Monitoring the behavior of SAP users

Monitoring the behavior of SAP users

Increasing requirements (e.g. from GDPR regulations) force organizations to implement solutions that will increase the level of security of systems processing personal data. SAP is no different. Today's article will show you how to increase data security in 3 steps.

Data security is not only about authorizations

To break down the topic into prime factors, let's start with the basics. Each user in SAP is granted authorizations. They decide whether the user should get access to a certain batch of data or whether such access should be blocked. Based on the assigned roles, we can restrict access. Thats true. Here, on the other hand, there is a quite serious problem related to the potential leakage of data outside the system.

1. Monitoring of personal data display

Standard SAP solutions are limited to authorization management. The standard does not provide a clear answer to questions about "who", "what" and "when" displayed on its screen. Currently, with an ordinary mobile phone, each user is able to take a picture of the screen on which personal data is displayed (or make a print screen), there is practically no trace of this action. Therefore, it is important to monitor and log risky user operations with greater accuracy than the standard functionalities provided.

There are more examples of potential abuse. For example, privileged users (for example administrators) have almost unlimited access to data containing sensitive information. The new GDPR requirements are about monitoring access to data as effectively as possible. Not only regulatory requirements should be the only factor aimed at introducing changes to the processes of access to personal data. After all, the mere leakage of payroll data can disrupt the order between employees. Data can also be hijacked by competitors - and that's also a business problem.

Above, we present the essential elements of logging user behavior with the accuracy of displaying personal data, in a global manner. The resolution of user monitoring should therefore be large enough to precisely provide information related to the access (displays) of SAP HR data.

2. Saving data to files

As standard, the SAP system allows you to globally enable or disable the possibility of downloading data (e.g. from a report to which the user has access). By default, the logs only allow information about when and who downloaded a file with a specific name, to a specific path. As standard, there is no information about the content of downloaded files.

You can pay attention to the above screen through the prism of information about possible violations:
1 - What data was collected? No information
2 - Were there any critical personal data in the file? No information
3 - Are we able to play the downloaded file? No.

Fortunately (for data security in SAP), there are solutions that can effectively solve the above-mentioned problems. By providing extended information in logs about specific activities, with much more resolution.

With the help of defined keywords, reports or file sizes - administrators are able to receive information about potential abuse connected with downloading critical portions of data. Additionally, each download is postponed (for a specific amount of time), so it is possible to completely play the downloaded file

3. Exploitation of Transactions

Reducing the risks associated with unauthorized access to data also means ensuring that the rights granted are limited to the necessary minimum. The assumption is this - the authorizations granted do not always meet the required requirements in 100% (they are often much larger than those that the employee actually needs to perform his daily activities). Therefore, the use of transactions should be analyzed in terms of their use.

Statistics are located in ST03N and updated monthly. Thanks to this:
- unused transactions can be removed from user rights
- transactions not used in the role (by any user) - can be completely removed from the role


The above set of three user monitoring elements, with which you can extend your SAP system, supports the processes related to risk management and will directly increase the level of security. Such an operation will allow for quick ordering of the possibilities of abuse.

It is worth adding one more extremely important thing from the user monitoring perspective.

During one of our projects, a few weeks after the implementation of the above-mentioned functionalities, users were informed that their activities were monitored. The drop in data downloads to files fell by about 63%.

What are your users doing in SAP?