Question:
Due to new legal requirements, we can no longer rely entirely on procedural training to protect some sensitive data.
Specifically, for HR Reporting we need to implement Customized Security that will mask the output of SSN (PERID) unless the user has authorization to export this information.
I am trying to locate a BAdi or User Exit that might allow us to put security on this field so that it will display with a masked value whenever reports are run against the PNP database.
TIA
Answer:
I do not recall a PNP-specific user exit that allows you to do this, and if there is, there is still the issue of non-PNP reports. In the SPRO there is configuration showing you the BADI for Security additions/replacement.
You may also want to consider trying to limit access to the infotype that houses the SSN (I believe it is IT0002) and see if the reports yield sufficient info without the IT.
Answer:
Write your own report and make sure that it doesn't output SSN. That is the cheapest alternative. You can also use the ABAP Query tool to set up your own 'infoset' that leaves off SSN as a queryable field. Also, HR has its own version of ABAP Query called Ad Hoc reporting that would allow you to do something similar.
This is just a starter suggestion. It would take a lot more than this to put it into action, but that is why you pay consultants.
P.S. I like the way you started your e-mail. I think you have gotten sensitized.
_________________
bwSecurity
Answer:
Thanks for your input. I agree that removing SSN from the ad-hoc 'infoset' will help. We can also configure T588J to remove SSN from the infotype headers so it is only displayed as PERID on Infotype 0002. It seems that limiting access to IT0002 also limits access to the other fields such as employee name, which would not be acceptable. Do you know how to implement field level security?
In the IMG there is reference to BAdi HRPAD00AUTH_CHECK as customer specific authorization. Has anyone ever used this? Advice/Lessons learned?
TIA
Answer:
Hi,
Where do you need to see employee name: in a report, or in PA20 / PA30?
The difference is quite important as in reporting you can use P_ABAP to bring back the user name (IT0002), but the authorisations are built in such a way that they would not work when using PA20 / PA30.
In PA20 if you want to search by employee name you only need auth level R and M for IT0001, IT0002 would not generally be required.
Cheers
Peter
Answer:
How to restrict display of SSN on a report? I know that you can use P_ABAP to restrict which reports can be run, but not which fields will be displayed. The standard security profiles for access to the PNP database allow us to restrict which employees are displayed based on the authorizations of the user running the report (i.e., the user can only see employees for a specific personnel area). We are looking for ways to establish field level security on the SSN so that we can restrict which fields are displayed based on the authorizations of the user running the report. Thanks for your input so far.
Answer:
Hello Guest,
P_ABAP is used to determine how the auth check for P_ORGIN is performed and cannot be used to determine which reports a user can execute. In general you should never use P_ABAP.
You could create your own BADI and replace the SAP standard BADI used for checking, but I would seriously advise you not to do this.
As the issue is related to a report the easiest, cleanest and lowest maintenance solution is to take the advice of other members and create / find an equivalent report that does not output the SSN.
Cheers
Answer:
P_ABAP is a perfectly viable object and gives you the opportunity to write reports off the logical database that access non-sensitive fields from sensitive infotypes. You obviously need to control the report or query development process so that you mitigate the risk that someone will include a sensitive field.
P_ABAP even has some advanced features that help secure information. Don't be scared off. You don't need add ins and exits.
_________________
bwSecurity