Data Protection Law

Description

The Ruling that covers security measures with relation to automated files containing data of a personal nature, approved by Royal Decree 994/1999 of June 11th and published in the Official Government Newsletter of June 25th 1999, requires in CHAPTER IV (High Level Measures), Article 24, the registration of all accesses to data classified as high level.

The SAP Human Resources model for Spain stores a series of high level data, such as the degree of disability of the employee and other personal data. It is therefore necessary to implement a mechanism that records access to this data and covers the requirements shown in article 24 of the aforementioned Regulation:

  1. "For each access, at least the user identification, the date and the time in which it was carried out, the file accessed, the type of access and whether it has been authorized or denied will be saved.
  2. If the access has been authorized, it will be necessary to save the information that allows the accessed record to be identified.
  3. The mechanisms that allow the data mentioned in the above paragraphs to be recorded will be under the direct control of the relevant person responsible for security, without allowing them to be deactivated under any circumstances.
  4. The minimum period of conservation of the recorded data will be two years.
  5. The relevant person responsible for security will undertake the periodic revision of the recorded control information and will produce a report of the checks carried out and the problems detected at least once a month."

The time period for the implementation of the above measures is 2 years from the coming into effect of said regulation for high level data. In other words, this period of time runs out on June 25th 2001.

SAP delivers the function of access to protected data through the HR SP ES18.1 support package. Please consult note 115907, in which the date of availability of this HR SP is specified.

Technical Process

Recording

Access to highly protected data is recorded through a set of tables. The corresponding entries can be seen through an evaluation program.

Each access is saved in the table Protocol of Access to Protected Data (T5EL1). This table records the following data regarding access:

In the table Logic Files of Protected Data (T5EL2) you can find the identifiers of logic files with their corresponding explanatory text, for example, identifier 0001, Degree of Disability of the Employee. The fields in the table are:

The table Last Recorded Access to Protected Data by User (T5EL3) contains the number of the last recorded access for a user. This table allows rapid maintenance of the T5EL1 table and its existence is entirely due to technical reasons. It does not contain data directly related to the saving of records of highly protected data.

Finally, the table Protected Fields in TemSe (T5EL4) allows you to enter the structure fields or tables that are considered highly protected data and that trigger a record in the T5EL1 table if accessed. The access is only recorded in those programs that have been specially modified for this purpose. The T5EL4 table contains the following data:

Evaluation

The evaluation of the records generated by a user in a given time interval is obtained via the program Evaluation of Access to Protected Data Protocol (RPULORE0).

It is basically a list of the data stored in the table Access to Protected Data Protocol (T5EL1) combined with the explanatory text for each logic file identifier shown in the table Logic Files of Protected Data (T5EL2).

This program also offers the possibility of deleting from table T5EL1 the data that it is no longer obligatory to conserve (currently once every two years).

Finally, this program should be used in case of synchronization problems between the T5EL1 and T5EL3 tables, selecting the reorganization option. If there is no need to reorganize these tables, the program will show this with the corresponding message.
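The checks below are an added illustration, not SAP code or part of the original documentation: they model in Python what an evaluation of the access log has to support under Article 24 (completeness of each entry, selection by user and time interval with the logic file text, and entries past the two-year minimum). The field names, the sample entries and the 732-day cut-off are assumptions, since the page does not list the T5EL1 columns.

```python
from datetime import datetime, timedelta

# Hypothetical field names: the page does not list the T5EL1 columns.
REQUIRED = ("user", "timestamp", "file_id", "access_type", "authorized")
RETENTION = timedelta(days=2 * 366)  # assumption: conservative two-year minimum

# Constructed stand-in for T5EL2 (identifier 0001 is the page's own example).
LOGICAL_FILES = {"0001": "Degree of Disability of the Employee"}

# Constructed sample access entries, not real data.
SAMPLE_LOG = [
    {"user": "JPEREZ", "timestamp": datetime(1999, 3, 1, 9, 15), "file_id": "0001",
     "access_type": "READ", "authorized": True, "record_key": "00001234"},
    {"user": "JPEREZ", "timestamp": datetime(2001, 5, 2, 14, 0), "file_id": "0001",
     "access_type": "READ", "authorized": False, "record_key": None},
    {"user": "MLOPEZ", "timestamp": datetime(2001, 5, 3, 8, 30), "file_id": "0001",
     "access_type": "CHANGE", "authorized": True, "record_key": None},
]


def article24_gaps(entry):
    """Return the Article 24 items (points 1 and 2) missing from one entry."""
    gaps = [f for f in REQUIRED if entry.get(f) is None]
    # Point 2: an authorized access must identify the accessed record.
    if entry.get("authorized") and not entry.get("record_key"):
        gaps.append("record_key")
    return gaps


def evaluate(log, user, start, end):
    """List one user's accesses in [start, end], adding the logic file text."""
    return [
        {**e, "file_text": LOGICAL_FILES.get(e["file_id"], "<unknown>")}
        for e in log
        if e["user"] == user and start <= e["timestamp"] <= end
    ]


def deletable(log, now):
    """Entries older than the minimum conservation period (point 4)."""
    return [e for e in log if now - e["timestamp"] > RETENTION]
```

A denied access passes the completeness check without a record key, while an authorized access without one is reported as a gap, which is the distinction points 1 and 2 of the article draw.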

See also:

You will find additional complete and up-to-date information in consultation note number 394999.
