Data Privacy and Protection for SAP

Data Privacy and Protection for SAP

Data Privacy and Protection for SAP is SAP Analytics Cloud application designed for all SAP customers for monitoring and reporting on access to sensitive data. Solution provides easy to use visualizations, dashboards and detailed reports for data access. Solution can easily guide you to the information who had accessed a given sensitive information /e.g. payroll/.


  • Data usage monitoring for your SAP system.
  • Automated reporting and alerting triggered by users accessing sensitive data.
  • Single approach covering SAP systems (access through SAP-GUI, RFC, WS (SAP ECC6, CRM, SAP S/4HANA).
  • Incident management and alerting - validation and monitoring of data usage.
  • Data usage overview dashboard and detail reports.


  • On-line and immediate information on data accessed by your SAP Users.
  • All SAP systems covered out-of the box.
  • Automatic identification of non-standard data access.
  • Monitoring and identification of potential fraud behavior.
  • Significant improvement for internal audit processes.

Solution scope

Solution is utilizing Read Access Logs from SAP ERP 6.0 and SAP S/4HANA which are enriched by additional data, translated to user language and transferred to SAP Analytics Cloud for reporting. Solution includes automatic log aggregation and translation feature, so log tables in primary systems are periodically cleaned. The architecture is prepared to include log information from all SAP solutions and thus solution can serve as one-stop shop for all information with regard to sensitive data access. Based on customer decision log data can be only stored on-site and visualized through SAP Analytics Cloud (real time access, no transfer of data to cloud) or fully transferred to SAP Cloud Platform.

Data access monitoring process

Data access logs are uploaded from primary system, each transaction is marked with a data sensitivity level, logs are also enriched by information such as user full name, user department etc. All information about the access to sensitive data are afterwards visualized utilizing SAP Analytics Cloud frontend.

From the top overview dashboard, user can access also deeper analysis, where data access can be analyzed from the perspective of:

  • Sensitive data area
  • User department
  • User role
  • Access time (working / non working hours)
  • Expected / unexpected level of usage

While for each particular usage of data, user can easily find out the full detailed information by simple double-click of filter (e.g by user full name)

Scope of services in delivery

The scope of Data Privacy and Protection for SAP is defined by SAP modules that are subject to Read Access Logging. During initial analysis, the existing standard and Z transactions is SAP ERP 6.0 or SAP S/4HANA are analysed. The transactions that are showing sensitive data to users are identified and catalogued into data severity levels.

In solution implementation as the first topic Read Access Logging functionality is enabled on SAP system for all transactions identified in the analysis phase. For log data extraction O-Data service is deployed (part of Data Privacy and Protection for SAP standard content). This service is also translating the log and acting as filter for data which should not be visible in final reports. As second prerequisite the standard data model is deployed in HANA / SAP Cloud Platform (standard data model is part of Data Privacy and Protection for SAP standard content). The third and final component of implementation is the deployment of standard reporting model in SAP Analytics Cloud for Data Privacy and Protection.

Testing phase is initiated with full key user training on the platform operation. Solution documentation is delivered together with the solution training. In testing Phase log data are evaluated based on testing transactions. Potential changes to RAL setup and O-Data service setup can be implemented.

In the Go-Live preparation the full log history from RAL activation is loaded into solution and solution handover to support at customer level is executed.

Scope constraints:

  • The described activation of content is limited to SAP ERP 6.0 or SAP S4/HANA.
  • After the initial content activation other sources of logs can be added in solution.
  • Adding SAP Business Warehouse, yCommerce, yMarketing and SAP Success Factors is handled within a simplified service delivery, duration 3-4 weeks per listed system.