Prevent Unauthorized Changes to Historical Time Master Data
- by Malcolm Dillon, Independent GRC and Security Consultant
- November 8, 2012
Using these simple steps, learn how to prevent unauthorized users from making changes to historical time master data. Once an employee enters time data and an employee’s manager or time administrator approves the submission, it is important that the employee can’t make any additional changes to those hours.
The Report for Time Leveling (RPTAPPU0) is an SAP standard report that creates test procedures for time infotype records. With this report, an authorized person can check the time data of an employee or group of employees and automatically release it if there are no queries.
One of the most obvious gaps in SAP ERP HCM system security is how to lock down historical data. With standard SAP security authorizations, if a user has access to a specific Personnel Administration (PA) infotype, this access applies to all past, present, and future data. The validity date of the record has no impact on the ability to access data.
This security issue becomes increasingly problematic with regard to time management. Time data typically needs to be modified only until it is relevant to payroll processing. Any historical data should be modifiable only by the central HR or time administrators.
By using a little-known piece of functionality — test procedures (infotype 0130) — companies can provide an additional layer of security that offers period-based protection of HR data. This protection applies only to changes to the protected data. Users with view access can still see the historical records.
So what exactly is infotype 0130 (test procedures)? Infotype 0130 is a data record indicating that the data related to the test procedure has been checked up to a specified date. Once you create an infotype 0130 record for a personnel number, the SAP system checks whether the validity date of a record is before or after the date of the test procedure. If the validity date is before the test procedure date and the user does not have the necessary authorization, the system rejects any changes to that record.
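The decision described above, modelled in Python as an added example (it is not SAP code and not from the article), applied to a constructed list of attempted actions to show which ones the period lock should reject. All names, users, personnel numbers and dates are constructed; treating a record dated exactly on the test procedure date as unlocked follows the article's wording "before" and is a modelling assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Change:
    """One attempted action on a time record (constructed sample shape)."""
    user: str
    pernr: str            # personnel number
    validity_date: date   # validity date of the record being touched
    action: str           # "display" or "change"

def is_allowed(change, release_dates, authorized_users):
    """Apply the infotype 0130 rule as the article describes it."""
    if change.action == "display":
        return True                   # protection applies to changes only
    released_to = release_dates.get(change.pernr)
    if released_to is None:
        return True                   # no test procedure record, no period lock
    if change.validity_date >= released_to:
        return True                   # not before the test procedure date
    return change.user in authorized_users  # historical data: admins only

def audit(changes, release_dates, authorized_users):
    """Return the attempted actions that the period lock should reject."""
    return [c for c in changes
            if not is_allowed(c, release_dates, authorized_users)]

# Constructed sample data: one personnel number released up to 2012-10-31.
RELEASE_DATES = {"00001001": date(2012, 10, 31)}
AUTHORIZED = {"TIMEADMIN"}   # hypothetical user holding the authorization
SAMPLE = [
    Change("EMP1", "00001001", date(2012, 10, 15), "change"),       # locked
    Change("EMP1", "00001001", date(2012, 10, 15), "display"),      # view only
    Change("EMP1", "00001001", date(2012, 11, 5), "change"),        # open period
    Change("TIMEADMIN", "00001001", date(2012, 10, 15), "change"),  # authorized
    Change("EMP2", "00001002", date(2012, 9, 1), "change"),         # no 0130 record
    Change("EMP1", "00001001", date(2012, 10, 31), "change"),       # boundary date
]

if __name__ == "__main__":
    for c in audit(SAMPLE, RELEASE_DATES, AUTHORIZED):
        print("should be rejected:", c)
```

The fifth sample entry shows the gap the article starts from: a personnel number with no infotype 0130 record has no period lock at all, so historical data for it stays changeable by anyone with access to the infotype.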