RE: [sap-hr] SSN Masking
Posted by gregrobinette (Principal Consultant) on Apr 26 at 12:10 PM
The first step is to identify where it is properly used and where its
exposure needs to be controlled. Assuming that the HR users will be
authorized to view and utilize the personal identifying information data
including the social security number, the focus will be toward system users
that have access to view the social security number outside of the HR user
base.
In a standard system with no specific provisions for protecting the social
security number every infotype header usually will present the social
security number as a default setting.
Even when the user is authorized to display or change infotype 0002 the
social security number is rarely ever changed and should be eliminated from
the view whenever possible. The exposure of the Name and social security
number to casual viewers should be minimized. Every person passing by a
monitor with the standard display has the potential to note the name and
social security number on display.
For the HR SAP users, this group is usually authorized to see and use the
social security number and other key personal identifying information data;
there are steps that should be taken to help protect the employee social
security number. The hiding of the social security number within the
standard infotype header is a key step to minimize the casual viewing of the
social security number by passers-by, working partners, or anyone who may
glance at the screen.
The delivered search helps for looking up people include the social security
number as a standard. These standard displays and exposures of the social
security number should be examined to determine if they provide any business
value and if they are necessary.
This vulnerability will occur in all PERNR related search helps.
The steps to limit the exposure of personal identifying information are
found in the Implementation Guide (IMG) to Configuration. The settings are
found in two areas: the infotype header definition nodes and the search help
nodes. Adjusting them to achieve a better data protection is relatively
simple but does require a minimal understanding of the infotype header
structure and the way search helps are defined.
First navigate to the IMG using transaction code SPRO. Open the Personnel
Management Node. Open the Personnel Administration Node. Select the
Customizing User Interface Node. Execute the Change screen header selection.
Execute the 'header structure per infotype' node. This brings up the headers
that are assigned to the various infotypes. It is important to determine the
headers that have the social security number or SAP field PERID included in
their definition. These are the headers that will need to be changed.
The social security number is stored in the PERID field on infotype 0002, the
Personal Data infotype.
In the Header Definition the header modifier is linked to location
information for the display of the field in the header. It also specifies
the infotype and the fields from the infotype. To remove the social security
number or PERID from the header simply delete the related field entries for
the header modifier. This removes the social security number from the
headers.
Make sure you look for the headers in all your screens. The header in the
screens for PPOME and PPOSE includes the social security number or PERID as
standard functionality.
Find the header assigned in the PPO** screens by selecting one of the fields
in the sub screen. Use the F1 key to access the help for that field. Access
the technical details for the field. The program name is displayed.
Greg Robinette, CISM
757-407-7683 or 434-263-6942
Fax: 757-204-2038
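The post above tells you to find every header modifier whose definition pulls PERID from infotype 0002 and to delete those field entries. The script below is an added example, not code from the thread or from SAP: it audits an export of the "header structure per infotype" customizing entries for exposed fields and produces the cleaned entry list. The row shape (modifier, line, column, infotype, field) and the idea that these entries live in table T588J are assumptions, as is the sample data, which is constructed; export your own entries with SE16 and feed them in the same shape. It goes a little beyond the post by accepting any list of sensitive (infotype, field) pairs, so the same check covers other personal identifiers.

```python
"""Audit infotype-header customizing entries for PERID exposure.

Added example (not from the thread). Rows model the IMG node
"header structure per infotype"; the assumption that they map to SAP table
T588J is the author's, not the thread's. Sample rows are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class HeaderField:
    modifier: str   # header modifier (which screen header variant)
    line: int       # line position within the header
    column: int     # column position within the header
    infotype: str   # infotype supplying the field, e.g. "0002"
    field: str      # field name on that infotype, e.g. "PERID"


# Constructed sample export: two of three header modifiers show PERID.
SAMPLE_ROWS: List[HeaderField] = [
    HeaderField("00", 1, 1, "0001", "ENAME"),
    HeaderField("00", 1, 40, "0002", "PERID"),
    HeaderField("00", 2, 1, "0001", "PERSG"),
    HeaderField("01", 1, 1, "0001", "ENAME"),
    HeaderField("01", 2, 1, "0002", "GBDAT"),
    HeaderField("02", 1, 1, "0001", "ENAME"),
    HeaderField("02", 1, 40, "0002", "PERID"),
]

# (infotype, field) pairs that should never sit in a screen header.
# PERID on 0002 is the case from the thread; extend as needed.
SENSITIVE: Set[Tuple[str, str]] = {("0002", "PERID")}


def find_exposed_modifiers(rows: Iterable[HeaderField],
                           sensitive: Set[Tuple[str, str]] = SENSITIVE) -> List[str]:
    """Header modifiers that place a sensitive field in the header, sorted."""
    return sorted({r.modifier for r in rows if (r.infotype, r.field) in sensitive})


def strip_sensitive(rows: Iterable[HeaderField],
                    sensitive: Set[Tuple[str, str]] = SENSITIVE) -> List[HeaderField]:
    """The entry list with sensitive field entries deleted (the fix the post describes)."""
    return [r for r in rows if (r.infotype, r.field) not in sensitive]


def report(rows: List[HeaderField]) -> str:
    """Human-readable audit summary for the change request."""
    exposed = find_exposed_modifiers(rows)
    if not exposed:
        return "no header modifier exposes a sensitive field"
    lines = [f"header modifiers exposing sensitive fields: {', '.join(exposed)}"]
    for r in rows:
        if (r.infotype, r.field) in SENSITIVE:
            lines.append(f"  delete entry: modifier {r.modifier} line {r.line} "
                         f"col {r.column} -> {r.infotype}-{r.field}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ROWS))
    print("after cleanup:", report(strip_sensitive(SAMPLE_ROWS)))
```

Run it against the real export before and after the customizing change; the second report should come back empty, which is the evidence you attach to the transport. The same two functions work for a search-help parameter export if you give each parameter row an infotype and field name.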
From: Benking via sap-hr [mailto:sap-hr@Groups.ITtoolbox.com]
Sent: Monday, April 26, 2010 11:50 AM
To: gregrobinette
Subject: RE:[sap-hr] SSN Masking
Posted by Benking
on Apr 26 at 11:52 AM
As of now, we are only concerned about the PA20 screen and none of the other
t-codes/reports. Any suggestion on how to go about doing this for PA20? Other
posts are talking about user exits. Also, I was thinking, can we create a
custom auth obj for field PERID and secure it? Is that feasible? If so, how
can we do it? I am not a security guy.
---------------Original Message---------------
From: gregrobinette
Sent: Monday, April 26, 2010 11:37 AM
Subject: SSN Masking
> HREXPERT has an article on screening the SSN.
>
> Basically you take it off any headers and screens and associate them with
> user group that are assigned to the user parameters. Then you remove the
> field from all search helps. It is more complicated than that but this is
> the basic process. It does not secure the value as there is no
> authorization object that currently does that. I did hear a rumor at the
> SAP HR2010 conference that EHP5 will have an auth object for that field.
>
> Greg Robinette, CISM
>
> 757-407-7683 or 434-263-6942
>
> Fax: 757-204-2038
Copyright © 2010 Toolbox.com and message author.
Toolbox.com 4343 N. Scottsdale Road Suite 280, Scottsdale, AZ 85251