-
SAP Note
Header Data
Symptom
ATENTION! THIS NOTE IS AN ENGLISH VERSION OF NOTE 394999. The
regulation of security measures for electronic files that contain
personal data, approved by the Real decreto 994/1999 from June 11
and published by the BOE on June 25, 1999 demands in its CHAPTER IV
(High- level measures), Article 24, the registration of access to
data classified as high-level data. The RRHH module for R/3 Spain
stores a series of high-level data, such as the degree of handicap
of the employee, which is why it is necessary to implement a
mechanism of registration of access to these data which complies
with the Article 24 of the mentioned regulation:
l "From each access will be kept, at least, the identification
of theuser, the date and time at which the access has taken place,
the file that was accessed, the type of access and whether it was
granted or denied.
l In case the access has been granted, it will be necessary to
keep the information that permits to identify the accessed
record.
l The mechanisms that allow to register the data specified in
the previous paragraphs will be under direct control of the person
responsible for security, and it won't be allowed under any
circumstances to deactivate them.
l The minimum record keeping period will be two years.
l The assigned responsible for security will be in charge of
reviewing the registered control information and elaborating a
report of the performed revisions and the detected problems at
least once a month."
The implementation time for these measures is of two years
counting from the promulgation of aforementioned regulation for
high-level data, which means that the time ends on June 25, 2001.
SAP delivers the functionality of accessing protected data by means
of HR SP ES18.1. Consult Note 115907 in which the actual
availability date of this HR SP is indicated. At present SAP
considers that the following data stored in the system are
high-level data, even though there always is some margin for
interpretation. In the description of the solution it is described
how to add/remove fields in the registration system by means of
parametrization:
High-level data stored in infotypes:
P0004-SBPRO: Degree of handicap of the employee from infotype
004 P0057-UFUNC: Union to which the employee is affiliated
P0062-FAMNU: Degree of handicap of the employee from infotype 0062
Q0021-MINSV: Degree of handicap of a family member of the employee
from infotype 0021 Q0061-IDSEG: Contract key from infotype 0061.
This information carries indirect information about handicap of an
employee if it has a contract key assigned which is specific for
handicapped Q0062-NDM33: Degree of handicap of a family member from
infotype 0062, visible when displaying the screen with the
breakdown of family members relevant for IRPF. Q0062-NDM65: ditto
Q0062-NDM33. Q0480-IDSEG: Contract key from infotype 0016 starting
from version 4.5 for the same reason explained for Q0061-IDSEG
P2001-AWART: Type of absence from infotype 2001, one can infer
information related to the employee's health and data about the
work absence profile of the employee Attention: To record accesses
to IT 2001 it is necessary to implement customer code and the user
exit for infotypes indicated in the section "Description of the
solution". P0008-LGART: The infotype 008 could contain wage types
where one could infer high-level data. To record the access to
these wage types it is necessary to implement the record in the
user exit for infotype customer as described in the section
"Description of the solution". P0015-LGART: see description of
P0008-LGART P0014-LGART: see description of P0008-LGART
1109725 - CONSULT.: Registration of access to high-level
data
Version 4 Validity: 02.03.2009 - active Language English
Released On 02.03.2009 21:45:20 Release Status Released for
Customer Component PA-PA-ES Spain
PY-ES Spain
Priority Correction with high priority Category Consulting
Other Components
-
High-level data stored in TemSe files
The access will only be recorded if the records are listed
explicitly by pressing the corresponding button or double-clicking
the initial unstructured list. The system deletes the high-level
data from the initial list to avoid having to keep access record
for the simple act of viewing the list, from which usually one does
not extract specific information for this kind of field. Warning:
The massive visualization of TemSe records such as the type 2
records from model 190 causes a massive access recording, and in
case of the model 190 3 entries per each record. PES1909902-DISCA:
Viewing of TemSe files with data for the model 190, degree of
handicap of the employee. Formats for regions 51, 52 and 99
PES1909902-DIS_65: ditto PES1900002-DISCA, for the degree of
handicap of a descendent of an employee PES1909902-DIS_100: ditto
PES1900002-DIS_65 PES1909902-AS_DIS65: ditto PES1909902 but for the
degree of handicap of an ascendent of the employee
PES1909902-AS_DIS100: ditto PES1909902-AS_DIS65 PES1909902-DISCA:
Viewing of TemSe files with data for the model 190, degree of
handicap of the employee. Formats for regions 01, 20, 31 and 48
PES1900002-DIS_65: ditto PES1900002-DISCA but for the degree of
handicap of a descendent of an employee. Formats for regions 01,
20, 31 and 48 PES1900002-DIS_100: ditto PES1900002-DIS_65.
PESREDDAT-CONTRATO: Social Security contract key in FAN or AFI
file. This field has the following particularity: The DAT records
that carry the information of the contract by employee are listed
separately from the TRA records that identify the employee, which
is why it is impossible to relate the visualized contract with the
employee, unless the file contains one or a few employees. At
present it is recorded that one user has viewed the DAT record
list, without specifying to which employee they correspond.
Data stored in the payroll results cluster
The viewing of data in the payroll results cluster can also be
considered an access to high-level data, in case the contract key
is stored in the SV table, or the handicap degree of the employee
is stored in the table ST. The version delivered in the HR SP
ES18.1 however does not cover the recording of these data, but by
implementing the correction n 12 from Note 0375597 you can obtain
this functionality, except for version 4.6C which will be delivered
in HR SP ES19. The fields which are considered as high-level in the
standard parametrization are the following ones: PC225-PESOC:
Social Security contract key in table SV PC226-FAMNU: degree of
handicap of the employee saved in ST table PC207-LGART: When
viewing the table RT one could infer information regarding the
payment of union fees. In the standard, an entry for PC207-LGART in
table T5EL4 has been included, which triggers an access recording
for this kind of data when one views them in table RT. ATTENTION:
From HR SP ES21 also the reading of payroll results done by
programs RPCEDTE0 (payroll receipt), RPCKTOE0 and RPCLJNE0 is
recorded. Due to the fact that most clients are not interested in
recording access to payroll results because of the high number of
records this entails, the entry in table T5EL4 corresponding to
field PC207-LGART will be ELIMINATED. If you wish to record this
kind of access you will need to restore this entry using the view
V_T5EL4. Access to high-level data by means of transactions SE16 or
SM30
In case a user has authorization to use transaction SE16 in a
productive system, he or she will be able to view to content of any
table in the database, in particular the tables PAxxxx which
contain the data related to infotypes. It is not planned to deliver
a system for recording accesses to data through transaction SE16,
since no user should have access to this transaction in a
productive system. Thus, it is necessary to revise the
authorization profiles to discard the possibility to access
high-level data via SE16. There is no standard view where one could
view high-level data by means of transaction SM30. It is
recommended to check the system to eliminate the possibility that
customer views exist which allow this access and block or delete
them if they exist. The solution available until HR SP ES22 does
not allow the recording of attempts to access high-level data.
Starting with HR SP ES22 a new user exit will be available in the
infotype authorization system which will allow you to make this
kind of recording.
Other Terms
&LOPD, LPD, LORTAD
-
Reason and Prerequisites
Legal Change, Ley Orgnica 15/99, Real Decreto 994/1999,
Solution
Innovations
1. 16/10/2002: Paragraph 12 in section "Steps to follow during
implementation of new functionality" has been created, where it is
described how to archive the access records, avoiding the
uncontrolled volume increase in table T5EL1.
2. 16/10/2002: Changes introduced with HR SP ES22
a) Starting with HR SP ES22 the program for management and
viewing of access records (RPULORE0)offers the possibility of
selecting access records by company to which the employee whose
data have been accessed belongs to. The use of this option may
decrease significantly the performance of the record viewing,
because the process of determining the company based on the
employee's NIF is relatively slow.
b) In addition, there is the possibility of deleting redundant
records, where a record is considered as redundant when recorded
only a fixed number of seconds after a first identical one.
c) Paragraph 11 in section "Steps to follow to implement new
functionality" has been created, with the description of the steps
to follow in order to record access attempts denied by the
authorization control in transactions PAxx and to record access to
infotypes not covered by the standard mechanism (for example
0008,0014 and 2001).
d) Paragraph 13 in section 'Steps to follow to implement the new
functionality' has been created, and explains the possibility of
establishing an authorization control specific for the execution of
the record management program RPULORE0.
3. 08/2003: Changes introduced with HR SP ES23
a) The key of the table T5EL1 has been expanded, incorporating
the field MODNO (system R/3, external mode index) in which the
number of the mode the user is using is stored, considerably
reducing the possibility of blocks and waiting times due to shared
resources from T5EL3 and T5EL1. This field can be viewed by means
of the list run by program RPULORE0, in its third column.
Steps to follow to implement new functionality
1. Load HR SP ES18.1. By loading this HR SP the system for
access recording is automatically active, saved in infotype 0004
(Handicaps) which requires an additional parametrization process
described later in this document.
2. Perform an access to infotype 0062 in which the employee's
handicap field (P0061-FAMNU) has not been hidden, by means of table
T588M.
3. Execute program RPULORE0, Display option, with the Test
checkbox selected. Make sure that an entry has been listed for your
user, with date and time of the access to the logical file 001 =
Degree of handicap of the employee.
4. Hide field P0061-FAMNU by means of table T588M, access
infotype 0062 and make sure that no access record for this field
has been registered in program RPULORE0. Repeat this procedure for
infotypes 0016 (from 4.5B) 0021 (dynpro 2004), 0057 (dynpro 2004)
and 0061.
5. Activate feature P0004 and copy the entry for the variable
key 04 from table T588M which is delivered in client 000, so that
the new dynpro 2004 is used for infotype 0004.
6. Generate a file for model 190 (program RPC190E0) and display
the type 2 records in this file. Check with program RPULORE0 that a
record has been created for the logical file 0001 = degree of
handicap of the employee and 0002 = degree of handicap of a family
member for each type 2 record that has been displayed.
7. If you have developed ABAP Queries that include any
high-level data fields, it will be necessary to modify the
functional area adding the following ABAP code in the event 'Phrase
treatment' for infotype Pnnnn and field xxxx:
loop at Pnnnn where begda le pn-endda and endda ge pn-begda.
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_STRUC' EXPORTING
p_struc_field = 'Pnnnn-xxxx' p_pernr = pnnnn-pernr EXCEPTIONS ERROR
= 1 OTHERS= 2. IF SY-SUBRC 0. ENDIF. endloop. * commit
work."[Opcional]
The record will only be produced if the combination field/table
Pnnnn/xxxx is kept in table T5EL4 (view V_T5EL4) with its
corresponding assignment to a logical file.
-
If you need to record access to a field which is not maintained
in this table, you can maintain the combination field/table
whenever the name of the table starts with Z. If that is not the
case, it is recommended to use the following ABAP code instead of
making an entry in table T5EL4 which violates the entry range of
SAP:
Version 3.1I loop at Pnnnn where begda le pn/endda and endda ge
pn/begda. CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC' EXPORTING
p_ficid = 'mmmm' p_pernr = pnnnn-pernr EXCEPTIONS ERROR = 1 OTHERS=
2. IF SY-SUBRC 0. ENDIF. endloop. * commit work."[Optional]
Versions higher than 3.1I loop at Pnnnn where begda le pn-endda and
endda ge pn-begda. CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC'
EXPORTING p_ficid = 'mmmm' p_pernr = pnnnn-pernr EXCEPTIONS ERROR =
1 OTHERS= 2. IF SY-SUBRC 0. ENDIF. endloop. * commit
work."[Optional] where mmmm is the logical file identifier
according to table T5EL2 (View V_T5EL2) provided by SAP. If you
don't find an adequate identifier for the data to which you want to
record the access, you can create customer identifiers as long as
they start with 9.
If you use a functional area that contains more than one
infotype with high-level data with queries that access only a
subset of these infotypes, a syntax error is produced due to the
use of table Pnnnn, where Pnnnn is the infotype that doesn't use
this query in particular.
In these cases it is necessary to use a more complex ABAP
code:
... data: begin of tab_infotypes occurs 0, name(7), FICID LIKE
T5EL2-FICID, end of tab_infotypes. field-symbols: type table, , , ,
. refresh tab_infotypes. TAB_INFOTYPES-NAME = 'PNNNN[]'."PNNNN es
p.e. P0061 TAB_INFOTYPES-FICID = 'aaaa'."aaaa = identifier as per
T5EL2 append tab_infotypes. TAB_INFOTYPES-NAME = 'PMMMM[]'."PMMMM[
es p.e. P0062 TAB_INFOTYPES-FICID = 'bbbb'. "bbbb = identifier as
per T5EL2 append tab_infotypes. ....Repeat for each one of the
existing infotypes loop at tab_infotypes. assign
(tab_infotypes-name) to . check sy-subrc is initial. CLEAR
TAB_INFOTYPES-NAME+5(2). assign (tab_infotypes-name) to . check
sy-subrc is initial. loop at into . assign component 'BEGDA' of
structure to . if sy-subrc ne 0. exit. endif. assign component
'ENDDA' of structure to . if sy-subrc ne 0. exit. endif. check le
pn-endda and ge pn-begda. assign component 'PERNR' of structure to
. if sy-subrc ne 0. exit. endif. call function
'HR_ES_PRODA_REG_DAT_METO_DIREC' exporting P_FICID
=TAB_INFOTYPES-FICID p_pernr = exceptions error = 1 others= 2. if
sy-subrc 0. endif.
-
endloop. * commit work."[Optional]
For those queries that may demand a substantial execution time,
it is recommended to uncomment the commit work line to make it
possible to free shared resources, more specifically from table
T5EL3 that could cause a time out error as a process waits until a
shared resouce is released by the other process. This line is
highly prohibitive for payroll executions since it eliminates the
LUW which is being processed and can cause data loss as a Rollback
becomes impossible.
To use this line or not is a decision to be made by the query
programmer. In any case it must be clear that it is a very serious
line if any update is being done in the BD and that it disrupts the
LUW (Logical Unit Work), as already mentioned, and eliminates any
Rollback mechanism.
8. If you have developed reports in ABAP that access high-level
data, you should modify the code to record the display of these
data using the function modules already mentioned.
9. If you have developed customer infotypes with high-level
data, it is also necessary to adapt their data taking as an example
the module PBO reg_proda from infotype 0061 (include MP006120).
10. Deactivation of access recording:
Use view V_T5EL4 to add/delete entries that cause the recording
of certain fields. If you wish to deactivate the recording of
display of DAT segments, it suffices to delete the entry in table
PESREDDAT, field CONTRACT. Note that you can only manage the
recording of data which are saved by means of the function module
HR_ES_PRODA_REG_DAT_METO_STRUC, the records which are kept by
indicating directly the logical file identifier (module
HR_ES_PRODA_REG_DAT_METO_DIREC) cannot be deactivated by
parametrization. The standard does not use this module, that is,
all records can be deactivated. Since the entries are in SAP range,
you must check the status of table T5EL4 after each HR SP in case
you have modified it.
The entries in table T5EL4 will only have effect on the
infotypes/ dynpros prepared for that effect, which currently are
the following: infotipodynpro 00042004, 3004 (from ES19) 00212004
00572004, 3004 (from ES19) 00612000, 3004 (from ES19) 00622000
11. Access recording to high-level data in standard infotypes by
means of central authorizations user exit in transactions PAxx
In the following HR SP a new user exit has been delivered, which
is called up during the authorization control executed by the
infotype management transactions PAxx:
3.1ISAPKE31B0
4.0BSAPKE40A2
4.5BSAPKE4586
4.6BSAPKE4668
4.6CSAPKE4659
4.70SAPKE4704
This user exit can be used to record the access ATTEMPTS denied
by the system due to lack of authorization of the user to display
or modify an infotype record and to record access to infotypes
which are not covered by the standard, such as IT 0014, 0008 and
2001.
A peculiarity of the records performed by this user exit is that
it is possible to produce multiple records for one infotype access,
since the authorization control is called up several times during
this process. To avoid these records which are in principle
redundant, the access records management program (RPULORE0) offers
from HR SP ES22 the possibility to eliminate identical records when
the recording time (fieldsAS4DATE, AS4TIME) does not exceed a limit
expressed in seconds in the selection screen of program
RPULORE0.
Once HR SP ES22 is loaded it is possible to implement the
recording of access attempts by performing the following steps:
Versions up until 4.6B:
a) Use transaction CMOD to create a project for user exits for
infotypes if you still haven't created a project which contains the
extension PBAS0004 and assign this extension to it.
b) Navigate to component exit_sapfp50p_001 and then to include
zxpadu04 which you have to create if it doesn't exist. Then insert
the following code:
data: l_ioper like psyst-ioper,
-
l_infty_name(5) type c,
wa_i0008 like p0008,
i0008 like p0008 occurs 0 with header line,
lgaxx(5) type c value 'LGAxx',
xx(2) type n.
field-symbols: like i0008-lga01.
if rcode is initial. "Si el usuario no tiene autorizacin de
acceso
case level.
when 'W'."Write
L_IOPER = 'MOD'.
when 'R'."Read
L_IOPER = 'DIS'.
when others.
L_IOPER = 'DIS'.
endcase.
CONCATENATE 'P' INFTY INTO L_INFTY_NAME.
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_STRUC'
EXPORTING
P_STRUC_NAME= L_INFTY_NAME
P_PERNR = PERNR
P_IOPER = L_IOPER
P_AUTOR = 'N'
EXCEPTIONS
ERROR = 1
OTHERS= 2.
endif.
Versions from 4.6C:
a) Use transaction SE19 to create an implementation of the BAdI
HRPAD00AUTH_RECORD.
b) Insert the code that follows for the method
RECORD_AUTH_RESULTS
...
data: l_ioper type psyst-ioper,
l_infty_name(5) type c,
wa_i0008 type p0008,
i0008 type table of p0008,
lgaxx(5) type c value 'LGAxx',
xx(2) type n.
field-symbols: type p0008-lga01.
-
case level.
when 'W'."Write
L_IOPER = 'MOD'.
when 'R'."Read
L_IOPER = 'DIS'.
when others.
L_IOPER = 'DIS'.
endcase.
if rcode is initial. "If the user does not have access
authorization
CONCATENATE 'P' INFTY INTO L_INFTY_NAME.
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_STRUC'
EXPORTING
P_STRUC_NAME= L_INFTY_NAME
P_PERNR = PERNR
P_IOPER = L_IOPER
P_AUTOR = 'N'
EXCEPTIONS
ERROR = 1
OTHERS= 2.
endif.
In addition you must indicate in table T5EL4 the infotypes for
which you want to record the access attempts performing entries in
the following structure:
|STRUC| FIELD|ENDDA |BEGDA |FIPER|FIPID|FICID|
|Pnnnn| *|31.12. 9999|01.01.1900| | |xxxx |
where nnnn is the infotype for which the access attempt shall be
recorded and xxxx in the identification of the logic file according
to T5EL2
These entries are not delivered in the standard, but if you are
implementing the recording of access attempts it is recommended to
make the following entries using transaction SM30 and view
V_T5EL4
|P0004| * |31.12.9999|01.01.1900|||0001|
|P0021| * |31.12.9999|01.01.1900|||0002|
|P0061| * |31.12.9999|01.01.1900|||0004|
|P0062| * |31.12.9999|01.01.1900|||0001|
|P0057| * |31.12.9999|01.01.1900|||0003|
Infotypes 0008, 0014, 2001 have not been modified to record
access to high-level data, however it is possible to record this
access by means of implementing the following code in the new user
exit or access control BAdI.
Include the following code in the include zxpadu04 (versions up
until
46B) or in the implementation of BAdI HRPAD00AUTH_RECORD
(versions from 4.6C). Having included the code in the previous
section in order to record access attempts is a prerequisite.
-
if rcode = 'X'. "If the user has access to accede to IT
case infty.
when '0008'.
CALL FUNCTION 'HR_READ_INFOTYPE'
EXPORTING
PERNR= PERNR
INFTY= INFTY
BEGDA= BEGDA
ENDDA= ENDDA
TABLES
INFTY_TAB = I0008
EXCEPTIONS
INFTY_NOT_FOUND = 1
OTHERS= 2.
loop at i0008 into wa_i0008.
clear xx.
do.
add 1 to xx.
lgaxx+3(2) = xx.
ASSIGN COMPONENT LGAXX OF STRUCTURE wa_i0008 TO .
if sy-subrc ne 0.
exit.
endif.
IF = 'NNNN'. "'NNNN' is the high-level wage type
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC'
EXPORTING
P_PERNR= PERNR
P_FICID= 'xxxx' "xxxx file as per T5El4
EXCEPTIONS
ERROR= 1
OTHERS= 2.
IF SY-SUBRC 0.
ENDIF.
ENDIF.
ENDDO.
endloop.
-
when '0014'.
if subty = 'NNNN'." 'NNNN' is the wage type
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC'
EXPORTING
P_PERNR= pernr
P_FICID= 'xxxx' " xxxx file as per T5El4
P_IOPER= l_ioper
EXCEPTIONS
ERROR = 1
OTHERS= 2.
IF SY-SUBRC 0.
ENDIF.
endif.
when '0015'.
if subty = 'NNNN'. " 'NNNN' is the high-level wage type
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC'
EXPORTING
P_PERNR = pernr
P_FICID= 'xxxx' " xxxx file as per T5El4
P_IOPER = l_ioper
EXCEPTIONS
ERROR= 1
OTHERS= 2.
IF SY-SUBRC 0.
ENDIF.
endif.
when '2001'.
if subty = 'NNNN'. " 'NNNN' is the high-level wage type
CALL FUNCTION 'HR_ES_PRODA_REG_DAT_METO_DIREC'
EXPORTING
P_PERNR = pernr
P_FICID= 'xxxx' " xxxx file as per T5El4
P_IOPER = L_ioper
EXCEPTIONS
ERROR= 1
OTHERS= 2.
IF SY-SUBRC 0.
ENDIF.
endif.
-
endcase.
endif.
12. File of high-level data access records
The volume of data stored on table T5EL1 is very significant and
can affect the performance of the processes that record or store
access records. The record management program offers the
possibility to delete recors from the database, however the law
demands that the records are kept for two years, which can imply a
critical volume for some installations. In this case it is
recommended to list the existing records up to the moment and file
the generated list. This can be done by choosing the "File" option
in the printing dialog of the list (field ARTXT). Once the list is
filed you can delete the filed records by means of the option given
by program RPULORE0.
13. Authorization object for program RPULORE0
From HR SP ES22 the record management program controls if the
user has the authorization for the object S_APPL_LOG for fields
ALG_OBJECT = HRES, ALG_SUBOBJ = PRODA y ACTVT = 03 (display) or 06
(record editing).
Technical description of the solution
A set of database tables has been created to record the access
to high protection data and a program to evaluate these records.
Each access is recorded in table T5EL1, which has the following
fields: MANDT (key) : Client AS4USER(key): R/3 user NUREG (key) :
Number of recorded access FICID : Identifier of logic file accessed
AS4DATE : Access date AS4TIME : Access time TIACC : Access type
(display or copy 'V', change 'M', insertion 'C', deletion 'B')
TIREC : Type of access record (denied attempt 'N', or successful
access 'A'), this field has been included with HR ES22. In table
T5EL2 you can find the logic file identifiers with its
corresponding explanatory text, for example the identifier '0001'
'Degree of handicap of the employee'. The fields in this table are:
MANDT (key) : Client FICID (key) : Logic file identifier TEXTO :
Description of the identifier Table T5EL3 has also been cerated,
which contains the number of the last recorded access for a
specific user, with the intent to obtain a quick update of table
T5EL1 without having to determine the next record number by means
of a costly reading of the table. Table T5EL3 owes its existence
exclusively to technical reasons and does not contain data directly
related to the recording of high protection degree data. Finally
table T5EL4 has been created, which allows you to identify the
fields of structures or tables from the dictionary that are
considered high protection data and that will trigger a record in
table T5EL1 when accessed. The record of the access will only be
produced in those programs which have especially been modified for
that (infotype modulpools, TemSe file viewers, evaluation
programs). The structure of table T5EL4 is as follows: MANDT (key)
: Client STRUC (key) : Name of structure, for example P0061 FIELD
(key) : Name of field, for example FAMNU ENDDA (key) : Validity end
date BEGDA : Validity start date FIPER : Name of the structure
field indicated in field STRUC from which the personnel number of
the accessed employee can be extracted, for example PERN (from
structure P0061) FIPID : Analogous to field FIPER but for document
number FICID : Logic file identifier
Report RPULORE0
This report allows the evaluation of the generated records, by
user and in a given timeframe. Basically the data stored in table
T5EL1 are listed and combined with the explanatory text for each
logic file identifier indicated in table T5EL2. Additionaly this
program offers the possibility to delete from table T5EL1 data for
which the record keeping time has expired (currently after two
years). If you wish to delete data that are less than two years old
it is recommended to follow the instructions in paragraph 12 of the
previous section. This program should be used when there are
sinchronization problems between tables T5EL1 and T5EL3, by
selecting the reorganization option. If there is no need to
reorganize these tables, the program will indicate it with the
corresponding message by each user. From HR SP ES22 the display and
management program for access records (RPULORE0) offers the
possibility to select access records by Company to which the
employee whose data have been accessed belongs. The use of this
function may reduce considerably the performance of the data
displaying because the process of determining the company from the
employee's NIF is relatively slow. Finally, there is the
possibility to delete redundant records, where redundant record is
understood as a record identical to a previous one, which was
recorded a fixed number of seconds after the first one. If you wish
to perfom this data compression, select the corresponding option
and indicate the number of seconds for the interval. A record will
be considered redundant if it is identical to a previous one and
was recorded inside this interval after the previous one.
-
Validity
This document is not restricted to a software component or
software component version
References
This document refers to:
SAP Notes
This document is referenced by:
SAP Notes (4)
1576799 EHSM Incident Management non compliance to ROYAL DECREE
994 1101223 CONSULT.: LOPD - Reuse of Functions for
Qualifications-Exit
394999 CONSULT.: Registro de acceso a datos de nivel alto
394999 CONSULT.: Registro de acceso a datos de nivel alto
1576799 EHSM Incident Management non compliance to ROYAL DECREE 994
1101223 CONSULT.: LOPD - Reuse of Functions for Qualifications-Exit
1796452 LOPD:New'Creacin'actiontype
