Secure Personal Data in SAP Access Control 10.1

  • by Joshu Madina, Associate Architect, SAP Labs India Pvt. Ltd.
  • April 7, 2017
Learn about different Information Lifecycle Management (ILM) objects for SAP Access Control and how these objects help secure personal data.

Learning Objectives

Reading this article, you will learn:

  • What personal data in SAP Access Control is and how to secure it
  • What SAP Access Control-specific Information Lifecycle Management (ILM) objects are
  • How to enable ILM for SAP Access Control
  • How to set up residence and retention rules for SAP Access Control based on ILM guidelines
  • Practical scenarios of the SAP GRC suite with ILM objects
Key Concept
By enabling Information Lifecycle Management (ILM) for SAP Access Control 10.1, you can block and then destroy personal data by setting up residence and retention periods. These periods are evaluated during data access in terms of SAP Access Control reports, workflow requests in the inbox, and search requests. The strategic goal SAP wants to achieve with ILM is to enable SAP users to comply with national legal requirements regarding the destruction of personal data in the context of SAP Access Control.

SAP Access Control doesn’t store any business partner data itself, but because it analyzes data from connected SAP ERP and non-SAP ERP systems, the data it holds can contain personal information. This data needs to be secured during the residence and retention periods and destroyed once it is no longer needed. The technical basis for data destruction is the SAP NetWeaver component for Information Lifecycle Management (ILM). ILM can be thought of as a refined archiving solution that supports not only writing data to an archive but also deleting it from database tables. ILM enablement was implemented for SAP Access Control in version 10.1 Support Package 15.

The synchronization of the authorization data (role/user/profiles/HR objects) from SAP ERP and non-SAP ERP systems to the SAP Access Control system includes user IDs, email IDs, telephone numbers, addresses, organizational assignments, and end users’ behavioral data. For example, logs stored in the system show what activities are performed by end users in different ERP systems, and they contain personal information.

In this article, I describe how SAP Access Control supports the ILM framework for retention management and how personal data can be blocked after the end of the residence time and destroyed after the end of the retention time.
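The residence/retention model described above can be made concrete with a small simulation. The following Python code is an added example written for this page; it is not SAP's ILM implementation and does not use any SAP API. The record structure (LogRecord), the rule lengths (90-day residence, 365-day retention), the sample records and the reference date are all constructed assumptions. It shows the three phases a personal-data record passes through: active (fully visible in reports and searches), blocked (retained but excluded from normal data access), and eligible for destruction (deleted from the store).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Phase(Enum):
    ACTIVE = "active"      # inside the residence period: visible in reports/searches
    BLOCKED = "blocked"    # residence ended, retention not yet ended: kept but hidden
    DESTROY = "destroy"    # retention ended: eligible for destruction


@dataclass(frozen=True)
class RetentionRule:
    """Assumed rule shape: both periods are counted from the end-of-business date."""
    residence_days: int
    retention_days: int

    def __post_init__(self):
        # A retention period that ends before the residence period is a misconfiguration:
        # data would be destroyed while it is still supposed to be accessible.
        if self.retention_days < self.residence_days:
            raise ValueError("retention period cannot end before residence period")


@dataclass(frozen=True)
class LogRecord:
    """Constructed stand-in for a log entry that carries personal data."""
    record_id: str
    user_id: str
    end_of_business: date   # e.g. the date the related request was closed
    activity: str


def phase_for(record: LogRecord, rule: RetentionRule, today: date) -> Phase:
    """Evaluate which lifecycle phase a record is in on a given day.

    The boundary day itself already counts as the next phase: on the day the
    residence period ends the record is blocked, not active.
    """
    residence_end = record.end_of_business + timedelta(days=rule.residence_days)
    retention_end = record.end_of_business + timedelta(days=rule.retention_days)
    if today < residence_end:
        return Phase.ACTIVE
    if today < retention_end:
        return Phase.BLOCKED
    return Phase.DESTROY


def visible_in_report(records, rule: RetentionRule, today: date):
    """Blocking is enforced at access time: only active records reach a report."""
    return [r for r in records if phase_for(r, rule, today) is Phase.ACTIVE]


def destruction_candidates(records, rule: RetentionRule, today: date):
    """IDs of records whose retention period has ended."""
    return [r.record_id for r in records if phase_for(r, rule, today) is Phase.DESTROY]


def run_destruction(records, rule: RetentionRule, today: date):
    """Remove destroyable records; returns (remaining records, destroyed IDs)."""
    destroyed = set(destruction_candidates(records, rule, today))
    remaining = [r for r in records if r.record_id not in destroyed]
    return remaining, sorted(destroyed)


# Constructed sample data: one record per phase relative to the reference date.
RULE = RetentionRule(residence_days=90, retention_days=365)
TODAY = date(2017, 4, 7)
SAMPLE_LOGS = [
    LogRecord("R1", "JDOE",  date(2017, 3, 1),  "firefighter login"),   # 37 days old
    LogRecord("R2", "ASMITH", date(2016, 11, 1), "role assignment"),    # 157 days old
    LogRecord("R3", "BLEE",  date(2016, 1, 1),  "access request"),      # 463 days old
]


if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(rec.record_id, rec.user_id, phase_for(rec, RULE, TODAY).value)
    print("visible:", [r.record_id for r in visible_in_report(SAMPLE_LOGS, RULE, TODAY)])
    remaining, gone = run_destruction(SAMPLE_LOGS, RULE, TODAY)
    print("destroyed:", gone, "remaining:", [r.record_id for r in remaining])
```

The point the simulation makes is that blocking and destruction are different controls: a blocked record still exists (and would still be found by a direct database read or a restore from backup), so the access-time filter in visible_in_report is what keeps blocked personal data out of reports, the inbox and searches, while run_destruction is the only step that actually removes it.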

Joshu Madina

Joshu Madina is an associate architect at SAP Labs India Pvt. Ltd. He has a total of 11 years of experience in software development. Since 2005 he has been working at SAP Labs and involved in various phases of development and maintenance of SAP Access Control 4.0, 5.3, 10.0, and 10.1. He has expertise in Emergency Access Management, Access Risk Analysis, Mitigations, Access Request, Business Role Management, and SAP security and authorization concepts.
