Using BAdIs to Anonymize User Information in Process Observer (POB)
Data privacy may be a requirement when creating logs of your business processes. In this blog post I want to give some samples of how you can anonymize user information using the available BAdIs of Process Observer for Built-in Processes. In previous posts of the series, an overview and a description of the architecture of Process Observer are given.
First, let me introduce the BAdIs for manipulating logging data that are available for Process Observer:
BAdIs for BOR Event Processing only (green):
- Mapping of Business Object Repository Events to Tasks (POC_INSTR_MAP_EVT_TASK): You can use this BAdI to extend the mapping of Business Object Repository (BOR) events to tasks. The default mapping uses the information defined in Customizing for ‘Maintain Business Object Repository Instrumentation’.
- Enrichment of Task Event Data (for BOR Events) (POC_MAIN_BA_EVENT): You can use this BAdI to enrich task event data for BOR events by using the customer includes provided in the interface structures.
BAdIs for Processing of all Events [including events via direct event API] (red):
- Enhance/Split Tasks (POC_MAIN_TASK): You can use this BAdI to enhance or split tasks. The BAdI is executed before the determination of the process definition or instance takes place. [Not available in all SPs.]
- Enrichment of Task Log Data (POC_MAIN_BA_LOG): You can use this BAdI to enrich process log data before it is written to the process log. You can either write additional data to fields you add to the customer includes provided in the interface structures for the process log, or you can trigger the update of own tables from this BAdI.
Practically all of these BAdIs can be used to anonymize (or manipulate) the Process Observer data that gets logged in the process log. In our example, we are using the ‘Enrichment of Task Log Data’ BAdI (POC_MAIN_BA_LOG) because it works for all events (BOR and direct), and because process definition mapping has already taken place. So we can implement different anonymization strategies for different process definitions (or business areas).
The business area concept was introduced to allow the grouping of process definitions, for example, to handle process definition similarly in BAdIs. Business Area information is available in the BAdI interfaces. Business Areas can be defined in Customizing for Process Observer (transaction POC_CUSTOMIZING):
A business area is then assigned to a Process Definition (header):
In the first example, you may just want to replace all SAP dialog users with a String ‘SAP dialog’ instead of logging the actual user ID. Therefore, the method IF_POC_BA_LOG_ENH~ENRICH of BAdI POC_MAIN_BA_LOG is implemented as follows:
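* data definitions
FIELD-SYMBOLS: <fs_ba_log> TYPE poc_t_ba_log_db.
DATA ls_logondata TYPE bapilogond.
DATA lt_return    TYPE STANDARD TABLE OF bapiret2.
* anonymize user data
LOOP AT ct_ba_log ASSIGNING <fs_ba_log>.
* read the logon data (including the user type) of the logged user
  CLEAR ls_logondata.
  CALL FUNCTION 'BAPI_USER_GET_DETAIL'
    EXPORTING
      username      = <fs_ba_log>-uname
      cache_results = 'X'
    IMPORTING
      logondata     = ls_logondata
    TABLES
      return        = lt_return.
* replace the user ID of dialog users with a fixed text
  IF ls_logondata-ustyp = 'A'. "dialog user
    <fs_ba_log>-uname = 'SAP dialog'.
  ENDIF.
ENDLOOP.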
The result in the process monitor looks like this:
In the second example you may want to replace the user ID with the user’s org unit (ORGEH). A basic understanding of organizational management is very helpful here. If you want to implement this, it will be even more helpful if you understand how organizational management, which is a very flexible tool, is implemented in your organization.
The code for this can be found as a sample implementation IM_POC_MAIN_BA_LOG_SAMPLE of the BAdI definition POC_MAIN_BA_LOG in class CL_POC_BA_LOG_SAMPLE2. This implementation is an example. It is based on the assumption that the current user is assigned to a position, object type S, which is assigned to an organizational unit, object type O, or that the user is directly assigned to an organizational unit. This may or may not be true for your configuration, and the first or “lowest” organizational unit to which the user is assigned may not be the organizational unit that you want in the log. Thus the sample implementation should help you to implement your requirement, but you need to adjust it very carefully to your requirements. Also, please consider that these operations can be quite time-consuming, so while there is a lot of buffering implemented, you need to look at the runtime.
The result in the process monitor looks like this:
You can see that the user name is replaced with the name of the organizational unit: ‘AK Company’.
We hope that this little introduction gives you some more ideas on what manipulations you can do to the data logged by Process Observer. It is also possible to extend the log tables with customer fields and fill them in the given Enrichment of Task Log Data BAdI or even to write data into your own custom tables in the execution of the BAdI. This may be the subject of a new blog posting. However, just a warning here: Whenever you create a BAdI implementation, be aware that your code can seriously influence the logging (and therefore the system) performance. So always be careful of what you are doing!
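With the performance warning in mind, here is a variant of the first example that looks up each distinct user only once per BAdI call. It is an added example, not part of the original post or of SAP's sample classes; the local type ty_user_type and the table lt_user_type are names chosen here for illustration.

```abap
METHOD if_poc_ba_log_enh~enrich.
* Added example: same replacement rule as the first example, but the
* user type is looked up only once per distinct user ID in ct_ba_log.
  TYPES: BEGIN OF ty_user_type,              "illustrative local type
           uname TYPE bapibname-bapibname,   "original user ID
           ustyp TYPE bapilogond-ustyp,      "user type from the logon data
         END OF ty_user_type.
  DATA: lt_user_type TYPE HASHED TABLE OF ty_user_type
                     WITH UNIQUE KEY uname,
        ls_user_type TYPE ty_user_type,
        ls_logondata TYPE bapilogond,
        lt_return    TYPE STANDARD TABLE OF bapiret2.
  FIELD-SYMBOLS <fs_ba_log> TYPE poc_t_ba_log_db.

  LOOP AT ct_ba_log ASSIGNING <fs_ba_log>.
*   reuse the result if this user was already checked in this call
    READ TABLE lt_user_type INTO ls_user_type
         WITH TABLE KEY uname = <fs_ba_log>-uname.
    IF sy-subrc <> 0.
      CLEAR: ls_logondata, lt_return.
      CALL FUNCTION 'BAPI_USER_GET_DETAIL'
        EXPORTING
          username      = <fs_ba_log>-uname
          cache_results = 'X'
        IMPORTING
          logondata     = ls_logondata
        TABLES
          return        = lt_return.
*     a failed lookup leaves ustyp initial, so the row stays unchanged,
*     which is the same behavior as in the first example
      ls_user_type-uname = <fs_ba_log>-uname.
      ls_user_type-ustyp = ls_logondata-ustyp.
      INSERT ls_user_type INTO TABLE lt_user_type.
    ENDIF.
*   replace the user ID of dialog users with a fixed text
    IF ls_user_type-ustyp = 'A'. "dialog user
      <fs_ba_log>-uname = 'SAP dialog'.
    ENDIF.
  ENDLOOP.
ENDMETHOD.
```

Because a failed lookup leaves the original user ID in the log, check the return table as well if your privacy requirement also covers users that can no longer be read.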
Stay tuned for the next episode!