cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecureHR data when profile data in Information Steward

former_member293952
Explorer

on ‎08-25-2016 7:47 PM

0 Kudos

Hi All, We have a requirement to profile the data and implement scorecards based on the required business rules for the SAP HR data (Workday). We have a concern about how to secure the HR data as data would be a most sensitive data like SSN, Phone Number etc.,.

As part of security we care considering below additional steps to keep secure the data. Please review and advise if we have any best practices in this case and best possible approach to full fill this requirement.

1. Create dedicated Communication/System user. For Ex in our case: sapserviceqishr.

2. Build new security Roles to use only for HR Project.

3. Create separate database to store failed data.

4. If data comes from file systems, anyhow HR team could manage secure FTP locations.

But the profiled data will be stored in the SAP IS repository database. With the above actions we can secure in application level (from IS) but not in IS repo database level. Do we have encryption mechanism to protect that data? or Do we have any masking options with in DB level or else where? Please advise HOW we can secure this data?


Thanks

Venky

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

adrian_storen
Active Participant
‎08-29-2016 1:44 AM
0 Kudos

Venky,

I would create two new DI connections - one for the HR data and one for the HR failed data.  For additional security, you could also add a HR DI project.  All of these can then be secured with new HR groups (which you will need to create as sub-groups under existing DI groups).

As you would put the failures into a separate DB schema, you would have to talk to your DBAs about how that is encrypted/ accessed in the DB layer to prevent access.  You could look at VPD in Oracle if that's your DB technology, but would then need to give an exemption to the HR user that is used for the failed data repository connection.

regards

Adrian

Show replies
Show replies
former_member293952
Explorer
‎09-10-2016 5:44 AM
0 Kudos

Hi Adrian, Thank you for advise. We are clear on how to secure the data from Connection and Failed database perspective.

But if we profile the data that profile results will be stored under IS repo database. Unless if we create new IS repo/server HR data we can't restrict that data in common IS repo. But we can clear profile results by running purge task but that will clear all projects/tables profile results.

Do you have any idea on how to clear profile results specific to particular table or project?

Thanks

Venky

adrian_storen
Active Participant
‎09-11-2016 11:33 PM
0 Kudos

Venky,

My advice would be to never share the IS Repository account. However, that would not stop profiled data existing in the same table/s.

I'm not sure what your concern is.  Do you provide the IS repo password?  Or database users with select access to tables?  Or do you have custom reports off the database tables?

Depending on the issue you're trying to solve, you could limit access via the database.  That way it would not matter which tool is used to access the data and you could keep rather than purge profile results for HR users.  For instance, if you have Oracle then you could implement VPD and filter data out from access based on the user and a token.  This is likely to need to be need to be re-applied after each IS upgrade.

You could also articulate your requirements in the SAP Ideas space and see what SAP think.

regards

Adrian

Ask a Question