Storing Personal Information in LDAP/AD or in SAP HR module

LDAP can store sensitive information, but it is not recommended to store sensitive personal information in LDAP from a security point of view. This information should go to some HR information system like SAP HR module, or you can also develop a middleware to store this information securely. You can use EMP ID to track this information back to middleware or LDAP.

Storage Options for Personal Information

When designing enterprise systems, you have several options for storing employee personal data ?

LDAP/Active Directory Approach

LDAP (Lightweight Directory Access Protocol) and Active Directory are primarily designed for authentication and basic user attributes. While they can store personal information, they lack advanced security features required for sensitive HR data like salary details, performance reviews, or confidential personal information.

SAP HR Module Approach

The SAP HR module provides robust security, audit trails, and compliance features specifically designed for human resources data. It offers role-based access control and encryption for sensitive employee information.

* SAP HR Infotype example for employee personal data
INFOTYPES: 0002.  " Personal Data
DATA: p0002 TYPE p0002.

SELECT SINGLE * FROM pa0002 INTO p0002
  WHERE pernr = '12345'
  AND begda LE sy-datum
  AND endda GE sy-datum.

Middleware Integration Example

A common approach is using Employee ID as a reference key between systems ?

<EmployeeReference>
   <LDAP_ID>john.doe</LDAP_ID>
   <EMP_ID>12345</EMP_ID>
   <HR_System>SAP_HR</HR_System>
   <PersonalData_Location>Secure_Middleware</PersonalData_Location>
</EmployeeReference>

Conclusion

For enterprise security, store authentication data in LDAP/AD and sensitive personal information in dedicated HR systems like SAP HR module, linking them through Employee IDs for proper data segregation and security compliance.