Employees management inside the HR systems (Human Resources). Here it's also essential to manage access in a way that protects sensible data.
Which are the instruments inside SAP HR systems used for logs management? Let's see the main ones here.
I'm not talking about architectural aspects, since HR can be directly installed on an existing ERP system, rather about aspects of applicative data segregation. If we assume that the management of processes linked with HR happens on premise and not in cloud through systems like Success Factor.
Attention to the data has always been a top priority, that's why SAP decided to define and provide an authorization model that is very detailed and unique under many aspects (while maintaining a similar structure to the classic ERP).
Also, the HR module is not always installed directly on existing ERP systems.
As for other systems, the reasons are many:
Let's start by distinguishing the two main HR modules:
The first one is used to manage personnel master data, so the PERNR (Personnel Number). Technically, if we simplify, all transactions that start with PA, i.e. PA20 or PA30.
With these transactions it's possible to display and maintain infotypes.
Infotypes, to make it simple, represent a certain set of data, for example Communication (which would be all contact information of a certain employee), Organizational location etc.
Of course, other modules do exist, but PA and PD are for sure the main ones. It's important to note that SAP uses the HR module for other processes (for example there are integrations between the controlling and HR processes, as well as sales processes).
It is then possible to have a bare minimum of employees' master data stored even though the HR system is not really utilized (for example for payrolls).
By default some logs are already active in the PA module, these allow to check who made changes to the employees' master data.
With transaction S_AHR_61016380 it's possible to see the recorded changes
As for PD, it concerns employee development and growth. Technically, all PP* transactions are concerned. For example PPOM or PP01 etc. In this case logs are not active by default, it is then necessary to activate them (that is highly suggested)
By personalizing table T77CDOC_CUST it's possible to decide on which links to activate changes logs
By activating the logs in the above table, every change that is made also generates a log
Usually only some relations are activated, but not all of them. With the report RHCDOC_DISPLAY or RHRHAZ00, or with transaction RE_RHRHAZ00 it's possible to display the changes:
Other useful logs, even for the HR systems, are the following:
All the above logs are concerned with changes to data, not with display accesses. This last type of log can be activated in two ways:
Yes, SAP GRC can be useful in two ways:
Blog post originally translated from: https://www.aglea.com/blog/sap-hr-log