Input on Auditing, Monitoring, Alerting packages for SAP (HR)

Former Member
0 Kudos

Hi All,

Just trying to come up to speed on what's available in this area. Could you share your experiences with use of packages including Business Objects, SAP Certified Partners, others? Just looking for an overview of this space. Most on SDN seem SAP/Business Objects centric. Would like real customer experiences from you good people.

Thanks,

Doug

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Doug,

Can you provide a bit more info on what you are looking for? In what context do you want Auditing, Monitoring, Alerting?

5 REPLIES

0 Kudos

Hi Alex,

To be perfectly honest we may not even be to the point where we can ask meaningful questions. We have a situation internally that has us taking a fresh look at who is accessing sensitive HR data. We have monitoring turned on and can run SM20 but in the end nothing is being done. Just starting to look at this space and it's becoming obvious that there are many aspects to consider from proactive analysis on separation of duties, risk analysis, detection, mitigation, violation reporting. Data masking can also be in play in HR.

So obviously I'm trying to get my head around the big picture but to answer your question I'm trying to understand the space enough to see if there is anything that could...

1.) Give us some level of protection short term in the way of monitoring data, transaction use and provide sufficient tools to tools set provide effective setup/analysis.

2.) Have that solution be compatible with any fuller implementation we'd eventually pursue when we fully understand this space and decide to take on world hunger so to speak.

Thanks,

Doug

0 Kudos

Hi Doug,

Thanks for that extra info, sounds like you have your work cut out! At least looking for an integrated approach is the right one in my mind.

Unfortunately in the HR space I'm not aware of many products that are really focused on HR risks. GRC Access Controls provides the mechanism to ID and monitor SOD's and access related risks. You can also use mitigation functionality. HR only has a rudimentary set of delivered risks but we are seeing an increase in clients developing specific infotype and action related rules.

There are also other vendors who are active in the market - SecurityWeaver, CSI, Controlpanel GRC, Xpandion, Approva all have offerings in this area.

Detection and monitoring is much harder with HR. While GRC Access controls allows you to run alerts under certain conditions, as far as I am aware it is not tailored towards the HR side of things. While SAP provides infotype change logging, customisation is required to monitor who views particular infotype data. I know of companies who have done this but ultimately you would want to combine both data sources into something that reports in a consistent way.

I've not really looked into this use for it but potentially the GRC Process Controls engine could be used to monitor and report on exceptions.

It sounds like an interesting project, I'm interested to hear what the other SDNers have to say about this.

0 Kudos

HR has some features of its own which "normal" SAP approaches are not always compatible with or intuitive for SAPers.

Even the ABAP developers distinguish between ABAP and HR-ABAP at the programming technique level.

An important aspect is the time dependency of data in the data model - HR "mutates" the records and the rest of SAP generally modifies it with application change document histories (e.g. master data) or simply forbids it (e.g. document segments and indexes).

Considering your 2 requirements:

> 1.) Give us some level of protection short term in the way of monitoring data, transaction use and provide sufficient tools to tools set provide effective setup/analysis.

> 2.) Have that solution be compatible with any fuller implementation we'd eventually pursue when we fully understand this space and decide to take on world hunger so to speak.

You should definitely go for released APIs.

For a taste of the alternatives you may encounter for HR data (salaries, credit card, disability, ...) you can take a read through this "flamewar" thread:

> The function module has no use for me, I extract data from SAP and analyze it afterwards.

It is very tempting in HR for developers to access the tables directly and also update them.

Most likely the "tools" of the consultants' trade are already "in da house" and you should concentrate on that first. You will not find them via HR authorizations nor AUTHORITY-CHECK statements.

This is also aggravated by the trend for HR systems to be "global" but legal requirements are "local". This is very difficult to program statically or even procedurally (via customizing).

Cheers,

Julius

0 Kudos

Hi Alex, Julius,

Thanks very much. Your posts provide a lot of good insight into the challenges and possible alternatives. We have a lot of work ahead of us but it should be fun! I'm hoping we can keep this discussion going and hear what others have to say.

Thanks again,

Doug