Here's why it's important to check how data is exported and by whom.
How do you monitor the data exported from SAP ECC?
Many users must be formally authorized to export data as part of their job. It is, however, very important, especially under the GDPR, to monitor how data leaves the SAP system and who exports it without authorization.
How do you do that? Let's look at some paid methods and others included in the SAP Business Suite.
What are the methods for exporting data from SAP?
SAP is an application in which data is stored in a database. This data can be accessed directly or by using SAP transactions.
Many ways of exporting data exist.
Here are some of the main ones:
- Through SE16, SE11 or similar transactions, which directly export the content of a database table, for example the Customer Master Data as defined in SAP
- Through the export functions present in standard transactions
- Through RFC function modules exposed by SAP, for example RFC_READ_TABLE
- Through a custom program built specifically to export data from SAP
Each of the above methods can represent, in terms of data security, an opportunity for data leakage. What, then, are the ways to prevent or control data loss and leakage? Which Data Loss Prevention techniques can be used?
SAP provides various instruments that can be used to control data export (see OSS note 28777 – PC download: Logging, authorization check).
Some of these are native and have been present in the solutions for many years (since release 3.0C); others are more recent, and others still are paid solutions.
Why is it important to protect company data? Find out here!
Let's start with the basics: the S_GUI authorization object.
S_GUI
This authorization object (available since SAP release 4.0) allows you to enable or disable data export from SAP. The object is checked when someone uses standard transactions, or custom ones where the check has been provided for.
The object contains the following possible activities:
- 02 -> Copy data to the clipboard
- 61 -> Export data from SAP
- 60 -> Import data
Beware: in some cases the check on this object can be deactivated through customizing, as described in OSS note 979917 - S_GUI authorization check needs to be disabled. Table SDOKPROF in fact makes it possible to disable the authorization check in the GOS (Generic Object Services) functions, that is, the button used to manage transaction attachments (for example a Purchase Order attachment).
SAP GUI also allows you to protect read and write actions on data towards the client; read more here (SAP GUI Rules).
SAP Security Audit Log
How can you trace what is exported from SAP? One way is to activate the SAP Security Audit Log and trace the data export event.
By activating the standard SAP instrument called SAP Security Audit Log (release SAP_BASIS 731 and above) it is possible to find out who exported data through the standard SAP export function.
The picture above shows an extract of the security audit log (transaction SM20N); in the yellow row you can see that user MMANARA exported the content, or part of it, of table PA0008 (which contains personnel remuneration data in an HR system) with transaction SE16, see the "Program" column.
With the Audit Log it is also possible to see the RFC callbacks that took place, which can be used, for example, to intercept callback events through the RFC_READ_TABLE function.
Through the 'SGRPDL00' enhancement you can also insert your own code for additional checks or specific logging actions.
Read here how to configure the SAP Security Audit Log.
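As an added example (not part of the original post, and not SAP's own log format), the detection logic a security team could run over an audit-log extract: flag direct table exports through SE16-type transactions and RFC_READ_TABLE calls by users who are not on the formally authorized list, and raise the severity for HR infotype tables such as PA0008 or for repeated exports. The layout of the sample lines and the field names are constructed assumptions.

```python
"""Flag direct table exports and RFC_READ_TABLE calls in an audit-log extract."""
from collections import Counter

# Constructed sample in a simplified layout: date;time;user;transaction;
# object;detail. This is NOT the real SM20 export format, only a stand-in.
SAMPLE_LOG = """\
20240305;09:12:41;MMANARA;SE16;PA0008;Download 48120 bytes
20240305;09:15:02;HRADMIN;SE16;PA0008;Download 2048 bytes
20240305;09:20:17;MMANARA;SE16;PA0002;Download 91000 bytes
20240305;10:01:55;RFCUSER;;RFC_READ_TABLE;Callback from 10.0.0.5
20240305;10:05:00;JDOE;ME23N;EKKO;Download 512 bytes
"""

TABLE_BROWSERS = {"SE16", "SE16N", "SE11"}   # generic table-content export
SENSITIVE_PREFIXES = ("PA0",)               # HR infotype tables, e.g. PA0008
DIRECT_READ_RFCS = {"RFC_READ_TABLE"}       # RFC that reads any table

def parse(log_text):
    """Split the constructed log into dicts; skip blank or malformed lines."""
    keys = ("date", "time", "user", "tcode", "obj", "detail")
    rows = []
    for line in log_text.splitlines():
        parts = line.strip().split(";")
        if len(parts) == len(keys):
            rows.append(dict(zip(keys, parts)))
    return rows

def analyse(log_text, authorized=frozenset()):
    """Return (user, reason, severity) findings. 'authorized' holds users
    formally allowed to export table content as part of their job."""
    findings, per_user = [], Counter()
    for r in parse(log_text):
        if r["tcode"] not in TABLE_BROWSERS and r["obj"] not in DIRECT_READ_RFCS:
            continue                  # export via a normal business transaction
        per_user[r["user"]] += 1
        if r["user"] in authorized:
            continue
        sensitive = r["obj"].startswith(SENSITIVE_PREFIXES)
        reason = f"{r['tcode'] or 'RFC'} on {r['obj']}"
        findings.append((r["user"], reason, "high" if sensitive else "medium"))
    for user, n in per_user.items():  # repeated direct exports by one user
        if n >= 2 and user not in authorized:
            findings.append((user, f"{n} direct table exports", "high"))
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG, authorized={"HRADMIN"}):
        print(*finding, sep=" | ")
```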
Is there any specific function for the HR part?
Just as there is a specific enhancement for the classic SAP part, the same function can be used for the HR part: HRPC0001.
Is there a way to be protected from data copy-paste?
For this, the standard functions mentioned before are of no help. However, one can consider applying OSS note 997201 - ALV export: Exit during authority check, in order to control the data copy-paste function. It is not possible, however, to be protected from print screen!
Are there any other ways, even for non-dialog users?
Yes, other instruments to control even the reading of data do exist, but some of them are not free:
- SAP RAL Read Access Log (included in the SAP suite), transaction SRALMANAGER, available from SAP NetWeaver release 7.01 (SP15) and above
- SAP Field Masking (this is a paid service, made up of two modules):
  - UI Logging
  - UI Masking
Blog post originally translated from: https://www.aglea.com/blog/come-esportare-dati-da-sap