Tuesday, October 20, 2020

SAP BW and GDPR

The EU's regulation on data protection and privacy, known as the General Data Protection Regulation (GDPR), came into force on 25 May 2018. Briefly, it gives EU residents better protection and control of their personal data. It regulates how organizations handle the data (collecting, storing, and transferring it) as well as how they use it. Organizations inside and outside the EU that process data of EU residents must follow the rules. In this post, I would like to summarize how the GDPR or other data protection laws can be supported by SAP BW systems. In the text below, I use the term BW to mean both BW and BW/4HANA.

SAP BW has so-called Data Protection and Privacy (DPP) features, which can help an organization comply with the GDPR. The DPP covers the following 4 areas:

1 Read Access Logging (RAL):

It is used to log and monitor read access to sensitive data. It is part of the NetWeaver Platform (ABAP Stack) infrastructure. It can be used to log access in SAP BW to: master data maintenance, InfoProvider administration (e.g. the “Display Data” function in t-code RSA1, t-code LISTCUBE etc.), PSA and table maintenance (t-codes SE16, SM320 etc.) and update simulation. In SAP BW, it is recommended to use LOPD authorization-based read access logging for transactional data. BW provides a mechanism for logging all LOPD-relevant access to data in reporting and planning applications. The LOPD works only with the new authorization concept (called Analysis Authorization) that was introduced in BW 7.x. It does not work with the 3.x authorization concept (which was based on authorization objects). Analysis Authorizations are checked when data in BW is accessed through: reporting in all BEx front ends (BEx Analyzer in MS Excel, Web reporting), F4 help, planning applications (Integrated Planning and BW-BPS), BW interfaces that read data (RSDRI, RSCRM_BAPI, open hub service), and most data sources in the Analysis Process Designer (APD).

The name LOPD comes from the Spanish data protection law, which was introduced after the year 2020. Basically, the LOPD logs all of the above-mentioned activities and stores the information in its tables:

RSECLOPDLOGC - Store for LOPD Logs

RSECLOPDLOGF - LOPD Protocol: Filter

RSECLOPDLOGH - LOPD Log: Control Data

RSECLOPDLOGI - LOPD Log: Details

RSECLOPDQFILTER - Filter within Queries

RSECLOPDQIOBJ - LOPD-Relevant Objects Within Queries

RSECLOPDQSTAT - LOPD-Relevant Objects Within Queries

 

Moreover, below are the basic customizing tables of the LOPD:

RSECLOPDIP - InfoProviders registered as relevant for the LOPD

RSECLOPDIOBJ - Groups of InfoObjects registered as representing LOPD-relevant access

 

The LOPD logs can be reviewed in t-code RSECPROT. If LOPD is enabled in the BW system, all access to LOPD-relevant InfoProviders and queries by all users is documented here.

 

2 Information report:

SAP BW provides tools that help users analyze the usage of sensitive information (e.g. where-used list, master data maintenance).

 

3 Deletion of personal data:

Sensitive data can be selectively deleted in SAP BW. A where-used list is provided to support identification of the InfoProviders containing the values to be deleted. Regular deletion tasks for transactional data can be automated within Process Chains.

 

4 Log changes to personal data:

Changes to master and transactional data can be tracked. Audit and Change Logs are available to monitor changes to transaction data.

 

On top of the LOPD, in the newest versions of SAP BW (7.5 or BW/4HANA) SAP has provided a tool called the Data Protection Workbench (DPW, t-code RSDPP). The DPW manages identification of sensitive data and selective deletion of the corresponding transactional and master data records. SAP Information Lifecycle Management (ILM) ensures data retention management in operational systems (ERP systems like SAP's ECC or S/4HANA) from a data protection and privacy compliance perspective. The ILM framework allows persisting notifications of deleted (personal) data during ILM processes (e.g. deletion of personal data). These ILM notifications are then replicated from the operational system to BW. Technically, the notifications are loaded into a BW Data Store Object via DataSources. There is a mapping of SAP ILM objects (e.g. 'Sales Order') to BW DataSources (in the latest BW/4HANA 1.0 and 2.0 systems the extraction can be based on CDS views). Finally, in BW there is the DPW. It provides data protection notifications, which contain information about ILM events based on ILM objects (for example, data archiving or data destruction for a business object instance, like a sales order) mapped to application-specific data sources. In this way sensitive data is identified and the corresponding transactional and master data records are selectively deleted.

 

More information:

933441 - Frequently asked questions on BW (BW/4HANA) and read access logging for data protection

2590321 - Upgrade recommendations to support GDPR compliance

901648 - LOPD and data protection compliance in BW 7.0

2748685 - Business Suite Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)

2824456 - SAP S/4HANA Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)

2642676 - NW 7.50 - BEx 7.x Java runtime – deletion of data - excluding personal user

Introducing the Data Protection Workbench of SAP BW/4HANA 2.0

Data Protection Workbench for SAP BW/4HANA   

Data Protection Workbench for SAP BW              
