SAP Knowledge Base Article - Public

2614355 - [Data Protection and privacy Compliance]: Read Access Log (RAL) functionality

Symptom

Your company stores a wide range of personal data on your users, some of which could be considered potentially sensitive (for example, Personal Information gender, SSN etc). In order to be compliant with your local data privacy laws, it’s important that you keep track of who has accessed such sensitive personal data. As of the Q1 2020 release, you can use the new read audit function to designate fields on the UI as sensitive, and then create reports which can audit/display the user information accessing sensitive data and the time during which the data is accessed.

This enables Data Protection Officers to quickly determine who has accessed the personal data of employees or external candidates at your company.

This RAL feature would be available in all SF dataCenter now.

Environment

SAP SuccessFactors HXM Suite

Reproducing the Issue

NA

Cause

NA

Resolution

How to enable and control new audit report functionality introduced with 1802 release of SAP Successfactors?

Audit Report functionality can be controlled by Role based permissions under Admin Center->Manage permission role-> "Admin Center permission" as highlighted below:

permission.JPG

  • View Read and Change Audit Configuration
  • Edit Read and Change Audit Configuration
  • Above two permissions will enable "Manage Audit Configuration" under admin center as shown below:

Read Audit.JPG

  • Note that switch will be on by default (with the 1H 2020 release, read audit reporting is enabled by default in all Preview and Production systems, in all data centers) and if you have "Edit Read and Change Audit Confiuration" permission granted via RBP, you will be able to switch-on or switch-off the RAL feature.

  • Generate Read Audit Reports
    • Above permission will enable highlighted options under admin center:

AC read audit report.JPG

How to generate Reports?

  • Go to Admin Center-> Read Audit Reports
  • Under "Create Read Audit Report" you would see various serch option available:

Create Read Audit reports.JPG

  • For Example:  If you wish to check if for a particular user A, personal information of Employee central Module has been accessed by whom within a specific range of time then you select "Person Search" and enter data accordingly as per your requirement:

Create Read Audit reports1.JPG

    • Read On Subject User: If you wish to check who all has read an information for USER A.
    • Read By User/Data Operator: If you wish to check what all are the sensitive data read by USER A
  • Once done, click on "Submit".
  • Now, go to "Access Report" tab and wait for job to be executed.

Access Report.JPG

  • Once completed, you can download the log and verify detail:

report csv.JPG

NOTE:

  • This audit report is valid for UI access and API access both ie.e sensitive data read either on UI or using API calls (read Operation).
  • Report generation functionality has not been turned on for Salesdemo instances.

See Also

Read Audit

Important Notes About Read Audit

Keywords

RAL; Read Access Log; GDPR; OData API Audit Log doesn’t support read audit logging; Read Audit doesn’t log access to sensitive personal data in API payloads, nor is this information available for read audit reports; , KBA , LOD-SF-PLT-RAL , Read Access Logs , How To

Product

SAP SuccessFactors HXM Suite all versions