Prevent Unauthorized Changes to Historical Time Master Data

  • by Malcolm Dillon, Independent GRC and Security Consultant
  • November 8, 2012
Using these simple steps, learn how to prevent unauthorized users from making changes to historical time master data. Once an employee enters time data and an employee’s manager or time administrator approves the submission, it is important that the employee can’t make any additional changes to those hours.
Key Concept

The Report for Time Leveling (RPTAPPU0) is an SAP standard report that creates test procedures for time infotype records. With this report, an authorized person can check the time data of an employee or group of employees and automatically release it if there are no queries.

One of the most obvious gaps in SAP ERP HCM system security is how to lock down historical data. With standard SAP security authorizations, if a user has access to a specific Personnel Administration (PA) infotype, this access applies to all past, present, and future data. The validity date of the record has no impact on the ability to access data.

This security issue becomes increasingly problematic with regard to time management. Time data typically needs to be modified only until it is relevant to payroll processing. Any historical data should only be modifiable to the central HR or time administrators.

By using a little-known piece of functionality — test procedures (infotype 0130) — companies can provide an additional layer of security that offers period-based protection of HR data. This protection only applies to changes of the protected data. User with view access can still see the historical records.

So what exactly is infotype 0130 (test procedures)? Infotype 0130 is a data record that indicates up to a specified date that the data related to the test procedure has been checked. Once you create an infotype 0130 record for a personnel number, the SAP system checks the validity date to see whether it is before or after the date of the test procedure. Without the necessary authorization, if the validity date is before the test procedure date, the system rejects any changes to that record.

Malcolm Dillon

Malcolm Dillon is an independent SAP GRC and security consultant. He has over eight years of SAP security and audit experience.  He has worked on multiple SAP Access Control 5.3 implementation and upgrade projects.  HCM security role design and integration with SAP Access Control via HR triggers is his specialization. When he’s not spending time with his family, he can be found out on a local golf course.

See more by this author


No comments have been submitted on this article. 

Please log in to post a comment.

To learn more about subscription access to premium content, click here.