Read Audit Tool in SuccessFactors
(Employee Central)
SuccessFactors has a very powerful tool which can be useful for audits, data protection and also allows you to investigate in the event of permissions being incorrectly assigned, allowing someone access to data they shouldn’t have. However to be able to use it, you need to set it up based on your requirements
These steps show you how to enable to logging and I recommend having this setup sooner rather than later. You aren’t able to enable the feature and then view retrospective reads.
Permissions
You will need to enable the permissions to be able to set up the Read Audit:
- Admin Centre Permission / Edit Read and Change Audit Configuration
- Admin Centre Permission / View Read and Change Audit Configuration
- Admin Centre Permission / Generate Read Audit Reports
In addition, you will also need access to Manage Business Configuration
Once you have the required permissions, you need to enable the Tool.
Go to Manage Audit Configuration
This is also where you can enable the Change Audit Logging, my personal preference is to also enable this feature so that it is running, rather than realise later that I need it but it wasn’t enabled.
Enabling the Read Audit
Select the Read Audit option then tick both boxes to ‘on’, you will see an explanation of each feature at the side. After selecting them, click on Save
This will now trigger the process to start recording, note that this can sometimes take a while to enable.
If you have any API’s that you want to exclude from the logging;
On the same screen, select Read Audit User Exceptions and ‘Add User Exceptions’ as required. It is not recommended to add anyone other than API’s onto this list.
What to Audit?
I always make a point to my customers here, ‘what is a read’ well quite simply it means that the data in the field ‘loaded’ on the screen. It doesn’t actually prove that it was read. Take for example a field that you might have at the top of People Profile, as soon as you load the profile the field appears on the screen and the system will mark that it was read.
There is a better way to utilise this tool.
My recommendation is to use read audit in conjunction with masked fields.
For those who might not be familiar with masked fields, it is simply a field that shows as ****** until you click on the ‘Show’ button, like in the Disability Status below
Masked Fields
Just a couple of thoughts and notes on field masking.
- You can have fields masked without them being audited. Consider a traditional office space, a person is logged onto SuccessFactors and someone approaches their desk, potentially a number of confidential fields are on the screen. You can review all of the fields in your system and utilise masking to safeguard your data from accidental viewing.
- If you enable masking on fields, be aware that these fields will no longer appear in SuccessFactors table (ad-hoc) reporting. If you need to report on these fields you should re-build any reports as Canvas Reports.
How to add a field to Read Audit (and how to mask)
In the example below, I will show how to make Date of Birth Masked and Read Audited, you can simply repeat for each field required;
Navigate to Manage Business Configuration and to the portlet (HRIS Element) that contains the field;
Select Take Action/Make Correction then Details for the field required;
Find the field Masked and set it to Yes
Find the field Log Read Access and set it to True
Then Finish and Save
That’s it! From this point any one who clicks on the ‘Show’ button for the Date of Birth Field will be logged that they viewed it.
Submitting the Read Audits
Once set up, you can trigger a read audit by navigating to Read Audit Report, selecting Create Read Audit Report and filling in the Person Search
Selecting Read On Subject User lets you see who may have viewed fields of a specific user.
Selecting Read By User/Data Operator lets you see fields that were viewed by a specific user.
Your audit request will now be sent to the server for processing. To view your reports click on Access Reports and download
You will now see in your report the details of who read the data, when it was read and which field(s) were read.
Other Considerations
- At the time this document was created, read audit data is pushed to the database every 8 hours. After a user accesses sensitive personal data in an instance, if can take up to 8 hours for the audit log to appear in a read audit report.
- With the above in mind, ensure to run audits ‘the day after’ the incident to ensure you capture all possible reads.
- Audit Files are generally kept for 48 hours then deleted from the system.
- When viewing the ‘Time’ of any audits, factor in that this may be different to your own time zone
- When navigating to the Read Audit pages, if you see a screen stating ‘coming soon’ reach out to SAP for them to enable the feature.
Full guide and information regarding other Audit features can be found in the SAP Guide Implementing and Managing Data Protection and Privacy;