Data Storage Security
The payroll results are saved in compressed form to an INDX-like table. In the standard system, access is protected using the read and write authorizations for the infotypes and the authorizations for the required cluster.
The Payroll data and the posting to Accounting are saved to the databases of SAP NetWeaver Application Server (AS) ABAP. Payroll uses the standard security concept of SAP NetWeaver AS ABAP for this.
The payroll results in the table PCL2 are protected using the authorization object P_PCLX.
The posting data is stored in the table PPOIX and other transparent tables. Access to the posting data is regulated using the report authorizations. For more information, see Authorizations.
Caution
Data stored in database tables can be displayed using the transactions SE16 or SE16N even without an application-specific authorization check. To prevent this, remove the authorizations for these transactions in productive systems or adjust them accordingly.
For more information, see SAP NetWeaver Library under Authorization Checks and in SAP NetWeaver Application Server ABAP Security Guide. For the SAP NetWeaver Application Server ABAP Security Guide, see SAP Service Marketplace at http://service.sap.com/securityguide.
Payroll saves data in files in the local file system. It is therefore important to grant explicit access to the corresponding files only, without allowing access to other directories or files (also called directory traversal). This is achieved by entering logical paths and file names in the system that are assigned to the physical paths and file names. This assignment is validated at runtime. If access is requested to a directory that does not correspond to a stored assignment, an error occurs.
The following lists show the logical file names and paths that are used by Payroll, and the reports for which these file names and paths are valid:
The following logical file names and logical file paths were created using transaction FILE to facilitate the validation of physical file names:
| Logical File Name | Reports That Use These Logical File Names | Logical File Path |
|---|---|---|
In addition, country-specific logical file names and file paths were created for some country versions. For more information, see the following sections of the Security Guide:
These logical paths and file names are specified in the system for the corresponding reports. For reasons of downward compatibility, the validation is deactivated by default at runtime. To activate the validation at runtime, maintain the physical path using the transactions FILE (client-independent) and SF01 (client-dependent). To determine which paths are used by your system, you can activate the corresponding settings in the Security Audit Log.
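The following added example is a simplified Python model of the runtime validation described above. It is not SAP code and not part of the original guide. The logical path names and directories are constructed, and treating an unmaintained physical path as "unchecked" is an assumption that mirrors the default described in the text.

```python
import posixpath

# Constructed assignments: logical path -> maintained physical directory.
# None models a logical path with no physical path maintained, for which
# runtime validation is inactive (assumption based on the text above).
LOGICAL_PATHS = {
    "Z_PAYROLL_EXPORT_PATH": "/usr/sap/payroll/export",   # hypothetical
    "Z_PAYROLL_LEGACY_PATH": None,                        # hypothetical
}

class ValidationFailed(Exception):
    """Requested file lies outside the directory assigned to the logical path."""

def validate_physical_name(logical_path, requested):
    """Return (normalized_path, validated) or raise ValidationFailed."""
    if logical_path not in LOGICAL_PATHS:
        raise KeyError(f"unknown logical path: {logical_path}")
    normalized = posixpath.normpath(requested)  # collapses "." and ".." lexically
    base = LOGICAL_PATHS[logical_path]
    if base is None:
        # Nothing maintained to compare against: the request passes unchecked.
        return normalized, False
    base = posixpath.normpath(base)
    if not posixpath.isabs(normalized):
        normalized = posixpath.normpath(posixpath.join(base, normalized))
    # Compare whole path components so ".../export_old" is not accepted
    # as a child of ".../export".
    if normalized == base or posixpath.commonpath([base, normalized]) != base:
        raise ValidationFailed(f"{requested!r} is outside {base!r}")
    return normalized, True

def audit(requests):
    """Classify each (logical_path, file) request as ok, unchecked or rejected."""
    results = []
    for logical_path, requested in requests:
        try:
            path, validated = validate_physical_name(logical_path, requested)
            results.append((path, "ok" if validated else "unchecked"))
        except ValidationFailed:
            results.append((requested, "rejected"))
    return results

if __name__ == "__main__":
    traversal = "/usr/sap/payroll/export/../../trans/other.dat"  # constructed
    for row in audit([
        ("Z_PAYROLL_EXPORT_PATH", "/usr/sap/payroll/export/run_01.dat"),
        ("Z_PAYROLL_EXPORT_PATH", traversal),
        ("Z_PAYROLL_LEGACY_PATH", traversal),
    ]):
        print(row)
```

The same traversal request is rejected for the maintained logical path and passes unchecked for the unmaintained one, which is why the physical paths have to be maintained before the validation offers any protection.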
For more information, see the following: