Eben de Lange is head of the Enterprise Information Management product line at EPI-USE Labs. He led the team which designed, developed and released Query Manager 4, as well as playing a key role in the design and bringing-to-life of the Microsoft Excel Add-in for Query Manager.
Your SAP Human Capital Management (HCM) and Payroll data is highly confidential. Users often wish to send this data to other users via a Microsoft Excel spreadsheet for additional evaluation and visualization. It's critical that your reporting solution has the ability to either password protect or encrypt your sensitive HCM data.
Query Manager allows you to password protect and encrypt your Microsoft Excel files. This functionality adheres to the MS-OFFCRYPTO standard, which is regarded as a strong encryption and hasn't been broken yet.
When specifying your password or encryption, you can choose from the following options:
Query Manager offers the same password options for PDFs as detailed below.
The PDF settings allow you to configure different aspects supported by the PDF document standard, which typically includes the following:
The image below depicts the PDF settings screen with its default settings:
The user should note that Query Manager allows you to generate multiple PDF documents, and the PDF settings would typically apply to each document generated and the set of data contained within the document. Another important point to note is that the PDF settings work in conjunction with the output destinations defined on the Query selection screen in the 'Output settings' group.
Essentially, the PDF settings tell Query Manager some of the attributes used for the generated document and how the document password is communicated to the recipient, while the output destinations tell Query Manager where the generated document should go. As an example, we could configure the PDF settings to password protect the output document with a generated password, and send the password by text to the document recipient’s mobile number, while the PDF document is sent to their work email address.
PDF documents can typically contain sensitive information. Query Manager provides a number of ways to password protect the PDF documents generated by a report, and the following options are supported:
IMPORTANT: Please note that each password entry field has a confirmation field to ensure that you do not enter passwords incorrectly. In the event that the password entry and the password confirmation entry do not match an error message would be displayed to allow you to correct any incorrectly typed passwords.
PDF documents support a number of permissions that control what a recipient can do with the document once it is opened in a PDF viewer.
The image below depicts the PDF document permissions screen with its default settings:
IMPORTANT: Please note that some PDF viewers only apply these permissions if a password is specified to change these permissions. The 'change permissions' password thus becomes required once these permissions are changed in order to ensure that PDF viewers would apply the permissions consistently.
The following document permissions are supported:
The clear access permissions button will reset the access permissions to the Query Manager defaults. The Query Manager defaults assume that all documents generated contain confidential information and therefore the most restrictive permissions are set. This function does not clear the change permission password since it is required to ensure that the document access permissions are correctly enforced in different PDF viewers.
Password Notification and Notification Message
When some form of password protection is selected, the PDF settings dialog will allow you to configure one or more notification methods to automatically send an email or text message notification to the recipient of the document. It should be noted that this functionality requires that an email or text notification service is configured in transaction SCOT. Users should request that their Basis team configures this service if they want to make use of the Query Manager password notification functionality.
The user can configure one or more notifications in an ordered list that will be processed by Query Manager when the report is executed. The following needs to be configured for each notification defined:
Query Manager can send out multiple notifications for each document. In the event that multiple communication methods are defined but the data is not necessarily correct or missing, the user running the report could select to use either the first valid address encountered or simply send the password notification to all the defined channels to ensure the user does receive the password notification. The 'Notification behavior' option allows the Query user to select which one of these sending mechanisms to use.
The 'Notification message' settings allow you to configure the subject and content of the message that the recipient of the password notification would receive. The subject field allows you to enter special field values that would be replaced at run-time by Query Manager with some of the run-time fields available. The message editor also allows run-time fields to be added to the message body that would be replaced with values when the Query is run. The most important run-time field from the perspective of the PDF settings is the 'Document password' field, which would be replaced by the actual password configured under the 'Password' group.
IMPORTANT: When a generated password is used to protect documents, the 'Document password' field must be included in the notification message body in order to avoid the case where neither the sender nor the recipient knows what the password is. Query Manager generates random passwords and once the document is protected, the password is discarded from the Query runtime, so if the password is not sent out to a recipient, the document will remain protected and nobody would know what the password is. This is intentionally designed for security purposes.