SAP Knowledge Base Article - Public

2921353 - How to Generate Read Audit Report

Symptom

  • What is Read Audit?
  • Setting Up Read Audit.
  • How to Enable Read Audit?
  • How to Generate Read Audit Report?
  • How long is Read Audit data retained?
  • What is the expected time to generate the report?

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP SuccessFactors HCM Suite

Resolution

Read Audit

Read auditing capabilities enable you to track access to sensitive personal data.

Companies store a wide range of personal data about people, from the basic information (such as name and date of birth) to the potentially sensitive information (such as national ID or ethnicity). Your data protection and privacy policy may require you to keep track of who has accessed sensitive personal data.

SAP SuccessFactors provides a read audit function that enables you to determine who has accessed the sensitive personal data of employees or external candidates at your company.

Note: Not all personal data, nor all personally identifiable information, is necessarily considered sensitive. Read auditing is only available for a small number of records that we've identified as sensitive.

    

Setting Up Read Audit

Set up the read audit function so that you can track access to sensitive personal data.

Also, configure read audit in each module and allow read access logging for the Sensitive Personal Data (SPD) fields.

Prerequisites

With the 1H 2020 release, read audit reporting is enabled by default in all Preview and Production systems, in all data centers.

Procedure

  • Enable the read audit function in Admin Center.
  • Add user exceptions for technical user accounts, such as API users, so that they are excluded from read audit logs and read audit reports.

Tip: To avoid unnecessary impacts to system performance and prevent large amounts of irrelevant information in read audit reports, exclude API users that regularly process large amounts of data and don't correspond to a real person.

   

Enabling Read Audit

Enable read audit logging so that authorized users can create audit reports tracking read access to sensitive personal data.

Prerequisites

You have the following role-based permissions:

  • View Read and Change Audit Configuration
  • Edit Read and Change Audit Configuration
  • Generate Read Audit Reports

Procedure

  1. Go to Admin Center > Manage Audit Configuration.
  2. On the Read Audit tab, switch on the Read Access Logging option.
  3. Choose Save.
  4. You get a message telling you that the activation process has started. It usually takes about 24 hours.
  5. Come back to Manage Audit Configuration later to verify that the toggle switch is enabled. If so, it means that the process is complete.
  6. If you use Onboarding 1.0, also go to Onboarding 1.0 > Settings > Features > Data Protection and Privacy and click Activate to enable Read Audit.

Allowing Sensitive Personal Data (SPD) fields:

  1. Go to Admin Center > Manage Audit Configuration > Read Audit.
  2. On the Manage Audit Configuration page for read audit, choose View Details in the Allowable Sensitive Personal Data Fields section.

    A list of fields that can be configured as sensitive personal data fields displays. You can see a green tick after the fields already configured as sensitive.

  3. Review the quota and already configured sensitive personal data fields and decide which ones to configure as sensitive in the next step. Use the table below to find the detailed configuration tasks for your module.
    To configure sensitive fields for... / Follow this task:

    • User Management
        • For system administrators: Configuring Read Audit in Business Configuration UI
        • For company provisioners: Configuring Read Audit in Succession Data Model
    • Compensation: Configuring Read Audit in Compensation
    • Employee Central
        • For MDF-based objects: Configuring Read Audit in the Metadata Framework (MDF)
        • For HRIS fields: Configuring Read Audit in Business Configuration UI
        • For Global Benefit: Configuring Read Audit in Global Benefits
        • For Payment Information objects: Configuring Read Audit for Payment Information
    • Employee Profile
        • For system administrators: Configuring Read Audit in Business Configuration UI
        • For company provisioners: Configuring Read Audit in Succession Data Model
    • Onboarding: Configuring Field Objects for Read Audit in Onboarding
    • Onboarding 1.0: Configuring Read Audit for Fields in Onboarding 1.0
    • Recruiting: Important Considerations for Configuring Sensitive Fields in Recruiting

  4. Choose Go to Configuration Page and configure the sensitive personal data fields for each module.
  5. When you finish, choose Reload to update the configuration status for the list.

      

Creating a Read Audit Report

Create a read audit report to see who has accessed sensitive personal data about a given person.

Prerequisites

  • Read audit is enabled in your system.
  • You have Generate Read Audit Reports permission.

    

Procedure

1.  Go to Admin Center > Read Audit Reports > Create Read Audit Report.

2.  Select the type of user you want to create a report for.

Note: You can create a read audit report for up to 10 users.

  • For an individual employee, a group of employees*, or an onboardee in Onboarding 2.0, choose Person Search.
  • For an external candidate for jobs at your company, choose External Candidate Search.
  • For a new hire onboardee in Onboarding 1.0, choose Onboardee Search.

A dialog opens where you can configure the report settings.

3.  Specify the person you want to report on.

  • For the Person Search, you have two choices:
    • To see who has accessed sensitive personal data about a specified person, select Read On Subject User and use the Person search to specify the employee.
    • To see whose sensitive personal data a specified person has accessed, select Read By User/Data Operator and use the Person search to choose the employee.
  • For the External Candidate Search, use the External Candidate search to specify the candidate.
  • For the Onboardee Search, use the Onboardee search to specify the new hire in Onboarding 1.0.

*3.1 Define the target group you want to include in the report:

To select multiple users, you must use Person Search. When specifying the person:

  • Click on the right corner of the users' field.
  • A new tab opens; expand 'Advanced Search Options'.
  • Fill in the desired criteria to define the group of employees (for example, a specific region in the location field and the desired department in the corresponding field), then press Search.
  • You can select some or all users inside the defined group.

     

4.   Select the modules and functional areas you want to include in the search.

Note: To optimize system performance, limit your search to only the required data. The more modules you choose, the longer the report takes to compile.

5.   Configure the time range you want to report on, up to a maximum of 31 days (from the 2H 2024 release on, the maximum is 31 days instead of 30 days).

Remember: Audit reports cover a maximum time range of 31 days. If you want to audit a longer period of time, create multiple reports. 

6.    Submit the request to generate a report.
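
For an investigation that spans more than 31 days or more than 10 users, the limits above mean several report requests are needed. The following planner is an added example, not SAP code: it splits a period and a user list into the individual requests to submit in the UI. The function names, the sample user IDs, and the assumption that the 31-day limit is counted in inclusive calendar days are illustrative.

```python
from datetime import date, timedelta
from itertools import product

MAX_DAYS_PER_REPORT = 31    # limit stated in this article (2H 2024 release on)
MAX_USERS_PER_REPORT = 10   # limit stated in this article


def split_windows(start, end, max_days=MAX_DAYS_PER_REPORT):
    """Split [start, end] into consecutive, non-overlapping windows.

    Assumption: both boundary dates are inclusive, so a window from the
    1st to the 31st of a month counts as 31 days.
    """
    if end < start:
        raise ValueError("end date precedes start date")
    windows, cursor = [], start
    while cursor <= end:
        last = min(cursor + timedelta(days=max_days - 1), end)
        windows.append((cursor, last))
        cursor = last + timedelta(days=1)
    return windows


def split_users(users, max_users=MAX_USERS_PER_REPORT):
    """Batch user IDs, dropping duplicates but keeping the original order."""
    unique = list(dict.fromkeys(users))
    if not unique:
        raise ValueError("at least one user is required")
    return [unique[i:i + max_users] for i in range(0, len(unique), max_users)]


def plan_reports(users, start, end):
    """Return one request per (time window, user batch) combination."""
    return [
        {"from": first, "to": last, "users": batch}
        for (first, last), batch in product(split_windows(start, end),
                                            split_users(users))
    ]


if __name__ == "__main__":
    # Constructed sample: 25 hypothetical user IDs over a 90-day period.
    sample_users = [f"emp{n:03d}" for n in range(1, 26)]
    plan = plan_reports(sample_users, date(2025, 1, 1), date(2025, 3, 31))
    for n, req in enumerate(plan, 1):
        print(f"{n:2d}. {req['from']} .. {req['to']}  "
              f"{len(req['users'])} users: {req['users'][0]} .. {req['users'][-1]}")
```

Each planned request still has to be downloaded within the 48-hour window described under Next Steps, so submit only as many as you can collect and archive in time.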

    

Results

The report may take just a few minutes to prepare or, if there’s a lot of data, it can take longer. You receive an email notification when the report is complete (or if it has failed).

Next Steps 

Wait to receive an email notification and use the link provided, within 48 hours, to go directly to the page where you can view and download the report in CSV format.

Remember

  • Audit reports are automatically purged after 48 hours. Be sure to check the report you are interested in within 48 hours of generation and archive it if necessary. Otherwise, you may have to run it again.
  • Alternatively, if you don't want to wait for the email, you can always check job status and download completed reports by going to Read Audit Reports > Access Reports.

Read Audit Data Retention: The Read Audit data is stored indefinitely in our database, from the point it is enabled for an instance. This is unless the audit data is purged using DRM tools.

As part of the 2H 2022 release, you can now exclude up to 100 technical user accounts from Read Audit. Previously, only 10 technical user accounts could be excluded.

This enhancement is included to improve the performance of generating Read Audit.

Notes:

  • Read Audit reports scan and filter a very large audit dataset (often tens of millions of records). When a report query covers a wide timeframe, many users, or minimal filters, the system must examine and filter a large portion of that dataset, which increases processing time. This is expected behavior and not an indication of a system fault. Reports that require scanning large volumes may run for minutes to hours depending on the selected timeframe, number of users, and system load.
  • The Read Audit features are disabled in Sales Demo systems due to the generated data volume, so you will not be able to view the "Read Audit" functionality under Manage Audit Configuration. 

Keywords

Read Audit, Generate Read Audit, Setting up Read Audit, Create Read Audit, PLA-45420, Creating a Read Audit Report, sf, sfsf , sf sf, SuccessFactors, SuccessFactor, Success Factor, bizx , KBA , LOD-SF-PLT-RAL , Read Access Logs , How To

Product

SAP SuccessFactors HXM Suite 2005 ; SAP SuccessFactors HXM Suite 2205
