Password Protection and Encryption for your SAP HCM reports

April 30, 2019
Written by Eben de Lange - Lead Developer, Query Manager

Eben de Lange is head of the Enterprise Information Management product line at EPI-USE Labs. He led the team which designed, developed and released Query Manager 4, as well as playing a key role in the design and bringing-to-life of the Microsoft Excel Add-in for Query Manager.


Your SAP Human Capital Management (HCM) and Payroll data is highly confidential. Users often wish to send this data to other users via a Microsoft Excel spreadsheet for additional evaluation and visualization. It's critical that your reporting solution has the ability to either password protect or encrypt your sensitive HCM data.


Query Manager allows you to password protect and encrypt your Microsoft Excel files. This functionality adheres to the MS-OFFCRYPTO standard, which is regarded as strong encryption and hasn't been broken yet.

When specifying your password or encryption, you can choose from the following options:

  • No password
  • The same password for all Excel files
  • Passwords that use employee or system data as part of the password (like Date of Birth or last name)
  • Generated passwords (which will be emailed to the users).


Query Manager offers the same password options for PDFs as detailed below.

The PDF settings allow you to configure different aspects supported by the PDF document standard, which typically includes the following:

  • Optional password protection of the document
  • Document access permissions to prescribe what recipients can do with the document content once it's opened in a PDF viewer
  • Communication settings on how the document password should be sent to the document recipient.

The image below depicts the PDF settings screen with its default settings:


Note that Query Manager allows you to generate multiple PDF documents, and the PDF settings typically apply to each document generated and to the set of data contained within that document. The PDF settings also work in conjunction with the output destinations defined on the Query selection screen in the 'Output settings' group.

Essentially, the PDF settings tell Query Manager some of the attributes used for the generated document and how the document password is communicated to the recipient, while the output destinations tell Query Manager where the generated document should go. As an example, we could configure the PDF settings to password protect the output document with a generated password, and send the password by text to the document recipient’s mobile number, while the PDF document is sent to their work email address.

Password Protection
PDF documents can typically contain sensitive information. Query Manager provides a number of ways to password protect the PDF documents generated by a report, and the following options are supported:

  • No password protection: this is the default setting and the user will not have to provide a password to access the document contents.
  • Use the same password to protect all the documents generated by the report run: This option provides some level of security, but it will enable recipients of the document to potentially view documents intended for other recipients if they gain access to these documents. If the report generates only a single document, this option is ideal, since it’s simple and the single password could easily be communicated to recipients of the document.
  • Use a password extracted from a field value in the Query run: This option is ideal when you’re generating multiple documents containing personal information of recipients, since you could use a Query field value that contains a password that would be commonly known to the recipient such as their employee ID, date of birth or some form of national identity number. Query Manager will use the first filled field value encountered in the dataset intended for the document as the password.
  • Generate a password that is not known to the sender but that can be sent to the recipient using one or more notification methods: Query Manager will use the settings configured in the administration transaction (/use/qma) under the 'Global settings' option to generate a random password when the report is executed that is not known to the sender. This is the most secure option for sensitive information. When the generated password option is selected, the PDF settings require at least one password notification to be configured and a message that includes the document password field. See the next section for more information.

IMPORTANT: Please note that each password entry field has a confirmation field to ensure that you do not enter passwords incorrectly. If the password entry and the password confirmation entry do not match, an error message is displayed so that you can correct any incorrectly typed passwords.

Document permissions
PDF documents support a number of permissions that control what a recipient can do with the document once it is opened in a PDF viewer.
The image below depicts the PDF document permissions screen with its default settings:


IMPORTANT: Please note that some PDF viewers only apply these permissions if a password is specified to change these permissions. The 'change permissions' password thus becomes required once these permissions are changed in order to ensure that PDF viewers would apply the permissions consistently.

The following document permissions are supported:

  • The printing permission controls whether the recipient can print the document and what resolution is allowed for printing. Low-resolution printing would result in the output of images in the document at a lower quality. If your document contains important graphs, high-resolution printing is advised if you want recipients to be able to print these documents using high-quality printing resolutions.
  • The document change permission controls whether the recipient can modify the document and what type of modifications are allowed. The following options are available:
    • None: No document modifications are allowed.
    • Filling in form fields and signing: The user is allowed to fill in input fields defined in the document and add signatures to the document if it contains signature fields.
    • Commenting, filling in form fields and signing: Includes the filling of form fields permissions but also allows the user to add annotations to the document.
    • Any except extracting pages: The user can perform any modification except the copying of document content since this is controlled by a separate permission.
  • Access permissions to the document content can be divided into full content access and access for visually impaired users that use screen reader software.
    • Enable copying of document content: This permission allows full access to the document content to other software running on the recipient's computer. When this option is enabled, access permission for screen reader software is always included and thus that option is enabled and grayed out.
    • Allow screen reader access for the visually impaired: This permission allows only access for screen reader software for the visually impaired. This option is only changeable if the 'Enable copying of document content' option is not selected.

The clear access permissions button will reset the access permissions to the Query Manager defaults. The Query Manager defaults assume that all documents generated contain confidential information and therefore the most restrictive permissions are set. This function does not clear the change permission password since it is required to ensure that the document access permissions are correctly enforced in different PDF viewers.
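To audit what a generated PDF actually grants, the permission flags can be decoded from the /P integer in the file's encryption dictionary. The following is an added example, not Query Manager code: the bit positions are those of the PDF standard security handler, the grouping mirrors the options listed above, and the function names and sample /P values are constructed for illustration.

```python
# Permission flags stored in the /P entry of a PDF encryption dictionary.
# The PDF specification numbers bits from 1, so bit n has value 1 << (n - 1).
PRINT, MODIFY, COPY, ANNOTATE = 1 << 2, 1 << 3, 1 << 4, 1 << 5
FILL_FORMS, ACCESSIBILITY, ASSEMBLE, PRINT_HQ = 1 << 8, 1 << 9, 1 << 10, 1 << 11

FLAG_NAMES = {
    PRINT: "PRINT", MODIFY: "MODIFY", COPY: "COPY", ANNOTATE: "ANNOTATE",
    FILL_FORMS: "FILL_FORMS", ACCESSIBILITY: "ACCESSIBILITY",
    ASSEMBLE: "ASSEMBLE", PRINT_HQ: "PRINT_HQ",
}


def decode_permissions(p):
    """Map a signed 32-bit /P value onto the permission groups described above."""
    p &= 0xFFFFFFFF  # /P is written as a signed integer; work on the raw bits
    if not p & PRINT:
        printing = "none"
    elif p & PRINT_HQ:
        printing = "high resolution"
    else:
        printing = "low resolution"

    if p & MODIFY:
        changes = "any except extracting pages"
    elif p & ANNOTATE:
        changes = "commenting, filling in form fields and signing"
    elif p & FILL_FORMS:
        changes = "filling in form fields and signing"
    elif p & ASSEMBLE:
        # Defined by the PDF permission bits, but not one of the options listed above.
        changes = "inserting, deleting and rotating pages"
    else:
        changes = "none"

    return {
        "printing": printing,
        "changes": changes,
        "copying": bool(p & COPY),
        "screen_reader": bool(p & ACCESSIBILITY),
    }


def granted_beyond(p, allowed_mask):
    """Return the names of flags set in p that allowed_mask does not permit."""
    extra = (p & 0xFFFFFFFF) & ~allowed_mask
    return sorted(name for bit, name in FLAG_NAMES.items() if extra & bit)


# Constructed sample values: -3904 grants nothing, -4 grants everything,
# -3388 grants low-resolution printing and screen reader access only.
SAMPLES = (-3904, -4, -3388)
```

Passing the mask your policy allows to `granted_beyond` lists any flags a document grants in excess of it, which makes the check usable as a gate before distribution.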

Password Notification and Notification Message
When some form of password protection is selected, the PDF settings dialog will allow you to configure one or more notification methods to automatically send an email or text message notification to the recipient of the document. It should be noted that this functionality requires that an email or text notification service is configured in transaction SCOT. Users should request that their Basis team configures this service if they want to make use of the Query Manager password notification functionality.
The user can configure one or more notifications in an ordered list that will be processed by Query Manager when the report is executed. The following needs to be configured for each notification defined:

  • The notification method to use to send the password notification: this can either be an email or a text message.
  • The source of the address value for the notification: this can either be a value entered in the PDF settings dialog or a Query field selected from the list of fields defined in the report like the employee email address from Infotype 105.
  • The actual value to use for the address: this is either a value entered directly or a Query field.

Query Manager can send out multiple notifications for each document. Where multiple communication methods are defined but the address data may be incorrect or missing, the user running the report can choose either to use the first valid address encountered or to send the password notification to all the defined channels to ensure the recipient does receive it. The 'Notification behavior' option allows the Query user to select which one of these sending mechanisms to use.

The 'Notification message' settings allow you to configure the subject and content of the message that the recipient of the password notification would receive. The subject field allows you to enter special field values that would be replaced at run-time by Query Manager with some of the run-time fields available. The message editor also allows run-time fields to be added to the message body that would be replaced with values when the Query is run. The most important run-time field from the perspective of the PDF settings is the 'Document password' field, which would be replaced by the actual password configured under the 'Password' group.

IMPORTANT: When a generated password is used to protect documents, the 'Document password' field must be included in the notification message body in order to avoid the case where neither the sender nor the recipient knows what the password is. Query Manager generates random passwords and once the document is protected, the password is discarded from the Query runtime, so if the password is not sent out to a recipient, the document will remain protected and nobody would know what the password is. This is intentionally designed for security purposes.
