The global and independent platform for the SAP community.

Are you compliant or are you testing anyway?

DIN, DSGVO and auditors notwithstanding: operational practice still shows in very many, especially medium-sized, companies that the topic of compliance often ends at the edge of the productive systems.
Peter Höroldt, Dragonfly
April 28, 2020
[ 234022315, Kamira]
This text has been automatically translated from German to English.

But what about the handling of personal and other business-critical data on non-production systems? Unless strict authorization management, similar to that for production systems, clearly structures access to sandboxes and QA systems, the door is still wide open to the technical possibilities of unintentional data leakage.

The authorization system

Our experience shows that internal as well as external developers often get relatively easy access to QA systems, usually with much more extensive permissions than they would ever get in the production environment.

After all, testing should be carried out with fully comprehensive real data. This is because reduced, but logically consistent data sets only allow a functional consistency that also covers all real special cases and makes reliable performance statements to a limited extent.

In addition, they can also only be achieved with extensive configuration work and also require relatively long export/import lead times.

Copy and clone

This is why many companies rely on the homogeneous system copy or system clone. Because system copies have never been easier, more frequent and faster than today. QA and test systems are built and/or updated at the proverbial push of a button, especially in conjunction with comparatively inexpensive and "easily procurable" cloud environments.

This is generally a good thing. However, this means that complete databases, including personal and other business-critical data, are increasingly accessible to unauthorized persons. If these systems are also under the radar of data protection officers and the DSGVO (keyword:

right to information, or: "in which systems are which of my personal data stored?"), in case of doubt, several violations of current laws and internal as well as external compliance requirements can be found at the same time.

There are only a few ways to get a grip on this. First, strict limitation of the number of systems and consistent deletion of personal and other critical data - in our view, clearly contrary to the objective of these systems.

Secondly, strict implementation of authorization concepts analogous to the productive environments - and the associated restriction of the working ability and efficiency of developers, consultants, testers.

Third, persistent data anonymization ensures that such systems no longer offer sensitive and business-critical data - in our view, this is the best way forward, provided that the "logical ability to work" of the data is still guaranteed.

This means that these systems no longer carry critical real data, but continue to offer data sets that look real and are logically consistent. Age structures should generally remain similar, regional distributions as well as other clusterings/segmentations.

Financial data records, IBAN or checksums for credit cards should be calculated just as correctly as street addresses are assigned to correct postal codes. And a few more critical cases.

All of these logical dependencies should be taken into account initially during anonymization, and not just within one system in the business process chain, but across all systems and databases in the entire business process. The fact that other application platforms are sometimes involved in addition to SAP systems should also be more than just kept in mind.

Templates for all

The good thing about this is that the data models of most major application vendors are known. And so providers like us with Libelle DataMasking have mature templates on board that already cover a large part of these requirements. Available out of the box, immediately usable and also incrementally expandable.

In the entire subject area of compliance, the construction site "critical data in non-production systems" can thus be regulated comparatively simply and quickly with regard to internal and external specifications, without restricting the ability of consultants and developers to work.
Peter Höroldt, Dragonfly

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular Ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.