The sensitive nature of HR master data requires special attention of administrators. The author shows how R/3 can track the HR master data records viewed by a user. He also demonstrates how a user may thwart your efforts to distinguish snoopers from frequent master data users so that you can minimize such efforts.
Key Concept
Dear HR Expert,
Is there a way to tell if a user is “snooping” or just frequently viewing HR master data in R/3? Also, is there a report that shows which user has been viewing which personnel numbers?
Dear HR Expert,
Is there a way to tell if a user is “snooping” or just frequently viewing HR master data in R/3? Also, is there a report that shows which user has been viewing which personnel numbers?
Thanks for the question. Standard SAP report RPUAUD00 audits logged changes in infotype data by user or by personnel number, but it only tracks instances in which an actual data addition, change, or deletion was saved. Your question, however, is looking to go beyond the tracking of actual changes and instead to monitor the viewing of HR master data.
The good news is that R/3 functionality allows you to track the HR master data records that a user accesses, including those viewed but not saved. The bad news is that there are ways that users can reduce the effectiveness of this solution or remove their history altogether, making this tool somewhat less than optimal. I’ll first discuss the solution available and then warn you about the ways users can avoid having their history tracked.
First, here’s the good news. In R/3, the object history table SGOSHIST stores the audit records of a large number of objects accessed by user ID, including access to personnel numbers via HR transactions PA20, PA30, and PA40. The fields stored in table SGOSHIST are described in Table 1. You should note that the history stored in SGOSHIST is limited to the most recent access a user has made to a particular personnel number, and the table does not track the specific infotypes viewed or how long a user viewed them. For example, if you access the same personnel number every day, the audit data stored by SAP only shows the date/time stamp of your most recent viewing of that person’s master data.
| Client |
Client number that houses the data being
audited |
| SAPName |
SAP user ID of the user who has viewed the objects |
| Objkey |
Key for the object that was viewed. In the case of HR master data, this is the personnel number. |
| Objtype |
The technical entry for an object type in SAP's business object repository. For HR master data, the business object type representing a personnel number is BUS1065. |
| Logsys |
Logical system, or unique identifier of the system in your R/3 landscape |
| Time stamp |
Date/time that the record was last viewed, in YYYYMMDDhhmmss format. Time is stored in universal coordinated time (GMT), so to display the time stamp in your local time inan ABAP report, you need to convert the time before you display it. GMT is used for the time stamp to standardize your data if you are auditing users across multiple timezones. |
| Tcode |
Transaction code used to view or display the master data |
|
|
| Table 1 |
Descriptions of fields in table SGOSHIST |
|
Table contents from SGOSHIST can be viewed via table browser transactions such as SE16 or SE17. These transactions allow you to restrict your output by a particular personnel number or user name. If you do not have access to these transactions, the ABAP program code shown in Figure 1 on the next page is an example of a simple custom report created for the purpose of reporting on HR access from table SGOSHIST. This report selects just HR master data objects for output (Figure 2) and adds the name associated with the personnel number that was viewed for audit purposes.
Figure 2
Output screen from custom report on table SGOSHIST
The bad news in this scenario is that each R/3 user has the ability not only to view their own object history, but also to delete their history. Users also can make changes to their own user settings to prevent future history from being tracked in table SGOSHIST. Here’s how this can happen. Users can display their own object history by selecting the standard SAP menu path System>Object history. This provides a pop- up screen showing a listing from table SGOSHIST of objects they have accessed (Figure 3).
Figure 3
Object history pop-up from SAP menu path System>Object history
From this pop-up screen, users can disable tracking of their own object history in table SGOSHIST by clicking on the switch on/off object history icon or by pressing Shift+F1 (switch history tracking off) or Shift+F2 (switch history tracking on). When turning tracking off, users are presented with a validation screen that reminds them that in addition to turning tracking off, all history currently held in SGOSHIST for their user ID is purged (Figure 4). Obviously, the effectiveness of your reporting on this data is reduced by the users’ ability to delete their own history records.
Figure 4
Warning presented when switching object history off
To enable or disable object history tracking for a user, R/3 uses the user parameter SOBJHIST. When a user selects the “switch on/off object history” option, SAP inserts the SOBJHIST user parameter in that user’s own user profile. A parameter value of X is inserted to disable object tracking, while a blank entry in the parameter indicates tracking is active. Users can also change this user parameter if they have access to change their own user profile via transaction SU3.
The final caveat to this is that even if you have prevented your users from accessing their user profile by limiting their security to transaction SU3, they can still use the “switch on/off object history” icon in the System>Object history pop-up screen to toggle the value of the SOBJHIST parameter in their user profile. This means that a user who knows he is being tracked can switch his history tracking off, view HR master data records, and then toggle his history tracking back on.
This solution to the question you posed has its limitations, but hopefully this has shed some light on your ability to track viewing of HR master data by your users.
A.J. Whalen
A.J. Whalen has successfully combined more than two decades of global business expertise with in-depth experience in the strategic development, management, and delivery of large-scale projects and education for SAP ERP HCM. Prior to his current role as SAP Marketing Director at Velocity Technology Solutions, he served as lead consultant for several global SAP implementations and engagements as well as an SAP Conference Producer for Wellesley Information Services. A.J. has been invited to speak at nine annual SAP educational events and holds an MBA degree from the Stern School of Business at New York University.
You may contact the author at whalen.aj@gmail.com.
If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
