The EU's regulation on data protection and privacy, known as the General Data Protection Regulation (GDPR), came into force on 25 May 2018. Briefly, it gives EU residents better protection of and control over their personal data. It regulates how organizations may handle the data (collecting, storing and transferring it) and how they may use it. Organizations both inside and outside the EU that process data of EU residents must follow these rules. In this post, I would like to summarize how the GDPR or other data protection laws can be supported by SAP BW systems. In the rest of this post, I use the term BW for both BW and BW/4HANA.
SAP BW has so-called Data Protection and Privacy (DPP) features which can help an organization comply with the GDPR. There are four DPP areas:
1 Read Access Logging (RAL):
RAL is used to log and monitor read access to sensitive data. It is contained within the NetWeaver platform (ABAP stack) infrastructure. It can be used to log access in SAP BW: master data maintenance, InfoProvider administration (e.g. the "Display Data" function in t-code RSA1, t-code LISTCUBE etc.), PSA and table maintenance (t-codes SE16, SM320 etc.) and update simulation. In SAP BW, it is recommended to use LOPD authorization-based read access logging for transactional data. BW provides a mechanism for logging all LOPD-relevant access to data in reporting and planning applications. LOPD only works with the new authorization concept (called Analysis Authorizations) that was introduced in BW 7.x. It does not work with the 3.x authorization concept (which was based on authorization objects). The following Analysis Authorizations are checked when data in BW is accessed:
- Reporting in all BEx front ends (BEx Analyzer in MS Excel, Web reporting, F4 help)
- Planning applications (Integrated Planning and BW-BPS)
- BW interfaces that read data (RSDRI, RSCRM_BAPI, open hub service)
- Most data sources in Analysis Process Designer (APD)
The name LOPD comes from the Spanish data protection law, which was introduced after the year 2020. Basically, LOPD logs all the above-mentioned activities and stores the information in its tables:
RSECLOPDLOGC - Store for LOPD Logs
RSECLOPDLOGF - LOPD Protocol: Filter
RSECLOPDLOGH - LOPD Log: Control Data
RSECLOPDLOGI - LOPD Log: Details
RSECLOPDQFILTER - Filter within Queries
RSECLOPDQIOBJ - LOPD-Relevant Objects Within Queries
RSECLOPDQSTAT - LOPD-Relevant Objects Within Queries
Moreover, below are the basic customizing tables of LOPD:
RSECLOPDIP - InfoProviders registered as relevant for LOPD
RSECLOPDIOBJ - groups of InfoObjects registered as representing LOPD-relevant access
The LOPD logs can be reviewed in t-code RSECPROT. If LOPD is enabled in the BW system, all access to LOPD-relevant InfoProviders and queries by all users is documented here.
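As an added illustration (not part of the original post and not SAP's own tooling), the script below reviews constructed read-access records of the kind a reviewer would pull from RSECPROT, in an assumed semicolon-separated export layout, and flags two things worth a second look: users reading an LOPD-relevant InfoProvider outside the expected group, and queries with no restriction on the LOPD-relevant InfoObject (an unfiltered read of every data subject's records). The InfoProvider, query and user names are placeholders.

```python
from collections import defaultdict

# Constructed sample records; the layout is an assumption for this example,
# not the real RSECPROT export format. Fields: timestamp;user;infoprovider;
# query;selection on the LOPD-relevant InfoObject ('*' = no restriction).
SAMPLE_LOG = """\
2024-03-01 08:02:11;HR_ANALYST1;ZHR_PAYROLL;ZHR_PAY_Q01;EMPLOYEE=00001234
2024-03-01 08:05:47;HR_ANALYST1;ZHR_PAYROLL;ZHR_PAY_Q01;EMPLOYEE=00005678
2024-03-01 09:15:02;SALES_USER7;ZHR_PAYROLL;ZHR_PAY_Q01;EMPLOYEE=00001234
2024-03-01 21:40:33;HR_ANALYST2;ZHR_PAYROLL;ZHR_PAY_Q02;*
2024-03-01 10:00:00;SALES_USER7;ZSD_ORDERS;ZSD_ORD_Q01;CUSTOMER=0000100
"""

# Assumed review customizing: the InfoProviders registered as LOPD-relevant
# (what RSECLOPDIP holds in BW) and the users expected to read each of them.
APPROVED_READERS = {"ZHR_PAYROLL": {"HR_ANALYST1", "HR_ANALYST2"}}


def parse_log(text):
    """Split the constructed export into one dict per access record."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, iprov, query, selection = line.split(";")
        records.append({"ts": ts, "user": user, "infoprovider": iprov,
                        "query": query, "selection": selection})
    return records


def review(records, approved, subject_limit=3):
    """Return (finding, user, infoprovider, detail) tuples for a reviewer."""
    findings = []
    subjects = defaultdict(set)  # (user, infoprovider) -> distinct subjects read
    for r in records:
        iprov = r["infoprovider"]
        if iprov not in approved:
            continue  # not registered as LOPD-relevant: nothing to review
        if r["user"] not in approved[iprov]:
            findings.append(("UNAPPROVED_READER", r["user"], iprov, r["ts"]))
        if r["selection"] == "*":
            findings.append(("UNFILTERED_READ", r["user"], iprov, r["query"]))
        else:
            subjects[(r["user"], iprov)].add(r["selection"])
    # One user looking up many distinct data subjects is a bulk-lookup pattern.
    for (user, iprov), seen in subjects.items():
        if len(seen) > subject_limit:
            findings.append(("MANY_SUBJECTS", user, iprov, str(len(seen))))
    return findings
```

On the constructed sample, review(parse_log(SAMPLE_LOG), APPROVED_READERS) yields one UNAPPROVED_READER finding for SALES_USER7 and one UNFILTERED_READ finding for HR_ANALYST2; the unregistered ZSD_ORDERS access is ignored.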
2 Information report:
SAP BW provides tools that support users in analyzing the usage of sensitive information (e.g. where-used list, master data maintenance).
3 Deletion of personal data:
Sensitive data can be selectively deleted in SAP BW. A where-used list is provided to support identification of the InfoProviders containing the values to be deleted. Regular deletion tasks for transactional data can be automated within Process Chains.
4 Log changes to personal data:
Changes to master and transactional data are tracked. Audit and change logs are available to monitor changes to transactional data.
On top of LOPD, in the newest versions of SAP BW (7.5 or BW/4HANA) SAP has provided a tool called the Data Protection Workbench (DPW, t-code RSDPP). The DPW manages the identification of sensitive data and the selective deletion of the corresponding transactional and master data records. SAP Information Lifecycle Management (ILM) ensures data retention management in operational systems (ERP such as SAP's ECC or S/4HANA) from a data protection and privacy compliance perspective. The ILM framework allows persisting notifications of deleted (personal) data during ILM processes (e.g. deletion of personal data). These ILM notifications are then replicated from the operational system to BW. Technically, the notifications are loaded into a BW DataStore Object via DataSources. There is a mapping of SAP ILM objects (e.g. 'Sales Order') to BW DataSources (in the latest BW/4HANA 1.0 and 2.0 systems the extraction can be based on CDS views). Finally, in BW there is the DPW. It provides data protection notifications, which contain information about ILM events based on ILM objects (for example, data archiving or data destruction for a business object instance, like a sales order) mapped to application-specific data sources. In this way sensitive data is identified and the corresponding transactional and master data records are selectively deleted.
More information:
933441 - Frequently asked questions on BW (BW/4HANA) and read access logging for data protection
2590321 - Upgrade recommendations to support GDPR compliance
901648 - LOPD and data protection compliance in BW 7.0
2748685 - Business Suite Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)
2824456 - SAP S/4HANA Data Protection Notifications for SAP BW/4HANA and SAP Business Warehouse (SAP BW)
2642676 - NW 7.50 - BEx 7.x Java runtime – deletion of data - excluding personal user
Introducing the Data Protection Workbench of SAP BW/4HANA 2.0