02-19-2013 7:32 PM
We have a training system refreshed with the data from the Production system. The SAP support team has almost complete access to all data/tables in the training system, as they need it for testing different functionalities in it. Now we would like to at least restrict access to sensitive HR data like payroll, salary or user personal details from our SAP team.
So what can be the solution for this? I tried to restrict it using SE16 by authorization group, but as there are n number of tables which can have sensitive HR data, I don't think it's possible by maintaining authorization fields.
Can we restrict it by modifying the authorization values for SE16, or do we have to plan for TDMS as a final solution?
Thanks.
02-19-2013 7:37 PM
Unless you have proper authorizations (customer implemented roles) that you can put in place for restricting access to sensitive data, I recommend you implement data masking/scrambling by either custom means (e.g. an ABAP program) or by purchasing TDMS to do it.
02-19-2013 8:07 PM
Dear Samuli,
Thanks for the reply. Can you please provide more information on how data masking can be achieved by custom means (ABAP programs)? Can this be developed in-house?
Secondly, is there any way HR data access can be restricted using authorization (meaning restricting HR table access by SE16)?
02-19-2013 8:15 PM
Well, data masking can certainly be developed in-house, I have done it a couple of times. In case of HR you just need to know all relevant HR infotypes (and possibly clusters) and change all entries with random (but meaningful) data. Some infotypes can be more complicated than others (for example the salary infotype 0008) but nothing an experienced ABAP programmer can't handle. It will certainly take some time to do the in-house implementation (+ verify it), so you should of course weigh the pros and cons of the in-house solution vs. TDMS.
I am not the right person to ask about HR authorizations but I do know that they can be quite complicated. You can limit them by infotype, subtype, company code, personnel area, etc. Then there are structural and context authorizations to complicate things further. My point being that it is more complicated than limiting table access.
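The in-house masking approach discussed above, as an added sketch that is not part of the thread and not any poster's code. The report name, the name pool and the 70-130 % scaling range are assumptions; it touches only the transparent tables PA0002 (personal data) and PA0008 (basic pay).

```abap
REPORT zhr_mask_training.
* Added example. Report name, name pool and scaling range are assumptions.
DATA: lt_0002  TYPE STANDARD TABLE OF pa0002,
      lt_0008  TYPE STANDARD TABLE OF pa0008,
      lt_names TYPE STANDARD TABLE OF pa0002-nachn,
      lv_cat   TYPE t000-cccategory,
      lv_last  TYPE pa0002-pernr,
      lv_seed  TYPE i,
      lv_idx   TYPE i,
      lv_pct   TYPE i,
      lv_num   TYPE n LENGTH 2,
      lv_fname TYPE c LENGTH 30,
      lo_rnd   TYPE REF TO cl_abap_random.
FIELD-SYMBOLS: <ls_0002> TYPE pa0002, <ls_0008> TYPE pa0008, <lv_amt> TYPE any.

START-OF-SELECTION.
* Refuse to run where T000 flags the client as productive.
  SELECT SINGLE cccategory FROM t000 INTO lv_cat WHERE mandt = sy-mandt.
  IF lv_cat = 'P'.
    MESSAGE 'Productive client: masking refused' TYPE 'E'.
  ENDIF.
  APPEND 'Alpha' TO lt_names. APPEND 'Bravo' TO lt_names. APPEND 'Charlie' TO lt_names.
* Unpredictable seed, so the replacement values cannot be recomputed later.
  lv_seed = cl_abap_random=>seed( ).
  lo_rnd  = cl_abap_random=>create( lv_seed ).
* Personal data: one fake name per person, kept on all of that person's records.
  SELECT * FROM pa0002 INTO TABLE lt_0002.
  SORT lt_0002 BY pernr.
  LOOP AT lt_0002 ASSIGNING <ls_0002>.
    IF <ls_0002>-pernr <> lv_last.
      lv_last = <ls_0002>-pernr.
      lv_idx  = lo_rnd->intinrange( low = 1 high = 3 ).
    ENDIF.
    READ TABLE lt_names INTO <ls_0002>-nachn INDEX lv_idx.
    <ls_0002>-vorna      = 'Test'.
    <ls_0002>-gbdat+4(4) = '0101'.  " keep birth year so age-based logic still works
  ENDLOOP.                          " other fields of the infotype need the same care
* Basic pay: one random factor per person, applied to every amount field.
  CLEAR lv_last.
  SELECT * FROM pa0008 INTO TABLE lt_0008.
  SORT lt_0008 BY pernr.
  LOOP AT lt_0008 ASSIGNING <ls_0008>.
    IF <ls_0008>-pernr <> lv_last.
      lv_last = <ls_0008>-pernr.
      lv_pct  = lo_rnd->intinrange( low = 70 high = 130 ).
    ENDIF.
    <ls_0008>-ansal = <ls_0008>-ansal * lv_pct / 100.
    DO 40 TIMES.                    " BET01, BET02, ... until the field no longer exists
      lv_num = sy-index.
      CONCATENATE 'BET' lv_num INTO lv_fname.
      ASSIGN COMPONENT lv_fname OF STRUCTURE <ls_0008> TO <lv_amt>.
      IF sy-subrc <> 0. EXIT. ENDIF.
      <lv_amt> = <lv_amt> * lv_pct / 100.
    ENDDO.
  ENDLOOP.
  UPDATE pa0002 FROM TABLE lt_0002.
  UPDATE pa0008 FROM TABLE lt_0008.
  COMMIT WORK.
```

Scaling keeps amounts in a plausible range but still shows their rough magnitude, so replace the values outright if that is itself sensitive. The remaining infotypes and the clusters mentioned in the thread need their own handling.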
02-20-2013 5:52 AM
Can you try, in auth object S_TABU_DIS, to remove values for field "Authorization Group" starting with "P"? Don't leave any * in the object field values of S_TABU_DIS.
02-20-2013 6:49 AM
Dear Shahnas, I have already restricted the access with all auth groups starting with P*. But my question is whether this restriction is enough to restrict people from viewing any sensitive HR data.
Will SAP recommend the same, or will they suggest TDMS as the correct solution?
Samuli, thanks again for your reply. I am trying to see which is the correct solution for us: whether to restrict using auth groups or TDMS, or I will check for in-house development also.