How to avoid viewing sensitive data via direct access to the SAP HCM database.

Industry & Trends / 28.07.2023

With the help of the new Generic Table Browser (GTB), a long-standing problem has been solved.

There are various ways to display and analyze HCM data in an SAP system. Because this is personal data, the GDPR imposes additional confidentiality and integrity requirements on it, and the topic is therefore high on the priority list of many companies.

One secure way is certainly to use the PA transactions, such as PA20 (Display HR Master Data), which are secured by appropriate authorizations and can restrict access to specific personnel data. A key prerequisite, however, is that a comprehensive authorization concept has been implemented and is actually enforced in the HCM environment.

Experience shows, however, that this is not always reliably the case, and that the direct route via the database tables is often taken when someone just wants to “quickly look something up”. This shortcut is typically preferred by Basis administrators, developers and HR clerks. Until now, such accesses were controlled only by the table-level authorizations S_TABU_DIS (by authorization group), S_TABU_NAM (by table name) and S_TABU_CLI (cross-client maintenance). These apply the “all or nothing” principle: whoever may display the table sees every row and every column.

But are these people really allowed to see all personal data without restriction?

Example:
The HCM table PA0008 (infotype 0008, Basic Pay) contains the salary data of every employee in the company. This data is central to the regular analyses around the monthly payroll and is therefore accessed frequently, but only a limited group of people should be allowed to see it. With direct table access, however, all of it is visible in full, right up to top management, which is a real security exposure.

SAP now provides the solution to this problem through the “Generic Table Browser (GTB)“.

Here are a few facts:

  • Table access permissions can be granted row by row and column by column.
  • Previous transactions, e.g. SE16N, are extended and delivered as new transactions (SE16N → S416N).
  • Access is controlled by a new authorization object, S_GTB_CUS.
  • Available with the software components SAP_APPL version ECC 616 and SAP_FIN version ECC 617.
  • After implementing SAP Note 2124497, also available in software component SAP_ABA.
  • Details can be found in SAP Note 2140828 – GTB: Documentation of ‘generic table display functions’.

Application example of the generic table display function:

Structure of the access authorizations

Transaction S416_ROLE is used to create a GTB role that defines, at row and column level, which parts of the desired table may be displayed.
In this example, the amount fields BET01 to BET04 are completely excluded from the display (section “Definition of columns WITHOUT authorization”).
In the “Permitted values definition” section, the display is limited at personnel number level (field PERNR) to the range 1000 to 2000.


This GTB role is then entered in a PFCG authorization role via the authorization object S_GTB_CUS, and that PFCG role is finally assigned to the SAP user.


Important: The user still needs the general table authorization via S_TABU_DIS or S_TABU_NAM. The GTB role only narrows what is displayed; it does not grant table access on its own.

Display of data via transaction S416N

An SAP user with this GTB role who opens table PA0008 in S416N sees only the values for which they are authorized.

Important: This only works when one of the GTB transactions, here S416N, is used; the row and column restrictions are enforced by the GTB transaction, not by the database and not by the S_TABU_* authorization. It is therefore equally essential to clean up the “old” table access authorizations and remove them from the user roles. In concrete terms: replace every SE16* transaction in the S_TCODE object with its counterpart from the new GTB generation, because a user who keeps SE16N next to S416N can still call up the full, unfiltered table there.

In our example, the personnel numbers between 1000 and 2000 are displayed, but the first four amount fields (BET01 to BET04) are hidden.


Personnel numbers outside the permitted value range PERNR 1000 to 2000 are likewise not displayed.
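To make the two points of this walkthrough concrete, the following added example models the GTB role from above (PERNR 1000 to 2000 permitted, BET01 to BET04 excluded) as a filter over constructed PA0008 rows, and shows why the cleanup of SE16* transactions matters: the same user opening the same table through a classic SE16N authorization gets every row and every column back. This is illustration code written for this article, not SAP code; the dataclasses, function names, sample rows and the “no GTB role means nothing is shown” rule are assumptions, and the actual behaviour inside SAP is defined by S_GTB_CUS and the notes cited above.

```python
"""Model of a GTB row/column filter on PA0008 and of the SE16* bypass.

Added example, not code from SAP or from the article. The dataclasses,
function names and sample rows are assumptions that mirror the S416_ROLE
settings described in the text. PERNR is handled as an 8-digit NUMC string.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# GTB transactions in which the role filter is enforced (only S416N is named in the text).
GTB_TCODES = {"S416N"}

# Constructed PA0008 sample (values invented): pay scale group and four amount fields.
PA0008 = [
    {"PERNR": "00000950", "TRFGR": "E11", "BET01": 4100.0, "BET02": 150.0, "BET03": 0.0, "BET04": 0.0},
    {"PERNR": "00001000", "TRFGR": "E12", "BET01": 4600.0, "BET02": 0.0, "BET03": 80.0, "BET04": 0.0},
    {"PERNR": "00001500", "TRFGR": "E13", "BET01": 5200.0, "BET02": 200.0, "BET03": 0.0, "BET04": 50.0},
    {"PERNR": "00002000", "TRFGR": "E14", "BET01": 6100.0, "BET02": 0.0, "BET03": 0.0, "BET04": 0.0},
    {"PERNR": "00002001", "TRFGR": "AT", "BET01": 21000.0, "BET02": 5000.0, "BET03": 0.0, "BET04": 0.0},
]


@dataclass
class GtbRole:
    """One S416_ROLE definition: columns without authorization and permitted key values."""
    table: str
    excluded_columns: frozenset[str]
    permitted_values: dict[str, tuple[str, str]]  # field -> (low, high), inclusive, NUMC strings


@dataclass
class User:
    tcodes: set[str]                  # S_TCODE values
    table_display: set[str]           # tables granted via S_TABU_DIS / S_TABU_NAM (simplified)
    gtb_roles: list[GtbRole] = field(default_factory=list)  # assigned through S_GTB_CUS


def _row_permitted(row: dict, permitted: dict[str, tuple[str, str]]) -> bool:
    # String comparison is valid here because PERNR and the bounds are zero-padded to 8 digits.
    return all(low <= row[f] <= high for f, (low, high) in permitted.items())


def display_table(user: User, tcode: str, table: str, rows: list[dict]) -> list[dict]:
    """Return the rows the user sees when opening `table` via `tcode`."""
    if tcode not in user.tcodes:
        raise PermissionError(f"S_TCODE: {tcode} not granted")
    # The general table authorization is still required, GTB role or not.
    if table not in user.table_display:
        raise PermissionError(f"S_TABU_DIS/S_TABU_NAM: {table} not granted")
    if tcode not in GTB_TCODES:
        # Classic SE16* path: all or nothing, the GTB role is never consulted.
        return [dict(r) for r in rows]
    roles = [r for r in user.gtb_roles if r.table == table]
    if not roles:
        # Assumption for this model: no GTB role for the table, nothing is displayed.
        raise PermissionError(f"S_GTB_CUS: no GTB role for {table}")
    role = roles[0]  # several roles per table are not modelled here
    return [
        {k: v for k, v in row.items() if k not in role.excluded_columns}
        for row in rows
        if _row_permitted(row, role.permitted_values)
    ]


def audit_legacy_tcodes(user: User) -> list[str]:
    """The cleanup check: SE16* transactions left in S_TCODE that bypass the GTB filter."""
    return sorted(t for t in user.tcodes if t.startswith("SE16"))


# The role from the walkthrough: amount fields hidden, PERNR 1000 to 2000 only.
PAYROLL_CLERK = GtbRole(
    table="PA0008",
    excluded_columns=frozenset({"BET01", "BET02", "BET03", "BET04"}),
    permitted_values={"PERNR": ("00001000", "00002000")},
)

clerk = User(tcodes={"S416N"}, table_display={"PA0008"}, gtb_roles=[PAYROLL_CLERK])
# Cleanup not done: SE16N is still granted next to S416N.
clerk_with_legacy = User(tcodes={"S416N", "SE16N"}, table_display={"PA0008"}, gtb_roles=[PAYROLL_CLERK])

if __name__ == "__main__":
    for r in display_table(clerk, "S416N", "PA0008", PA0008):
        print("S416N:", r)
    print("SE16N rows visible:", len(display_table(clerk_with_legacy, "SE16N", "PA0008", PA0008)))
    print("legacy tcodes to replace:", audit_legacy_tcodes(clerk_with_legacy))
```

Run it as-is: the S416N path yields three rows without the BET fields, the SE16N path yields all five rows including the top-management salary, and `audit_legacy_tcodes` lists the transaction that still has to be swapped for its GTB counterpart.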


The new Generic Table Browser opens up flexible options for securing access to sensitive data. This is particularly significant in SAP Human Capital Management (HCM), where the protection of personal data is paramount. With the Generic Table Browser, companies can ensure that only authorized users see sensitive HCM data, even through generic table display, which improves data protection practice and raises the level of security.

We would be happy to be your partner in this area for the development of suitable authorization concepts and the implementation of solutions tailored to your needs. Contact us!

Author: Sean Schröpfer