 of the EC regulations, the standard contract clauses recommended by the EC should be used:

http://europa.eu.int/comm/internal_market/en/dataprot/news/clauses.htm

2. General description of security measures

The measures largely depend on the importance of the data. Apart from access protection by means of firewalls, user access lists and routers, the measures recommended in the security guide need to be checked: particularly authentication, user administration, authorization concept, authorizing, operating system, database, network and security software.

3. Persons with access authorization

With the R/3 authorization concept the access to transactions and programs is allowed for individuals or employee groups.

Example in HR:

With authorizations, for example for transactions, programs, infotypes and info subtypes, the access modes are determined. There are read authorizations, authorizations for locked writing and release of locked entries (dual control).

In order to meet all security requirements from the point of view of the system and application, a comprehensive authorization concept is required.

It is not sufficient to assign certain check tasks to the system environment, such as the database table check. In addition, the cluster and pool single tables are only known to the R/3 System, the database only knows the containers cluster pool or table pool.

In a business application, the user has different activity characteristics, for example to process business objects like display, create, change, mark, activate, delete, which cannot be delegated to the database. Furthermore, user authorizations must be coordinated with the user department according to business criteria: The user may only access selected parts of a table in certain program-specific constellations, such as reading in a specific transaction, under a predefined program constellation, in plant 0001, for the purchasing group ABC.

Administration and user department may use the role concept which considerably simplifies the authorization maintenance. Different roles are assigned to the users according to the job description which contains individual authorization objects in generated profiles.

The direct testing with current roles remains as a check task for the DPO and the internal auditing in order to find out whether the access protection described and required is kept. A list of theoretical access modes is used for documentation.

• Attachment: Tools for data analysis

Basic knowledge of the R/3 table structure is required here. Terms like transparent table, pool table, cluster table, structure, field name, data element, domain, screen should be known.

Information on tables, structures, field names, data elements and domains as well as their use in programs, screens and tables can be determined via the ABAP Dictionary.

The role SAP_CA_AUDITOR_DS is intended for the data protection auditor. It contains the required read authorizations.

How can the responsible department create a data overview for the DPO or branch down to the individual fields?

Due to legal requirements an employer has to store more than 200 detailed specifications on the employee. In HR, master data is processed in more than 300 tables (infotypes) with more than 10,000 fields. The tables PA0000 to PA0999 are reserved for master data (structure P0000 to P0999).

In a table overview (see point 1 below), you can create a short description of infotypes or tables for the DPO.

Examples (number of tables):

HRPA* Personnel planning data: 99 (in 4.6C test system)

PA0* HR master data: 468

PA2* Time data: 13

PB0* Applicant master data: 34

PB4* Applicant data: 6

KN* Customer master record: 30

LF* Vendor master: 18

SADR* Address administration: 19

(PA0*: all tables starting with PA0)

Tables with personal reference are not specified as personal reference tables in the SAP System, but can be determined via personnel domains (see point 3 below).

During Customizing, the person in charge of the project determines, which infotypes are used in the company. In addition, it is checked which fields are required. If the DPO is involved in the project, a field analysis for individual tables in the ABAP Dictionary can be performed here.

In the ABAP Dictionary and the AIS, functions are available that allow you to drill down to the single fields of tables. Table contents and the number of entries can also be derived from the ABAP Dictionary display. In addition, the generated lists can be stored on the PC for further processing (download authorization required).

The menu paths may differ slightly between the individual R/3 releases. As an example, Release 4.6C is listed here:

1. Table overview

Menu path: -> Tools -> ABAP Workbench -> Development -> Dictionary (SE11) -> Database table 'PA0*' -> Display -> Print

2. Display or print tables and fields (can also be printed as a table manual with report RSSDOCTB)

Menu path: -> Tools -> ABAP Workbench -> Overview -> Information system -> ABAP Dictionary -> Fields -> Structure fields 'P000*' -> Print (SE84)

3. Where-used list of tables, data elements and domains

Menu path: -> Tools -> ABAP Workbench -> Development -> Dictionary with selection -> Domains 'KUNNR' for customer number -> Utilities -> Where-used list -> indirect application -> Table (or program, screen (SE11))

The lists generated can be stored via PC as Excel, Word or text file, and if necessary, they can be used for a separate register:

Menu path: -> System -> List -> Save -> Local file -> not converted, or converted as spreadsheet, rich text format or HTML format

4. Audit Information System

The AIS provides transactions, reports and variants which allow you to create an extensive file register "at the touch of a button".

Menu path: -> Information Systems -> Audit Info System -> System Audit

-> Human Resources Audit / Data Protection Audit

-> File Register for Personnel-Related Data

Among other things, there are variants for applicants, customers, vendors, employees, persons responsible and users. When Report RSCRDOMA is started, you can decide whether or not only those tables that are filled are to be evaluated. The report supplies a list of all tables in which the domains of the variants occur. Individual table fields can be displayed in this list; a where-used list of tables in reports or screens can be generated from it.

• Bibliography:

o Bergmann/Möhrle/Herb, Datenschutzrecht Handkommentar, Richard Boorberg publishing company, status: October 1995

o Dammann, Ulrich; Simitis, Spiros: EG-Datenschutzrichtlinie. Nomos Verlagsgesellschaft, Baden-Baden 1997.

o GDD, Data protection in the company: Arbeitshilfe für betriebliche Praxis, 4th edition 1994, Gesellschaft für Datenschutz und Datensicherung e.V., Bonn

o Gliss, Hans, Das Register nach § 37 BDSG und die Pflichten des Datenschutzbeauftragten, Datenschutz-Berater 4/1998, Verlagsgruppe Handelsblatt GmbH

o Hornberger, Werner; Schneider, Jürgen: Sicherheit und Datenschutz mit SAP-Systemen. Galileo Press GmbH, Bonn 2000 (www.galileo-press.de). English translation: Security and Data Protection with SAP Systems. Addison Wesley, London 2001.

regards,

reddy
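The password rules listed under "Security guide" in the answer above, put into a small checker so the effect of each setting can be exercised offline. This is an added example written for this page, not SAP code; the USR40 contents, the user IDs and the policy defaults are constructed, and the reading of the "first three characters" rule is stated in the comments.

```python
"""Checker for the R/3 logon rules listed in the note above (minimum length,
prohibited passwords from table USR40, first three characters, password
history, failed-logon lock, password expiry). Added example, not SAP code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Constructed stand-in for the contents of table USR40 (prohibited passwords).
USR40_PROHIBITED = {"SAP", "PASSWORD", "SECRET", "INIT", "123456"}


@dataclass
class LogonPolicy:
    min_length: int = 6            # note: allowed settings are 3 up to 8
    max_length: int = 8
    expiry_days: int = 90          # "requirement to change the password", in days
    history_size: int = 5          # the last five passwords must not be reused
    max_failed_attempts: int = 3   # settable from 1 to 99 before the user lock

    def __post_init__(self) -> None:
        if not 3 <= self.min_length <= self.max_length <= 8:
            raise ValueError("minimum length must be within 3 to 8")
        if not 1 <= self.max_failed_attempts <= 99:
            raise ValueError("failed-attempt limit must be within 1 to 99")


def check_new_password(user_id: str, password: str, history: List[str],
                       policy: LogonPolicy) -> List[str]:
    """Return the rule violations for a proposed password (empty list = accepted).
    Comparison is case-insensitive (assumption made for this example)."""
    pw, uid = password.upper(), user_id.upper()
    problems: List[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if pw in USR40_PROHIBITED:
        problems.append("listed as prohibited in USR40")
    # "The first three characters must not match the user ID or be identical":
    # read here as: must not occur in the user ID, and must not all be the same.
    if len(pw) >= 3 and pw[:3] in uid:
        problems.append("first three characters occur in the user ID")
    if len(pw) >= 3 and len(set(pw[:3])) == 1:
        problems.append("first three characters are identical")
    if pw in {h.upper() for h in history[-policy.history_size:]}:
        problems.append(f"one of the last {policy.history_size} passwords")
    return problems


@dataclass
class UserRecord:
    user_id: str
    password_changed: date
    failed_attempts: int = 0
    locked: bool = False


def record_logon_attempt(user: UserRecord, success: bool,
                         policy: LogonPolicy) -> str:
    """Count invalid logon attempts until the user lock occurs; a successful
    logon resets the counter. Returns a system-log style event line."""
    if user.locked:
        return f"{user.user_id}: logon refused, user is locked"
    if success:
        user.failed_attempts = 0
        return f"{user.user_id}: logon successful"
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_failed_attempts:
        user.locked = True
        return f"{user.user_id}: user locked after {user.failed_attempts} failed attempts"
    return (f"{user.user_id}: logon failed "
            f"({user.failed_attempts}/{policy.max_failed_attempts})")


def password_expired(user: UserRecord, today: date, policy: LogonPolicy) -> bool:
    """True once the change interval (entered in days) has elapsed."""
    return today - user.password_changed >= timedelta(days=policy.expiry_days)


if __name__ == "__main__":
    policy = LogonPolicy()
    print(check_new_password("JANA", "JAN123", [], policy))
    jana = UserRecord("JANA", date(2001, 1, 1))   # constructed user
    for ok in (False, False, False, True):
        print(record_logon_attempt(jana, ok, policy))
    print(password_expired(jana, date(2001, 4, 11), policy))
```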

Former Member

thanks

Answers (2)

former_member190272
Active Contributor

Hi

Please stop this. This is not good in SAP. Please stop.

Thanks

Pankaj Kumar

Former Member

Hi All,

You both, Reddy, are friends. In one day he asks a question and you give the answer. I think in the morning your points must have been 10 to 20 points for sure, but now your points are 80+. You are gaining the points from only one person. I can clearly see you are making some unwanted dirty game here. If this goes on, some action will be taken for sure. So stop this, now itself.

pherasath