In this blog, we'll focus on the possible ways to log and trace user activities in an SAP HCM system: infotype changes, transactions, programs, tables, user activities, ...
This log is used to get the history of the PA infotypes. When you delimit or create a new infotype, the records still exist in the database. But when you modify or delete records, the information is gone. This applies to R/3 activities and ESS/MSS or portal activities.
The solution is to log all the infotype changes with a view of the old and new data.
The customizing can be done for a change on the infotype or at field level.
Remark: Read or Display access is not taken into account in this log. A solution would be a custom enhancement in the infotype user-exit (ZXPADU01 or BADI).
This log is "technically" activated by default at the system level but does not run until the config tables are filled.
Logging infotype changes for objects (e.g. O, S, P, C, K, ...) is also possible. This means that we can trace, for example, object creation or relationship modifications.
Technically this means all data under the HRP* tables.
The same remark applies here as for the PA log.
In specific cases, we want to monitor certain programs: reports that are needed on the system but are "dangerous" because they access tables directly, provide mass processing, etc.
For each logged report, you can decide to trace dialog activities (foreground) or batch activities (background).
By default, roughly a thousand standard reports are in the table but not active. You should also add your critical customer reports there.
In some cases, reports change tables directly. Sometimes we don't know which report or transaction, and which user, modified a table.
It is possible to trace all activities related to a database table using the technical log.
I have faced 2 specific uses of this log:
The user log is very often activated by default on the system. What varies is the logging period. Most of the time, the period is set to the last 3 months.
With this log we can know which program or transaction each user started.
This is a nice way to retrieve the log for one user at a time. Because we have to double-click on each line, and reports and programs are mixed together, it is not really usable as a report.
An alternative would be to create a custom report based on this function module such as this one:
This is a really nice tool to play Big Brother ;)
We used this functionality for the SOX audit and the GRC segregation of duties. In order to decrease the number of conflicts, we used this log for a year, saving the results by user, user group, date (month) and transaction. We did a reengineering of the roles. We grouped the users by type of job/role and compared their accesses, the transactions in the roles, with the transactions that they really used.
This was a long process but with this we solved 95% of the conflicts without impacting (too much) the users and the company processes.
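As an added example (not code from the original post), the comparison described above can be sketched in Python over an exported usage log: for each role, find the transactions that no holder ever started, then recount the SoD conflicts once those are trimmed. The role names, the sample rows and the SoD rule pairs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not from the original post).
# Usage log rows as saved per month: (user, month, transaction)
USAGE = [
    ("ALICE", "2023-01", "PA20"), ("ALICE", "2023-02", "PA30"),
    ("BOB", "2023-01", "PA20"), ("BOB", "2023-03", "PA20"),
    ("CAROL", "2023-02", "PA30"), ("CAROL", "2023-02", "PA40"),
]
# Hypothetical roles, their transactions, and the users holding them
ROLE_TCODES = {
    "Z_HR_ADMIN": {"PA20", "PA30", "PA40", "SE16"},
    "Z_HR_DISPLAY": {"PA20", "PA30"},
}
USER_ROLES = {"ALICE": {"Z_HR_ADMIN"}, "CAROL": {"Z_HR_ADMIN"},
              "BOB": {"Z_HR_DISPLAY"}}
# Constructed SoD rules: transaction pairs one user should not hold together
SOD_RULES = [("PA30", "SE16"), ("PA40", "SE16")]

def used_by_user(usage):
    """Collapse the monthly log into user -> set of transactions started."""
    used = defaultdict(set)
    for user, _month, tcode in usage:
        used[user].add(tcode)
    return used

def unused_per_role(role_tcodes, user_roles, usage):
    """Transactions in each role that no holder of that role ever started."""
    used = used_by_user(usage)
    result = {}
    for role, tcodes in role_tcodes.items():
        holders = [u for u, roles in user_roles.items() if role in roles]
        result[role] = tcodes - set().union(*(used[u] for u in holders))
    return result

def trimmed_roles(role_tcodes, user_roles, usage):
    """Role content after removing the transactions nobody used."""
    unused = unused_per_role(role_tcodes, user_roles, usage)
    return {role: tcodes - unused[role] for role, tcodes in role_tcodes.items()}

def conflicts(role_tcodes, user_roles, rules):
    """SoD conflicts as sorted (user, tcode_a, tcode_b) from assigned access."""
    found = []
    for user, roles in user_roles.items():
        access = set().union(*(role_tcodes[r] for r in roles))
        found += [(user, a, b) for a, b in rules if a in access and b in access]
    return sorted(found)

if __name__ == "__main__":
    print("before:", conflicts(ROLE_TCODES, USER_ROLES, SOD_RULES))
    slim = trimmed_roles(ROLE_TCODES, USER_ROLES, USAGE)
    print("after: ", conflicts(slim, USER_ROLES, SOD_RULES))
```

Trimming only removes access that the log shows as unused over the observation period, so a short logging window can hide transactions that are needed once a year.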