SAP Knowledge Base Article - Public

2921353 - How to Generate Read Audit Report

Symptom

  • What is Read Audit?
  • Setting Up Read Audit.
  • How to Enable Read audit?
  • How to Generate Read Audit Report?
  • How long is Read Audit data retained?

Environment

SAP SuccessFactors HXM Suite

Resolution

Read Audit

Read auditing capabilities enable you to track access to sensitive personal data.

Companies store a wide range of personal data about people, from the basic information (such as name and date of birth) to the potentially sensitive information (such as national ID or ethnicity). Your data protection and privacy policy may require you to keep track of who has accessed sensitive personal data.

SAP SuccessFactors provides a read audit function that enables you to determine who has accessed the sensitive personal data of employees or external candidates at your company.

Note: Not all personal data, nor all personally identifiable information, is necessarily considered sensitive. Read auditing is only available for a small number of records that we've identified as sensitive.

Setting Up Read Audit

Set up the read audit function so that you can track access to sensitive personal data.

Also, configure read audit in each module and allow read access logging for the Sensitive Personal Data (SPD) fields.

Prerequisites

With the 1H 2020 release, read audit reporting is enabled by default in all Preview and Production systems, in all data centers.

Procedure

  • Enable the read audit function in Admin Center.
  • Add user exceptions for technical user accounts, such as API users, so that they are excluded from read audit logs and read audit reports.

Tip: To avoid unnecessary impacts to system performance and prevent large amounts of irrelevant information in read audit reports, exclude API users that regularly process large amounts of data and don't correspond to a real person.

Enabling Read Audit

Enable read audit logging so that authorized users can create audit reports tracking read access to sensitive personal data.

Prerequisites

You have the following role-based permissions:

  • View Read and Change Audit Configuration
  • Edit Read and Change Audit Configuration
  • Generate Read Audit Reports

Procedure

  1. Go to Admin Center > Manage Audit Configuration.
  2. On the Read Audit tab, switch on the Read Access Logging option.
  3. Choose Save.
  4. You get a message telling you that the activation process has started. It usually takes about 24 hours.
  5. Come back to Manage Audit Configuration later to verify that the toggle switch is enabled. If so, it means that the process is complete.
  6. If you use Onboarding 1.0, also go to Onboarding 1.0 > Settings > Features > Data Protection and Privacy and click Activate to enable Read Audit.

Allowing Sensitive Personal Data (SPD) fields:

  1. Go to Admin Center > Manage Audit Configuration > Read Audit.
  2. On the Manage Audit Configuration page for read audit, choose View Details in the Allowable Sensitive Personal Data Fields section.

    A list of fields that can be configured as sensitive personal data fields displays. You can see a green tick after the fields already configured as sensitive.

  3. Review the quota and already configured sensitive personal data fields and decide which ones to configure as sensitive in the next step. Use the table below to find the detailed configuration tasks for your module.
    To configure sensitive fields for... : Follow this task

      • User Management
        • For system administrators: Configuring Read Audit in Business Configuration UI
        • For company provisioners: Configuring Read Audit in Succession Data Model
      • Compensation: Configuring Read Audit in Compensation
      • Employee Central
        • For MDF-based objects: Configuring Read Audit in the Metadata Framework (MDF)
        • For HRIS fields: Configuring Read Audit in Business Configuration UI
        • For Global Benefit: Configuring Read Audit in Global Benefits
        • For Payment Information objects: Configuring Read Audit for Payment Information
      • Employee Profile
        • For system administrators: Configuring Read Audit in Business Configuration UI
        • For company provisioners: Configuring Read Audit in Succession Data Model
      • Onboarding: Configuring Field Objects for Read Audit in Onboarding
      • Onboarding 1.0: Configuring Read Audit for Fields in Onboarding 1.0
      • Recruiting: Important Considerations for Configuring Sensitive Fields in Recruiting

  4. Choose Go to Configuration Page and configure the sensitive personal data fields for each module.
  5. When you finish, choose Reload to update the configuration status for the list.

Creating a Read Audit Report

Create a read audit report to see who has accessed sensitive personal data about a given person.

Prerequisites

  • Read audit is enabled in your system.
  • You have Generate Read Audit Reports permission.

Procedure

1.  Go to Admin Center -> Read Audit Reports -> Create Read Audit Report.

2.  Select the type of user you want to create a report for.

  • For an individual employee or onboardee in Onboarding 2.0, choose Person Search.
  • For an external candidate for jobs at your company, choose External Candidate Search.
  • For a new hire onboardee in Onboarding 1.0, choose Onboardee Search.

A dialog opens where you can configure the report settings.

3.  Specify the person you want to report on.

  • For the Person Search, you have two choices:
    • To see who has accessed sensitive personal data about a specified person, select Read On Subject User and use the Person search to specify the employee.
    • To see whose sensitive personal data a specified person has accessed, select Read By User/Data Operator and use the Person search to choose the employee.
  • For the External Candidate Search, use the External Candidate search to specify the candidate.
  • For the Onboardee Search, use the Onboardee search to specify the new hire in Onboarding 1.0.

4.  Select the modules and functional areas you want to include in the search.

Note: To optimize system performance, limit your search to only the required data. The more modules you choose, the longer the report takes to compile.

5.  Configure the time range you want to report on, up to a maximum of 30 days.

Remember: Audit reports cover a maximum time range of thirty days. If you want to audit a longer period of time, create multiple reports. 

6.  Submit the request to generate a report.

Results

The report may take just a few minutes to prepare or, if there’s a lot of data, it can take longer. You receive an email notification when the report is complete (or if it has failed).

Next Steps 

Wait to receive an email notification and use the link provided, within 48 hours, to go directly to the page where you can view and download the report in CSV format.

Remember

  • Audit reports are automatically purged after 48 hours. Be sure to check the report you are interested in within 48 hours of generation and archive it if necessary. Otherwise, you may have to run it again.
  • Alternatively, if you don't want to wait for the email, you can always check job status and download completed reports by going to Read Audit Reports > Access Reports.
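
Because each report covers at most thirty days and is purged 48 hours after generation, auditing a longer period means planning several consecutive reports. The following Python sketch is an added example, not part of the SAP article or any SAP tool; the function names are hypothetical, and it assumes a window counts both its first and last calendar day.

```python
from datetime import date, datetime, timedelta

MAX_REPORT_DAYS = 30    # from the article: a report covers at most thirty days
PURGE_AFTER_HOURS = 48  # from the article: reports are purged after 48 hours


def plan_report_windows(start, end, max_days=MAX_REPORT_DAYS):
    """Split [start, end] (inclusive) into consecutive, non-overlapping windows.

    Assumption: both boundary days count toward the limit, so the plan stays
    within thirty days however the report dialog counts them.
    """
    if end < start:
        raise ValueError("end date is before start date")
    windows, cursor = [], start
    while cursor <= end:
        window_end = min(cursor + timedelta(days=max_days - 1), end)
        windows.append((cursor, window_end))
        cursor = window_end + timedelta(days=1)
    return windows


def download_deadline(generated_at):
    """Latest moment to download and archive a report before it is purged."""
    return generated_at + timedelta(hours=PURGE_AFTER_HOURS)


def check_plan(windows, start, end, max_days=MAX_REPORT_DAYS):
    """Return True only if the plan has no gap, overlap or oversized window."""
    if not windows or windows[0][0] != start or windows[-1][1] != end:
        return False
    for first, last in windows:
        if last < first or (last - first).days + 1 > max_days:
            return False
    return all(b[0] - a[1] == timedelta(days=1)
               for a, b in zip(windows, windows[1:]))


if __name__ == "__main__":
    # Constructed example: a 90-day review period for one subject user.
    period_start, period_end = date(2023, 1, 1), date(2023, 3, 31)
    plan = plan_report_windows(period_start, period_end)
    assert check_plan(plan, period_start, period_end)
    for n, (first, last) in enumerate(plan, 1):
        print(f"Report {n}: {first} to {last} ({(last - first).days + 1} days)")
```

Archive each downloaded CSV together with the window it covers, so that a purged report can be regenerated for exactly the same dates.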

Read Audit Data Retention: The Read Audit data is stored indefinitely in our database, from the point it is enabled for an instance. This is unless the audit data is purged using DRM tools.

As part of the 2H 2022 Release, you can now exclude up to 100 technical user accounts from Read Audit. Previously, only 10 technical user accounts could be excluded.

This enhancement is included to improve the performance of generating Read Audit.

Notes

The Read Audit features are disabled in Sales Demo systems due to the generated data volume, so you will not be able to view the "Read Audit" functionality under Manage Audit Configuration. 

 

See Also

Link to Help Portal for More Information.

Configuring Read Audit

Keywords

Read Audit, Generate Read Audit, Setting up Read Audit, Create Read Audit. , KBA , LOD-SF-PLT-AUDE , Enable Audit Framework , How To

Product

SAP SuccessFactors HXM Suite 2005 ; SAP SuccessFactors HXM Suite 2205