PPM Administration stores user names and E-Mail addresses to assign user privileges in PPM. However, the user administration for PPM is handled by Administration ARIS and already described above. PPM log files may contain private data of ARIS users, such as IP addresses, MAC addresses, or user names. In order to comply with the General Data Protection Regulation (GDPR), please refer to the PPM Operation Guide. This guide explains in detail what kind of personal data is used and stored:
User data is managed centrally in the User Management Component (UMC) of PPM. When creating users manually, the following data is mandatory:
User name
First name
Last name
User data is also stored in the PPM Administration component to assign user privileges for PPM application and the imported process data. The following additional personal data can be stored:
E-Mail address
If users imported or synchronized using LDAP, additional personal data can be stored:
Telephone number
LDAP DN
ID
Picture
The User Management Component creates audit logs in an attached database. This provides a history of changes to functions, licenses, and access rights. For this purpose, user names and IP addresses are logged.
Even if users were deleted, user names are stored in a hidden attribute together with the time of deletion in order to log the changes. The hidden attributes are automatically deleted when upgrading to a new major version of the ARIS Infrastructure. These entries can be anonymized for deleted users.
User privileges related to PPM are managed in the PPM Administration. Here the following information is available for each user:
Mandatory:
Name (User Name from above)
Optional:
First Name
Last Name
E-mail address
User names and IP addresses are also stored for several purposes in log files: audit and trace logs for all components.
In addition, user names are also available in the PPM database to store the above mentioned PPM privileges, which are not available in UMC.
As a business process monitoring and analysis tool, PPM might also import personal data from processes extracted from external source systems such as SAP, CSV files, or database systems. These processes might contain personal information from which you can identify a person involved in the process monitored. This information depends on the data extracted from the source system and is subject to the customizing model used for this source system.