Authorizations for Data Privacy Decrypt
To ensure that Data Privacy Decrypt is not used by unauthorized users, the Z:ASE_DPRV_DECRYPT role is included in the scope of delivery.
This role is located in the SAP® Components CD in the SmartExporter SAP Components\Templates\Role Templates directory and can be uploaded, derived and copied in the SAP profile generator (TA PFCG). If you have downloaded the SmartExporter version, you can find the file in the SAP Components\SmartExporter SAP Components\Templates\Role Templates directory in the download package.
Use this role to define which user is authorized to decrypt data in SAP®. Users who are allowed to run the /AUDIC/SE_DECRYPT transaction can decrypt all data that was encrypted by the SmartExporter Data Privacy functionality. This implies that the authorization for the /AUDIC/SE_DECRYPT transaction may only be given to persons who are allowed to see all encrypted data also as plain text.
Users of the Windows tool SmartExporter Data Privacy Decrypt have to request a key from the SAP® administrator to be able to decrypt data. SmartExporter Data Privacy Decrypt is a Windows tool that makes it possible to decrypt SAP® data that was encrypted using the SmartExporter Data Privacy functionality. It can also be used to decrypt data by persons who neither have access to the SAP® system nor use SmartExporter.
Note:
You have to proceed with utmost care when allocating the authorization or issuing decryption keys to make sure that you comply with the data protection regulations at all times. It is the company’s responsibility to make sure that unauthorized persons have no opportunity to decrypt encrypted data. For this purpose your company should define an internal data privacy concept that exactly specifies which authorizations are allocated to which person. Set up this concept in close consultation with your data protection officer.
The SmartExporter functionalities offer secure encryption methods and the possibility to later decrypt all the encrypted data. The effectiveness of the data protection regarding encrypted data in your company depends on the defined data privacy concept and its implementation. Security gaps may occur if either the data protection concept or its implementation is deficient.
At a minimum, the following persons should be considered in the data protection concept:
- Data protection officer:
  The data protection officer defines which data is to be considered as sensitive data. He also defines who may only see sensitive data as encrypted text and who may see it as plain text.
- SAP® administrator:
  The SAP® administrator implements the guidelines defined by the data protection officer in compliance with the data protection concept.
  The administrator uses the /AUDIC/SE_DPRV transaction to create the Data Privacy profiles defining which SmartExporter end user may see certain data only as encrypted text.
  He defines which SAP® user may use the /AUDIC/SE_DECRYPT transaction to decrypt data.
  He provides the users of the Windows tool SmartExporter Data Privacy Decrypt with a decryption key, after checking that the user is authorized to see the data as plain text. If necessary, he obtains the approval of the data protection officer first.
- SmartExporter end user who may see sensitive data as plain text:
  He can extract sensitive data as plain text.
- SmartExporter end user who may only see sensitive data as encrypted text:
  He can extract sensitive data only as encrypted text. If he wants to decrypt data, he has to request a decryption key from the SAP® administrator.
Pay special attention to the following points to prevent data protection violations:
- Persons who should run a decryption only once should not be given a key that allows them to decrypt all encrypted data from, e.g., a specific SAP® system or client. In these cases, encryption with a unique key is to be preferred.
- Users who are allowed to run the /AUDIC/SE_DECRYPT transaction can decrypt all data that was encrypted by the SmartExporter Data Privacy functionality. This implies that the authorization for the /AUDIC/SE_DECRYPT transaction may only be given to persons who are allowed to see all encrypted data also as plain text.
- Users who were given a decryption key by the SAP® administrator or any other SAP® user with the authorization to run the /AUDIC/SE_DECRYPT transaction may not pass this key on to other persons.
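Because the /AUDIC/SE_DECRYPT authorization exposes all encrypted data, it is worth checking periodically who actually holds it. The following is an added example, not part of SmartExporter or its documentation: it assumes CSV exports of the SAP tables AGR_1251 (role authorization values) and AGR_USERS (role assignments), assumes the transaction start is granted through the S_TCODE object, and uses constructed rows, user names and role names other than Z:ASE_DPRV_DECRYPT.

```python
import csv
import io

TCODE = "/AUDIC/SE_DECRYPT"

# Constructed sample rows in the column layout of AGR_1251 and AGR_USERS.
AGR_1251_CSV = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z:ASE_DPRV_DECRYPT,S_TCODE,TCD,/AUDIC/SE_DECRYPT,,
Z_AUDIT_WIDE,S_TCODE,TCD,/AUDIC/*,,
Z_FI_DISPLAY,S_TCODE,TCD,FB03,,
Z_OLD_DECRYPT,S_TCODE,TCD,/AUDIC/SE_DECRYPT,,X
"""
AGR_USERS_CSV = """AGR_NAME,UNAME,FROM_DAT,TO_DAT
Z:ASE_DPRV_DECRYPT,DPO_MILLER,20240101,99991231
Z_AUDIT_WIDE,AUDITOR1,20240101,99991231
Z_FI_DISPLAY,CLERK7,20240101,99991231
Z:ASE_DPRV_DECRYPT,TEMP_EXT,20230101,20231231
Z_OLD_DECRYPT,ADMIN2,20240101,99991231
"""

def value_matches(low, high, tcode):
    """True if an S_TCODE value (single, trailing-* pattern, or range) covers tcode."""
    if high:
        return low <= tcode <= high  # approximation: plain string comparison
    return low == tcode or (low.endswith("*") and tcode.startswith(low[:-1]))

def roles_granting(tcode, agr_1251_csv):
    """Roles whose active S_TCODE/TCD values allow starting the transaction."""
    roles = set()
    for r in csv.DictReader(io.StringIO(agr_1251_csv)):
        if r["OBJECT"] != "S_TCODE" or r["FIELD"] != "TCD" or r["DELETED"]:
            continue  # other objects and deleted values grant nothing
        if value_matches(r["LOW"], r["HIGH"], tcode):
            roles.add(r["AGR_NAME"])
    return roles

def unapproved_holders(tcode, agr_1251_csv, agr_users_csv, approved, today):
    """Map user -> granting roles for valid assignments not on the approved list.
    today is a YYYYMMDD string, the format of FROM_DAT and TO_DAT."""
    roles = roles_granting(tcode, agr_1251_csv)
    findings = {}
    for r in csv.DictReader(io.StringIO(agr_users_csv)):
        active = r["FROM_DAT"] <= today <= r["TO_DAT"]
        if r["AGR_NAME"] in roles and active and r["UNAME"] not in approved:
            findings.setdefault(r["UNAME"], set()).add(r["AGR_NAME"])
    return findings

if __name__ == "__main__":
    print(unapproved_holders(TCODE, AGR_1251_CSV, AGR_USERS_CSV, {"DPO_MILLER"}, "20250115"))
```

The approved list should come from the data privacy concept agreed with the data protection officer. Profiles assigned directly to users, such as SAP_ALL, do not appear in the role tables and need a separate check.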