German Work Council - Performance Monitoring Transactions

Former Member
0 Kudos

The German Work Council requires limiting/restricting access to certain Performance Monitoring Transactions and table logging options. Can someone please provide a list of transactions or options for this requirement?

1 ACCEPTED SOLUTION

Former Member
0 Kudos

There is no definitive list of transactions, as the requirements are a bit subjective. You could extrapolate their requirements and never give anyone access to transaction change logs, for example!

Mainly stuff like the audit log and ST03N need to be available to a limited number of users (not users' managers, generally......), but most important is what you do with the data. What you cannot do is send data out without a user's permission, which would allow someone to judge their individual performance. If you apply this to your situation then you should pick everything up. If you have a centralised SAP support team then it's fine for some users to have access to log files (transaction, audit, change) as long as they are relevant for their job and they are aware of what they can & can't do with the data (it's not just Germany; Austria also has similar laws). As individuals, their managers and the company can be fined for breaches, it's worth spending time on.

6 REPLIES

jurjen_heeck
Active Contributor
0 Kudos

> The German Work Council requires

EDIT Ah. Law. Didn't know that. Sarcastic comment removed.

> limiting/restricting access to certain Performance Monitoring Transactions and table logging options.

Please elaborate on "certain". Guessing is going to get us just as far as you've gotten.....

Oh, by the way, SAP security is about allowing stuff, not restricting.

Edited by: Jurjen Heeck on May 18, 2009 10:28 PM

0 Kudos

Alex, thanks for the response. I wanted to know if you have any list of transactions that require de-activation, especially per the law requirements of the German Work Council.

0 Kudos

Hi Varun,

If you read my reply you'll see that it's not that simple. There are no transactions which need to be deactivated but you need to be careful how you use what is there, especially around the areas I highlighted (and that you had already identified).

0 Kudos

I second that, Alex.

Varun, please understand that even data that give a clue about the performance of an employee, like - for example - the answer to the question "how many transport orders did a single worker confirm in a day?" (LT11, LT12, LL01) may be a subject of 'performance monitoring'. There's no special transaction for my example, since - if you wanted to know these data - you could use SE16, SE16N, SQVI, SQ01, LL01, most of the LX* transactions, a couple of HR transactions and even a complete BI system.

What you have to investigate is where your data are going and what kind of evaluations and reports there are - and then you have to recognise the 'dangerous' spots.

0 Kudos

A manager can most likely anyway just use the application specific Information System to display / download the transaction data such as a journal list - if that is going to be an aspect of a Key Performance Indicator (KPI).

The security audit log (SM20N) and system performance indicators (ST03N) only have coincidental overlaps with this and will provide distorted (and aggregated...) information for this purpose.

They (security events and response times) are not the correct tools.

The manager should define KPIs which are clear to the employee, and the employee should be able to perform (influence the outcome).

An end user should not be able to influence the response times between the SAPGui and the application server which they are load balanced to, or (un)translate the program name... etc...

It is the wrong tool, so you should protect and not use this data for other reasons.

Also, do not bother about tcodes to protect it; objects S_TOOLS_EX and S_ADMI_FCD (values AUD*) will take care of that at the application level.

Cheers,

Julius
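As an added illustration of the point Julius makes (this is not code from the thread or from SAP), the report below gates a custom evaluation with the same two authorization objects rather than with a transaction code. It assumes the standard field names and values: S_ADMI_FCD with field S_ADMI_FCD and value AUDD (audit log display), and S_TOOLS_EX with field AUTH and value S_TOOLS_EX_A (user-related monitoring data). The report name ZAUDIT_GATE is a hypothetical customer-namespace name.

```abap
*&---------------------------------------------------------------------*
*& Added example: gate a custom report with the authorization objects
*& named in the thread instead of relying on a transaction code.
*& Assumed values: S_ADMI_FCD = 'AUDD', S_TOOLS_EX AUTH = 'S_TOOLS_EX_A'.
*&---------------------------------------------------------------------*
REPORT zaudit_gate.

DATA lv_user_level TYPE abap_bool VALUE abap_false.

START-OF-SELECTION.

  " 1. Audit log display (S_ADMI_FCD, value AUDD) is the prerequisite:
  "    without it the report must not run at all.
  AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
    ID 'S_ADMI_FCD' FIELD 'AUDD'.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to display security audit log data' TYPE 'E'.
  ENDIF.

  " 2. Per-user detail (S_TOOLS_EX, value S_TOOLS_EX_A) is a separate
  "    decision: holders may see user-specific rows, everyone else only
  "    aggregated figures, which is the distinction the works council
  "    discussion is about.
  AUTHORITY-CHECK OBJECT 'S_TOOLS_EX'
    ID 'AUTH' FIELD 'S_TOOLS_EX_A'.
  IF sy-subrc = 0.
    lv_user_level = abap_true.
  ENDIF.

  IF lv_user_level = abap_true.
    WRITE: / 'Per-user detail permitted (S_TOOLS_EX_A held).'.
  ELSE.
    WRITE: / 'Aggregated view only: user column suppressed.'.
  ENDIF.
```

Because both checks sit in the report itself, the same protection applies whether the data is reached through SM20N, ST03N, a query tool or this custom report, which is why assigning the authorization values in roles matters more than hiding individual transaction codes.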