SAP Knowledge Base Article - Public

2634784 - GDPR - Read Audit in Advanced Reports (Realms)

Symptom

  • How does GDPR Read Audit feature applies in Advance Report?
  • How does Read Audit Logging applies to Realms Queries?
  • Does GDPR applies to Legacy ODS Reporting?

Environment

Advance Reporting (Realms)

Resolution

Read audit logging applies to all reports that contain sensitive data in advanced reports (realms).

We log read actions to the read audit log for sensitive data in advanced reports (Realms). Logging includes reports with sensitive fields that are used in grouped reports or  calculated columns. When there is more than one sensitive field, a log is registered for each sensitive field.


All sensitive fields accessed in a report are logged. This includes sensitive fields used in a grouped query, an aggregation or in a calculated column.


Null values are not logged. Exception to this rule is if the field is used in a calculation - then it is logged regardless of whether it is null or has a value.


When a report runs, all results in the report are logged even if user only views the first page (first 10 rows). In query designer, the preview fetches and logs the first 100 rows of the report even if the user sees only the first page (= first 10 rows).


During query design time, the user might preview a query multiple times. Normally, this results in new read logs being generated on each preview. But sometimes the query result is read from the cache to optimize the performance of the query designer. As a result, there might not be new logs created each time user previews the query result.
Exporting a query (also from the preview) always creates a new set of read logs.


If a sensitive field does not have proper configuration of the module name, functional area, and functional subarea, the report is not preview or run. The user sees a generic error on the screen.


Logs from Advanced Reporting log the same values for module name, functional area, and functional subarea as if the field was accessed via the modules. Only difference is that the "channel"-property in the log is "reporting" and that the “context” fields might be empty in certain cases.


Logs are stored temporarily in the Advanced Reporting report server and sent to the global storage of read logs. This process can delay the logs from appearing in the reports for read logs. Normally, this delay is not noticeable (few minutes). If the logs are not transferred to the global storage for more than three days, support is automatically notified. The logs are not lost, they are just not transferred to the global storage, and therefore not yet visible in the reporting tool that the data protection officer use to extract the logs.
When an Admin enables or disables read audit in the Admin Tool, the change is synced to the advanced reporting solution. There is a delay of 30-60 minutes in the synchronization process.


When a field is marked as sensitive in the source modules, this metadata needs to be synchronized to the Advanced Reporting solution. This synchronization can take up to 24 hours. Allow a day between marking a field as sensitive and validating that the field is being logged when accessed via advanced reporting.

NOTE - The Legacy Employee Central Reporting user interface and data model (Legacy ODS) does not support read audit and data blocking.

Keywords

Read Audit
GDPR
Realms
Advance Reporting
Data Privacy
Data Protection
Legacy ODS , KBA , LOD-SF-ANA-ODS , Advanced Reporting , How To

Product

SAP SuccessFactors HCM Core all versions