Posted by Fabio Mambretti on Jun 10, 2022 8:15:00 AM

Employee management happens inside the HR (Human Resources) systems. Here, too, it's essential to manage access in a way that protects sensitive data.


Which tools are used for log management inside SAP HR systems? Let's see the main ones here.

Why is SAP HR separated from SAP ERP?

I'm not talking about architectural aspects, since HR can be installed directly on an existing ERP system, but rather about the segregation of application data. This assumes that the HR processes are managed on premise and not in the cloud through systems like SuccessFactors.


Attention to the data has always been a top priority. That's why SAP decided to define and provide an authorization model that is very detailed and unique in many respects (while maintaining a structure similar to the classic ERP).


Also, the HR module is not always installed directly on existing ERP systems.

  • The HR system usually needs to be updated more often than the ERP system. This means the machine has to be stopped more frequently, which is not always feasible for an ERP system.
  • Also, many companies simply prefer to have a separate system dedicated to the data, as an additional assurance that the data will be protected.



Why are logs important in this system?

As for other systems, the reasons are many:

  • To check who modified what
  • For investigations, as a detective control
  • To check who displayed what
  • To use the gathered data for event correlation and to search for critical patterns


Which are the available logs in the HR systems?

Let's start by distinguishing the two main HR modules:

  • PA - Personnel Administration
  • PD - Personnel Development

The first one is used to manage personnel master data, that is, the PERNR (Personnel Number). Technically, to simplify, it covers all transactions that start with PA, e.g. PA20 or PA30.


With these transactions it's possible to display and maintain infotypes.


Infotypes, to put it simply, represent a certain set of data, for example Communication (all the contact information of a certain employee), Organizational location, etc.


Of course, other modules do exist, but PA and PD are for sure the main ones. It's important to note that SAP uses the HR module for other processes (for example there are integrations between the controlling and HR processes, as well as sales processes).


It is therefore possible that a bare minimum of employee master data is stored even though the HR system is not really used (for example, for payroll).


By default, some logs are already active in the PA module. These make it possible to check who made changes to the employees' master data.


  • With transaction S_AHR_61016380, which calls the RPUAUD00 report, it's possible to see the changes made to infotypes. The following tables define what is to be logged:
    • HR Documents: Infotypes with Documents (V_T585A)
    • HR Documents: Field Group Definition (V_T585B)
    • HR Documents: Field Group Characteristics (V_T585C)

With transaction S_AHR_61016380 it's possible to see the recorded changes
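
The infotype change log is the raw material for the event correlation and critical-pattern search mentioned earlier. As an added example (not part of the original post and not SAP code), this Python script flags three patterns in a constructed CSV export; the column layout, the user-to-PERNR mapping, the sensitive infotype set and the thresholds are all assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample: a simplified CSV export of infotype change-log records.
# The column layout is an assumption, not the real RPUAUD00 output format.
SAMPLE_EXPORT = """\
changed_on,changed_at,user,pernr,infotype,field,old,new
2022-06-06,10:12:44,HRADMIN1,00001001,0105,USRID_LONG,a@example.com,b@example.com
2022-06-06,23:41:09,HRADMIN2,00001002,0009,BANKN,111,222
2022-06-07,09:05:00,HRADMIN1,00001003,0008,BET01,3000,3500
2022-06-07,09:30:10,JDOE,00001004,0009,BANKN,333,444
2022-06-07,09:31:02,JDOE,00001004,0009,BANKN,444,333
"""

# Assumptions: user -> own personnel number, sensitive infotypes, working hours.
USER_TO_PERNR = {"HRADMIN1": "00001003", "HRADMIN2": "00001010", "JDOE": "00001020"}
SENSITIVE_INFOTYPES = {"0008", "0009"}  # Basic Pay, Bank Details
BUSINESS_HOURS = range(7, 20)           # 07:00 to 19:59

def parse_export(text):
    """Parse the CSV export into dicts with a real timestamp, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(f"{row['changed_on']}T{row['changed_at']}")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])

def find_critical_patterns(rows, revert_window_s=3600):
    """Return (pattern, user, pernr, infotype) tuples for three critical patterns."""
    findings, last_change = [], {}
    for r in rows:
        hit = (r["user"], r["pernr"], r["infotype"])
        sensitive = r["infotype"] in SENSITIVE_INFOTYPES
        # 1. A user maintaining their own master data.
        if USER_TO_PERNR.get(r["user"]) == r["pernr"]:
            findings.append(("SELF_MAINTENANCE", *hit))
        # 2. A sensitive infotype changed outside working hours.
        if sensitive and r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS_SENSITIVE", *hit))
        # 3. A sensitive field changed and set back to its old value shortly after.
        key = (r["pernr"], r["infotype"], r["field"])
        prev = last_change.get(key)
        if (sensitive and prev and r["new"] == prev["old"]
                and (r["ts"] - prev["ts"]).total_seconds() <= revert_window_s):
            findings.append(("CHANGE_AND_REVERT", *hit))
        last_change[key] = r
    return findings
```
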



As for PD, it concerns employee development and growth. Technically, all PP* transactions are concerned, for example PPOM or PP01. In this case logs are not active by default, so it is necessary to activate them (this is highly recommended).


By customizing table T77CDOC_CUST, it's possible to decide for which links change logs are activated.



Once the logs are activated in the above table, every change that is made also generates a log.


Usually only some relations are activated, not all of them. With the report RHCDOC_DISPLAY or RHRHAZ00, or with transaction RE_RHRHAZ00, it's possible to display the changes.



Other useful logs, even for the HR systems, are the following:


  • V_T599R PM->PA->Tools->Revision-> Log for the tracing of reports executed in HR (Report RPUPROTD)
  • SAP Security Log, Transaction SM20N or RSAU_READ_LOG
  • Table trace, i.e. transaction SCU3
  • Logging activation on SAP Queries


All the above logs are concerned with changes to data, not with display accesses. This last type of log can be activated in two ways:


UI Logging


Can SAP GRC Access Control be useful for HR systems?

Yes, SAP GRC can be useful in two ways:

  • For the Segregation of duties (SoD) in HR (especially for payroll processes)
  • For verifying access in HR. It can in fact be useful to define a SoD risk matrix for access, not for SoD purposes but for checking access to HR data.


Blog post originally translated from:

