Tuesday, October 20, 2020

SAP BW and GDPR

EU’s regulation regarding to data protection and privacy known as General Data Protection Regulation (GDPR) came to a force on 25 May 2018. Briefly, it gives EU residents better protection and control of their personal data. It regulates how organization can handle the data (from perspective of collecting, storing, and transferring it). In addition, as well how they use the data. The organization in and outside the EU that process data of EU residents must follow the rule. In this post, I would like to summarize how the GDPR or other data protection laws can be supported by SAP BW systems. In further text, I just use term the BW that means BW and BW/4HANA as well.

The SAP BW has so called Data Protection and Privacy (DDP) features which can help the organization comply with the GDPR. There are following 4 areas of the DDP:

1 Read Access Logging (RAL):

Is used to log and monitor read access to sensitive data. It is contained within NetWeaver Platform (ABAP Stack) infrastructure.  It can be used to log access of SAP BW: Master data maintenance, InfoProvider administration (“Display Data” e.g. function in t-code RSA1, t-code LISTCUBE etc.), PSA and table maintenance (t-codes SE16, SM320 etc.) and Update simulation. In the SAP BW, it is recommended to use LOPD authorization based read access logging for transactional data. The BW provides a mechanism for logging all LOPD relevant access to data in reporting and planning applications. The LOPD only works only with new Authorization Concept (called Analysis Authorization) that was introduced in BW 7.x. It does not work with 3.x Authorization Concept (that one was based on authorization objects). Following Analysis Authorizations are checked when data in BW is accessed: Reporting  in  all  BEx  front  ends  (BEx Analyzer in MS Excel, Web reporting, F4   help, Planning  applications  (Integrated  Planning  and  BW-BPS), BW  interfaces  that  read  data  (RSDRI,  RSCRM_BAPI,  open  hub  service),  Most  data  sources  in  Analysis  Process  Designer (APD).

The name LODP comes from Spanish data protection law, which was introduced after year 2020. Basically; the LOPD is logging all these above-mentioned activities and stores the information in its tables:

RSECLOPDLOGC - Store for LOPD Logs

RSECLOPDLOGF - LOPD Protocol: Filter

RSECLOPDLOGH - LOPD Log: Control Data

RSECLOPDLOGI - LOPD Log: Details

RSECLOPDQFILTER - Filter within Queries

RSECLOPDQIOBJ - LOPD-Relevant Objects Within Queries

RSECLOPDQSTAT - LOPD-Relevant Objects Within Queries

 

Moreover below are basic costuming tables of the LOPD:

RSECLOPDIP - InfoProviders  registered  as  relevant for the LOPD

RSECLOPDIOBJ - groups of InfoObjects are registered that represent LOPD relevant access

 

The LOPD logs can be reviewed in t-code RSECPROT. In case LOPD is enabled in the BW system all access to LOPD-relevant InfoProviders and queries done by all user are documented in here.

 

2 Information report:

SAP BW provide tools supporting users to analyze usage of sensitive information (e.g. where-used list, master data maintenance).

 

3 Deletion of personal data:

Sensitive data can be selectively deleted in SAP BW. Where-used list to support identification of InfoProviders containing the values to be deleted is provided. Possibility to automate regular deletion tasks of transactional data within Process Chains.

 

4 Log changes to personal data:

Track changes to master and transactional data. Audit and Change Logs available to monitor changes to transaction data.

 

On top of the LOPD in the newest version of the SAP BW (7.5 or BW4/HANA) SAP has provided tool so called Data Protection Workbench (t-code RSDPP) - DPW. The DPW manages identification of sensitive data and selective deletion of corresponding transactional and master data records. SAP Information Lifecycle Management (ILM) ensures data retention management in operational systems (ERP like SAP’s ECC or S4/HANA) from data protection & privacy compliance perspective. The framework of the ILM allows persisting notifications of deleted (personal) data during ILM processes (e.g. deletion of personal data). These ILM notifications are then replicated from operational system to BW. Technically the notifications are loaded to BW’s Data Store Object, via DataSources.  There is a mapping of SAP ILM object (e.g. ‚Sales Order‘) to BW DataSources (in the latest B4/HANA 1.0 and 2.0 systems there can extraction be based on CDS views). Finally, in the BW there is DPW. It provides data protection notifications, which contain information about ILM events based on ILM objects (for example, data archiving or data destruction for a business object instance, like a sales order) mapped to application-specific data sources. So sensitive data is identified and their corresponding transactional and master data records are selective deleted.

 

More information:

933441 - Frequently asked questions on BW (BW/4HANA) and read access logging for data protection

2590321 - Upgrade recommendations to support GDPR compliance

901648 - LOPD and data protection compliance in BW 7.0

2748685 - Business Suite Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)

2824456 - SAP S/4HANA Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)

2642676 - NW 7.50 - BEx 7.x Java runtime – deletion of data - excluding personal user

Introducing the Data Protection Workbench of SAP BW/4HANA 2.0

Data Protection Workbench for SAP BW/4HANA   

Data Protection Workbench for SAP BW              

Monday, October 19, 2020

What SAP software still using Adobe Flash?

Adobe Flash as platform to enable animations, rich web applications, games, video or a multimedia in general in mobile and desktop web browsers has come to end of its life. As predicted long time ago (approx. in 2010) by Steve Jobs in Thoughts on Flash due to its vendor lock-in, limited accessibility, security issues, rapid energy consumption, poor performance on mobile devices etc. the other technologies (mostly HTML5) proved to be better than the Flash. Thus, the Flash Player has been deprecated and has an official end-of-life on December 31, 2020. Web browser vendors will stop supporting it means whatever software using the Flash; it will not be possible to run the flash objects in the web browser anymore.

SAP has used the Flash technology in some of its products for web user interface therefore these products will no longer function beyond 2020. It is necessary to upgrade components of SAP software that is still using the flash to remain the SAP software functional. Below I provide a short overview of some SAP software in which the Flash technology was (is) used.

 

SAP Jam – within video functionality like screen capture and webcam recording

Sybase - SAP IQ COCKPIT

SAP Data Services – in Data Services Management Console (DSMC)

SAP BusinessObjects Business Intelligence Platform (SAP BI) - SAP BI LaunchPad, Central Management Console (CMC) – uses Flash prompt screen for the parameters, Xcelsius 2008, Dashboard Design 4.0, Crystal Reports for Enterprise, Crystal Reports Designer

SAP SuccessFactors - SAP SuccessFactors Learning administration (LOD-SF-LMS), SAP SuccessFactors Recruiting Marketing "Recruiter Dash" (LOD-SF-RMK), other Advanced UI features within the SuccessFactors (e.g. lineage charts and instructional videos)

SAP BPC – the BPC version needs to be upgraded to BPC 10.1, where Adobe Flash is replaced by HTML5 technology. Component that needs to be upgraded from is:

CPMBPC        801     CPM Business Planning and Consolidation


More information:

2458598 - Deprecation of Flash Support in Browsers

2935567 - BPC 10.0 for Microsoft and BPC 10.0 for NetWeaver regarding Adobe Flash end of support

2919654 - When is the end of maintenance for the BPC10.0 NW product?

2513517 - When does mainstream maintenance end for BPC 10.0?

2929829 - BPCMS 10.1: Retirement of Management Console component based on flash


Wednesday, October 7, 2020

SAP’s divestments over years

As follow up on my other blog called SAP’s acquisitions over years I try to collects divestments of SAP too. There are not much information on this topic available on internet. Thus, my guess is that most of information will only be added in future when it will come to selling of assets.

07/2020 - Qualtrics IPO - approximately 20 months after its acquisition the Qualtrics is set to go public via preparing its IPO.

05/2020 - SAP Digital Interconnect - to be acquired by Sinch. The Digital Interconnect division was added into the SAP via to a company called Mobile 365 Inc., which Sybase acquired in 2006. The Sybase became part of SAP when the company bought Sybase in 2010.

Thursday, October 1, 2020

How to make ABAP programs selection screen test portable

While ABAP report developing; standard developer tools are having an option how to enter texts to elements of selection screen. It is available within t-code SE38 in menu Goto -> Text Elements -> Selection Texts. However, maintain the text in this way makes our ABAP programs not portable. This is because the texts entered there are not part of the source code. In case we want to move the program from one system to another just via copy & paste the Selection Texts won’t be moved and they need to be entered into target system again manually via the menu path.

However, there is a way to overcome this obstacle. The Selection Texts can be adjusted within the ABAP source code as well. For that, we can use ABAP program events like AT SELECTION-SCREEN OUTPUT or INITIALIZATION. Within those events it is possible to manipulate with variables created by PARAMETERS and SELECT-OPTIONS (also frames defined in the report can be covered like this) ABAP statements. Let say I have small ABAP program like below with the two parameters on its selection screen: 

DATAlt_adr6 TYPE adr6"just for SELECT-OPTIONS

PARAMETERS p1 TYPE uja_appset_info-appset_id.
SELECT-OPTIONSs_rec FOR lt_adr6-smtp_addr.

AT SELECTION-SCREEN OUTPUT"Set labels for sel scr
  %_p1_%_app_%
-text 'Environment Name' ##NO_TEXT .
  %_s_rec_%_app_%
-text 'Email Recipients' ##NO_TEXT .

In this case, the Selection Texts are taken not from menu but from the ABAP report source code itself.