Application Development Discussions
Restricting standard SAP queries from seeing HR Data

Former Member

Newbie back again with another question. When our system was implemented 2 yrs ago, supposedly HR Master Data was restricted from the majority of users. One of our SAP functional consultants just showed me how the Standard SAP Query can (if you know what to search for) pull up all HR master data.

Granted, my user community isn't that knowledgeable (yet), but as the Security person I'd rather they not be able to.

How do I restrict access to the Standard Query?


Former Member

Which release are you on?

Which views are you using?

Are there SQVI or SQ01 queries?

Which authority-checks are made and is your authorization concept for the users the problem?

Note that for reporting "bugs" you should use service.sap.com/notes and not SDN.

You can however IMO escalate issues here if they require support and / or have a discussion value (eg. SAP told you that it is a "feature"... ;-).

Cheers,

Julius


The latest release: when I look up my component list they say 604 to 700.

View: QuickViewer.

Query types: HR infotype tables may be accessed by users of SQVI, SQ01, etc.

Which authority-checks: still researching. Part of my problem is that when the system was developed we had an HR expert, and he was pretty hands-on and not into sharing information. As often happens, he's moved on to other projects and I'm supposed to handle, maintain and run with zero documentation or understanding of his security model for HR. So I'm not sure if this was 1. by design and supposed to be managed inside HR some other way, 2. a gap, or 3. a bug.

My assumption is 2... it appears the SQVI is not using S_TABU_DIS in any assignments


In the case of SQVI, to my knowledge it makes the checks at the time of building the queries. These are then generated and executed without checks.

Possibly they kept the generated queries and made "real" programs out of them, also without checks but already built. You will need to add the checks, but S_TABU_DIS is very blunt in that regard.

Rather add FM HR_Read_infotype to use the P* objects - assuming these are correctly assigned.

Cheers,

Julius
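To illustrate the point in the reply above, here is an added ABAP example (not code from the original thread or from SAP) contrasting a plain table read, which is what a generated SQVI/SQ01 program effectively does, with a read through the function module HR_READ_INFOTYPE, which evaluates the HR authorization objects (P_ORGIN, P_PERNR and so on) before returning any records. The personnel number and the report name are constructed sample values; the explicit AUTHORITY-CHECK block shows how a check could be added by hand to an already generated program if you choose not to route the read through the function module.

```abap
REPORT z_hr_infotype_check_demo.   " constructed report name

DATA: lt_p0008 TYPE TABLE OF p0008,          " Basic Pay, infotype 0008
      lv_pernr TYPE pernr_d VALUE '00001234', " constructed sample personnel number
      lv_subrc TYPE sy-subrc.

" --- Unchecked read (for comparison only, do not ship this in a report) ---
" A direct SELECT on the infotype table PA0008 performs no HR authorization
" check at all. This is the behaviour of a generated query program, so a user
" who can run the program sees every row the database returns.
"
"   SELECT * FROM pa0008 INTO TABLE lt_p0008 WHERE pernr = lv_pernr.

" --- Checked read via HR_READ_INFOTYPE ---
" The function module reads the infotype on behalf of the caller and applies
" the P* authorization objects assigned to the user; if the user lacks
" authorization for this employee/infotype, no records are returned and the
" exporting parameter SUBRC is non-zero.
CALL FUNCTION 'HR_READ_INFOTYPE'
  EXPORTING
    pernr           = lv_pernr
    infty           = '0008'
    begda           = '19000101'
    endda           = '99991231'
  IMPORTING
    subrc           = lv_subrc
  TABLES
    infty_tab       = lt_p0008
  EXCEPTIONS
    infty_not_found = 1
    invalid_input   = 2
    OTHERS          = 3.

IF sy-subrc <> 0 OR lv_subrc <> 0.
  " Either no records exist or the user is not authorized; the report
  " deliberately does not distinguish the two cases in its output.
  WRITE: / 'No basic pay data available for', lv_pernr.
ELSE.
  DATA ls_p0008 TYPE p0008.
  LOOP AT lt_p0008 INTO ls_p0008.
    WRITE: / ls_p0008-pernr, ls_p0008-begda, ls_p0008-endda, ls_p0008-trfgr.
  ENDLOOP.
ENDIF.

" --- Alternative: an explicit check added to an existing generated program ---
" P_ORGIN carries the infotype, subtype, authorization level and the
" organizational assignment fields. Checking read access ('R') for infotype
" 0008 before the program's own SELECT closes the gap without rewriting the
" data access. Real use should also fill PERSA/PERSG/PERSK/VDSK1 from the
" employee's infotype 0001 record rather than using DUMMY.
AUTHORITY-CHECK OBJECT 'P_ORGIN'
  ID 'INFTY' FIELD '0008'
  ID 'SUBTY' DUMMY
  ID 'AUTHC' FIELD 'R'
  ID 'PERSA' DUMMY
  ID 'PERSG' DUMMY
  ID 'PERSK' DUMMY
  ID 'VDSK1' DUMMY.
IF sy-subrc <> 0.
  MESSAGE 'Not authorized to display basic pay data' TYPE 'E'.
ENDIF.
```

The practical difference is that the function module route inherits whatever P* profile the HR team already maintains for the user, so the query cannot show more than the user would see in PA20, whereas a table-level object such as S_TABU_DIS can only grant or deny the whole table group.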

Former Member

Hi,

If you have any legally sensitive or particularly commercially sensitive data then you need to have control over methods of getting data out of the system. SQ01 & SQVI are 2 of the many methods but are 2 of the more commonly abused ones.

SQVI - Don't grant in prod.

SQ01 - Do all the report development in dev and transport them. Don't give the ability to create or change reports in prod. For HR, most importantly, ensure that all HR reporting via SQ01 (or related usages) is done using logical databases (LDBs). This will ensure that adequate checks on the HR auths are performed.
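As an added illustration of the logical database recommendation above (this is example code, not from the thread or from SAP), a minimal ABAP report attached to logical database PNP lets the LDB, rather than the report, fetch each employee's records, so the P_ORGIN/P_PERNR checks run for every personnel number before data reaches the program. The same mechanism applies when an SQ01 InfoSet is built on PNP instead of on a direct table join. The report name is constructed; the logical database assignment is made in the report attributes (SE38, attribute "Logical database"), not in the source.

```abap
REPORT z_hr_ldb_demo.   " constructed report name; set logical database PNP in the report attributes

" Declaring the PNP root node and the infotypes to be read. PNP fills
" p0002 (Personal Data) for each employee it delivers to GET pernr.
TABLES:    pernr.
INFOTYPES: 0002.

" PNP performs the HR authorization checks for each personnel number and
" only triggers GET pernr for employees the user is allowed to see; records
" the user is not authorized for never reach this report.
GET pernr.
  LOOP AT p0002.
    " Restrict output to the period selected on the PNP selection screen
    CHECK p0002-begda <= pn-endda AND p0002-endda >= pn-begda.
    WRITE: / pernr-pernr, p0002-nachn, p0002-vorna.
  ENDLOOP.
```

Because the selection screen, period handling and authorization checks all come from PNP, a query or InfoSet built this way stays consistent with the standard HR reports, which is what makes the LDB approach safer than a free-form table join over PA* tables.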


Thanks, everyone. I'm taking your input back to my tech team and my functional managers to discuss what path we want to take forward.