SAP HR LOG

Posted by Fabio Mambretti on Jun 10, 2022 12:00:00 AM

Employees management inside the HR systems (Human Resources). Here it's also essential to manage access in a way that protects sensible data.

Logs

Which are the instruments inside SAP HR systems used for logs management? Let's see the main ones here.

Why is SAP HR separated from SAP ERP?

I'm not talking about architectural aspects, since HR can be directly installed on an existing ERP system, rather about aspects of applicative data segregation. If we assume that the management of processes linked with HR happens on premise and not in cloud through systems like Success Factor.

 

Attention to the data has always been a top priority, that's why SAP decided to define and provide an authorization model that is very detailed and unique under many aspects (while maintaining a similar structure to the classic ERP).

 

Also, the HR module is not always installed directly on existing ERP systems.

  • That is why it is usually necessary to update the HR system more often than the ERP system. This means that more frequently the machine would need to be stopped, which is not always feasible in an ERP system.
  • Also, many companies just prefer to have a separate system dedicated to the data as an ulterior certainty that data will be protected.

 

 

Why are logs important in this system?

As for other systems, the reasons are many:

  • To check who modified what
  • For investigations in a detective manner
  • To check who displayed what
  • To use the gathered data for event correlation and critical patterns search

 

Which are the available logs in the HR systems?

Let's start by distinguishing the two main HR modules:

  • PA - Personnel Administration
  • PD - Personnel Development

The first one is used to manage personnel master data, so the PERNR (Personnel Number). Technically, if we simplify, all transactions that start with PA, i.e. PA20 or PA30.

 

With these transactions it's possible to display and maintain infotypes.

 

Infotypes, to make it simple, represent a certain set of data, for example Communication (which would be all contact information of a certain employee), Organizational location etc.

 

Of course, other modules do exist, but PA and PD are for sure the main ones. It's important to note that SAP uses the HR module for other processes (for example there are integrations between the controlling and HR processes, as well as sales processes).

 

It is then possible to have a bare minimum of employees' master data stored even though the HR system is not really utilized (for example for payrolls).

 

By default some logs are already active in the PA module, these allow to check who made changes to the employees' master data.

 

  • With transaction S_AHR_61016380 which calls the RPUAUD00 report. It's possible to see the changes made to infotypes. The following tables define which logs are to be traced:
    • HR Documents: Infotypes with Documents (V_T585A)
    • HR Documents: Field Group Definition (V_T585B)
    • HR Documents: Field Group Characteristics (V_T585C)

V_T585A
With transaction S_AHR_61016380 it's possible to see the recorded changes

S_AHR_61016380

 

As for PD, it concerns employee development and growth. Technically, all PP* transactions are concerned. For example PPOM or PP01 etc. In this case logs are not active by default, it is then necessary to activate them (that is highly suggested)

 

By personalizing table T77CDOC_CUST it's possible to decide on which links to activate changes logs

T77CDOC_CUST

 

By activating the logs in the above table, every change that is made also generates a log

PPOM

Usually only some relations are activated, but not all of them. With the report RHCDOC_DISPLAY or RHRHAZ00, or with transaction RE_RHRHAZ00 it's possible to display the changes:

RHCDOC_DISPLAY

 

Other useful logs, even for the HR systems, are the following:

 

  • V_T599R PM->PA->Tools->Revision-> Log for the tracing of reports executed in HR (Report RPUPROTD)
  • SAP Security Log, Transaction SM20N or RSAU_READ_LOG
  • Table trace, ergo transaction SCU3
  • Loggin activation on SAP Queries

 

All the above logs are concerned with changes to data, not with display accesses. This last type of log can be activated in two ways:

 

UI Logging

 

Can SAP GRC Access Control be useful for HR systems?

Yes, SAP GRC can be useful in two ways:

  • For the Segregation of duties (SoD) in HR (especially for payroll processes)
  • For verifying accesses in HR. It can in fact be useful to define a SoD risks matrix for accesses, not for SoD purpose, but for checking access to HR data.

 

Blog post originally translated from: https://www.aglea.com/blog/sap-hr-log

 

Topics: security audit log, audit sap, UI logging, SAP LOG

Subscribe Here!

Blog Aglea, cosa puoi trovare?

Ogni mercoledì pubblichiamo articoli, interviste e documenti relativi alla security SAP.

Cosa puoi trovare:

  • Suggerimenti su come mettere in sicurezza i sistemi SAP
  • Come fare a … (How To)
  • Checklist
  • Gli errori comuni che spesso vengono fatti in ambito Security SAP
  • Interviste con esperti del settore
  • Chi è AGLEA quale è la nostra vision security SAP

Recent Posts

Post By Topic

See all