ARIS Data Protection (GDPR)
ARIS Data Protection (GDPR)
Contents
Contents ........................................................................................................................................................... I
3 Glossary ................................................................................................................................................. 20
4 Legal information................................................................................................................................. 21
4.1 Documentation scope............................................................................................................ 21
4.2 Support ..................................................................................................................................... 21
I
DATA PROTECTION (GDPR)
1
DATA PROTECTION (GDPR)
2
DATA PROTECTION (GDPR)
3
DATA PROTECTION (GDPR)
1.6 Collaboration
The user name is stored in Collaboration when a user creates a group, is coordinator of a
group, follows a group, likes a post, or writes a comment. These entries can be anonymized for
deleted users (page 8).
Warning
If you delete log files (page 16), Software AG might no longer be able to support you in order to
resolve software problems.
4
DATA PROTECTION (GDPR)
1.9 PPM
PPM Administration stores user names and E-Mail addresses to assign user privileges in PPM.
However, the user administration for PPM is handled by ARIS Administration and already
described above. PPM log files may contain private data of ARIS users, such as IP addresses,
MAC addresses, or user names. In order to comply with the General Data Protection
Regulation (GDPR), please refer to the PPM Operation Guide. This guide explains in detail
what kind of personal data is used and stored:
User data is managed centrally in the User Management Component (UMC) of PPM. When
creating users manually, the following data is mandatory:
§ User name
§ First name
§ Last name
User data is also stored in the PPM Administration component to assign user privileges for
PPM application and the imported process data. The following additional personal data can be
stored:
§ E-Mail address
If users imported or synchronized using LDAP, additional personal data can be stored:
§ Telephone number
§ LDAP DN
§ ID
§ Picture
The User Management Component creates audit logs in an attached database. This provides a
history of changes to functions, licenses, and access rights. For this purpose, user names and
IP addresses are logged.
Even if users were deleted, user names are stored in a hidden attribute together with the time
of deletion in order to log the changes. The hidden attributes are automatically deleted when
upgrading to a new major version of the ARIS Infrastructure. These entries can be
anonymized for deleted users.
User privileges related to PPM are managed in the PPM Administration. Here the following
information is available for each user:
Mandatory:
§ Name (User Name from above)
Optional:
§ First Name
§ Last Name
5
DATA PROTECTION (GDPR)
§ E-mail address
User names and IP addresses are also stored for several purposes in log files: audit and trace
logs for all components.
In addition, user names are also available in the PPM database to store the above mentioned
PPM privileges, which are not available in UMC.
As a business process monitoring and analysis tool, PPM might also import personal data from
processes extracted from external source systems such as SAP, CSV files, or database
systems. These processes might contain personal information from which you can identify a
person involved in the process monitored. This information depends on the data extracted
from the source system and is subject to the customizing model used for this source system.
6
DATA PROTECTION (GDPR)
7
DATA PROTECTION (GDPR)
Prerequisite
You have the User administrator function privilege.
Warning
Do not delete your system user. Having more than one system user can avoid problems. If
your single system user was deleted accidentally, create a new one by using the superuser.
The superuser cannot be deleted.
If you delete the default users system, arisservice, and guest, the Generate, if not available
option (ARIS Administration > Configuration > User management > Users >) is
automatically disabled and the users are no longer generated at startup with the last saved
password until you manually enable the option again. The superuser can recreate the other
default users (system, arisservice, guest) if they were deleted.
Procedure
1. Click Application launcher > Administration. ARIS Administration opens.
8
DATA PROTECTION (GDPR)
Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS must be running.
§ ARIS Server installation
§ Users need the function privileges License administrator, User administrator,
Technical configuration administrator.
§ Users need to login as superuser or they need either an ARIS Architect license or an
ARIS UML Designer license.
Procedure
1. Open a Command Prompt and navigate to:
ARIS installation path>/server/bin/work/word_umcadmin_< your installation size, for
example, s,m, or l>/tools/bin for Windows® operating systems
and
ARIS installation path>/cloudagent/bin/work/word_umcadmin_< your installation size,
for example, s,m, or l>/tools/bin for Linux operating systems.
2. Enter this command to import all documents into ARIS document storage of each tenant
you use, for example, default:
y-tenantmgmt.bat -t <URL of the server> anonymize -u <user name> -p <password>
-type user.
If a user group is deleted, the type is user group.
If the port used is other than the default ports 80 or 1080, add the port to the URL.
The audit logs are anonymized.
9
DATA PROTECTION (GDPR)
Warning
Make sure to only anonymize deleted users. If you anonymize existing users, the user names
are anonymized in all attributes, such as Creator, Last modifier, and the user names in
change list descriptions.
Prerequisites
§ ARIS Server Administrator is installed.
§ You know the credentials of the superuser, or you have the Server administrator function
privilege.
§ The database must be locked for other users.
Procedure
1. Click Start > Programs > ARIS > Administration > ARIS Server Administrator 10.0 if
you accepted the program group suggested by the installation program. Under a Linux
operating system, execute the arisadm.sh shell script instead. To do so, enter: su -c
arisadm.sh aris10. The command prompt opens and ARIS Server Administrator is
launched in interactive mode.
2. Establish a connection to the server and tenant:
Syntax: server <server name>:<port number> <tenant> <user name> <password>
Example: server arissrv:1080 default system manager
3. Enter: userwipeout <dbname>|all <user>,<user>
User identifications of one or multiple users are deleted from one or all databases. The
attributes Last modifier, Creator, and the user name in change list descriptions is set to
unknown.
10
DATA PROTECTION (GDPR)
Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS must be running.
§ The user you want to use to execute the anonymization must have write privileges.
Procedure
1. Open a Command Prompt and navigate to:
<ARIS installation path>/server/bin/work/work_apg_< your installation size, for example,
s,m, or l>/tools/bin for Windows® operating systems
and
/home/ARIS/cloudagent/bin/work/work_apg_< your installation size, for example, s,m,
or l>/tools/bin for Linux operating systems.
2. Enter this command to import all documents into ARIS document storage of each tenant
you use, for example, default:
y-admintool.bat -s <URL of ARIS document storage> -t <tenant name> anonymize -u
<user name> -p <password>.
If the port used is other than the default ports 80 or 1080, add the port to the URL.
The users are anonymized.
Please note:
If you delete only one user from the user list or from user groups that have access to the
folder and then anonymize the folder data, all actions related to the folder data are
anonymized. This means that the anonymization does not affect the data of the deleted user
only.
Before you delete a user, get the user ID of a specific user from the user details in the user
management.
In this case, add the following parameter with y-admintool.bat or y-admintool.sh:
-ownerName <owner of the folder> -ownerType USER
11
DATA PROTECTION (GDPR)
Prerequisites
§ The user was deleted in ARIS Administration.
§ ARIS Server is running.
Procedure
1. Open a Command Prompt and navigate to:
<ARIS installation path>/server/bin/work/work_apg_<s,m, or l>/tools/bin for Windows®
operating systems
or:
/home/ARIS/cloudagent/bin/work/work_apg_<s,m, or l>/tools/bin for Linux operating
systems.
2. Enter this command to import all documents into ARIS document storage of each tenant
you use, for example, default:
y-ageclitool.bat --apg <Process Governance endpoint> -ht <ID of the human task>
-p <password of the executer> * -t <tenant name> -umc <user management
endpoint> -u <user name of the executer>
The user name is replaced by the string anonymous.
12
DATA PROTECTION (GDPR)
Prerequisites
The user was deleted in ARIS Administration.
Procedure
1. Start ARIS Cloud Controller.
ACC is a command-line tool (see ARIS Cloud Controller (ACC) Command-Line Tool.pdf
(../../documents/3 Installation/31 Initial installation/312 Server/3121 Basic (Single
node)/ARIS Cloud Controller (ACC) Command-Line Tool.pdf)) for administrating and
configuring an ARIS installation. It communicates with ARIS Agents on all nodes.
To start ACC under a Windows operating system click Start > All Programs > ARIS >
Administration > Start ARIS Cloud Controller. If you have changed agent user
credentials you must enter the user name and/or the password.
To start ACC under a Linux operating system, execute the acc10.sh shell script instead.
To do so, enter: su -c acc10.sh aris10.
To get information about the usage of ACC commands, enter help or help <command>.
2. To anonymize, for example, the deleted y4711 user on ecp_m on the default tenant,
enter:
invoke anonymizeUser on ecp_m user.list="y4711" tenant.id="default"
Collaboration synchronizes every 24 hours. That means that the anonymization is not
immediately visible.
Activities of this Collaboration user, such as posts, comments, groups, are shown with
Anonymized user instead with the y4711 user name. If several users are anonymized a
number is added, such as Anonymized user 2.
13
DATA PROTECTION (GDPR)
Procedure
1. Open your browser and enter the URL:
syntax: http://<server name>:<port>/acc/ui
for example
http://aris10srv.eur.co.umg:1080/acc/ui
The infrastructure tenant's login dialog opens. The tenant cannot be changed. Having
performed a standard installation, the master tenant is the infrastructure tenant by
default.
2. Select the interface language.
3. Enter the system user's or the superuser's credentials.
4. Click Log in. The infrastructure tenant's node view is displayed. It gives an overview on
the node's runnables.
5. If you want to collect all log files, click More > Download log files.
6. If you want to collect log files of a specific runnable, move the mouse pointer to the
related row and click Download log file.
A ZIP archive created to be opened or saved.
If you cannot solve the problems and have a maintenance agreement, please send an error
description and the ZIP archives containing collected log files as well as the entire contents of
the log and config directories to the ARIS Global Support via Empower
(https://www.softwareag.com/corporate/services/support/default).
14
DATA PROTECTION (GDPR)
Procedure
1. Start ARIS Cloud Controller.
ACC is a command-line tool (see ARIS Cloud Controller (ACC) Command-Line Tool.pdf
(../../documents/3 Installation/31 Initial installation/312 Server/3121 Basic (Single
node)/ARIS Cloud Controller (ACC) Command-Line Tool.pdf)) for administrating and
configuring an ARIS installation. It communicates with ARIS Agents on all nodes.
To start ACC under a Windows operating system click Start > All Programs > ARIS >
Administration > Start ARIS Cloud Controller. If you have changed agent user
credentials you must enter the user name and/or the password.
To start ACC under a Linux operating system, execute the acc10.sh shell script instead.
To do so, enter: su -c acc10.sh aris10.
To get information about the usage of ACC commands, enter help or help <command>.
2. To collect log files, for example related to the abs_l runnable, enter:
collect log files for abs_l
To collect all log files, enter:
collect log files
or
collect logfiles
You can use additional parameters. To get information about the usage of ACC
commands, enter help or help <command>.
All log files are stored as a ZIP archive.
If you cannot solve the problems and have a maintenance agreement, please send an error
description and the ZIP archives containing collected log files as well as the entire contents of
the log and config directories to the ARIS Global Support via Empower
(https://www.softwareag.com/corporate/services/support/default).
15
DATA PROTECTION (GDPR)
Warning
If you delete log files (page 16), Software AG might no longer be able to support you in order to
resolve software problems.
In order to delete all log files, you must stop the related runnables to allow unhindered access
to all files. If you do not stop the runnables, some files may be locked and cannot be deleted.
Procedure
1. Start ARIS Cloud Controller (ACC).
2. To delete log files, for example related to the abs_l runnable, enter: delete log files for
abs_l
To delete all log files, enter: delete log files or delete logfiles
All log files that are not accessed by a runnable are deleted. Log files that were not deleted
are listed.
16
DATA PROTECTION (GDPR)
Prerequisites
You have the System administrator role.
Procedure
1. Start ARIS Risk and Compliance.
5. Click Edit in the row of the parameter you want to change. The Specify parameter
value dialog opens.
6. Copy the current value to the New value box.
7. Make the relevant changes, for example, change the value that is to be displayed for the
user ID.
8. Click OK.
The changes are immediately applied and stored in the database.
Click Reset in the row of the relevant parameter to reset the default value.
Now you can anonymize (page 18) users in ARIS Risk and Compliance.
17
DATA PROTECTION (GDPR)
Prerequisites
§ You have the System administrator role.
§ You have the ARCM administrator and the User administrator function privileges.
Procedure
1. Start ARIS Risk and Compliance.
2. Click Administration.
3. Click System management > Users. The list is displayed.
4. Select the option Yes for the Deactivated filter and click Apply filter. The
deactivated users are displayed.
5. Click the name of the user whose user data you want to anonymize. The form is displayed.
Example
A dismissed employee is deleted from ARIS Administration. Then the user data in ARIS Risk
and Compliance is refreshed with user data based on ARIS Administration/User Management
(Synchronize users with ARIS Administration/User Management). The user data is
deactivated in ARIS Risk and Compliance. However, there is still data containing the name of
this user, such as objects the user edited. This user data must be anonymized.
18
DATA PROTECTION (GDPR)
PPM DATABASE
Deleting a user from UMC will not automatically delete the user in PPM. You must delete the
user also in PPM. To do this, go to the PPM Administration –> User Privileges section, select
the user, and delete it. This will automatically delete the user also in the PPM database and all
his related assignments (process access rights, favorites etc.).
Warning
If you delete the log files, all logged data is lost and cannot be restored.
PROCESS DATA
You can disguise personal data embedded in process data to import into PPM. PPM provides
functionality for encoding special attributes and fields that contain personal data to be
extracted from the source system. The data is not visible in plain text in PPM afterwards. You
can revert this pseudonymization by providing the correct encryption key in the PPM UI. The
procedure is accessible only to PPM system administrators.
Note that after importing the process data and external data into PPM, you can no longer
change the included personal data. You must configure pseudonymization before importing.
19
DATA PROTECTION (GDPR)
3 Glossary
In the glossary you will find explanations of basic technical terms.
GDPR
The General Data Protection Regulation (GDPR) protects individuals’ personal data within the
European Union. It also regulates the export of personal data outside the EU. GDPR is a
regulation by the European Parliament, the Council of the European Union, and the European
Commission.
PERSONAL DATA
Any information related to an identified or identifiable data subject, such as a natural person.
CONTROLLER
Determines the purpose and means of processing personal data. (Role according to article 4
of the GDPR.)
PROCESSOR
Processes personal data on behalf of the controller (page 20). (Role according to article 4 of
the GDPR.)
20
DATA PROTECTION (GDPR)
4 Legal information
4.2 Support
If you have any questions on specific installations that you cannot perform yourself, contact
your local Software AG sales organization
(https://www.softwareag.com/corporate/company/global/offices/default.html). To get
detailed information and support, use our websites.
If you have a valid support contract, you can contact Global Support ARIS at: +800
ARISHELP. If this number is not supported by your telephone provider, please refer to our
Global Support Contact Directory.
21
DATA PROTECTION (GDPR)
ARIS COMMUNITY
Find information, expert articles, issue resolution, videos, and communication with other ARIS
users. If you do not yet have an account, register at ARIS Community.
PRODUCT DOCUMENTATION
You can find the product documentation on our documentation website.
In addition, you can also access the cloud product documentation. Navigate to the desired
product and then, depending on your solution, go to Developer Center, User Center or
Documentation.
PRODUCT TRAINING
You can find helpful product training material on our Learning Portal.
TECH COMMUNITY
You can collaborate with Software AG experts on our Tech Community website. From here
you can, for example:
§ Browse through our vast knowledge base.
§ Ask questions and find answers in our discussion forums.
§ Get the latest Software AG news and announcements.
§ Explore our communities.
§ Go to our public GitHub and Docker repositories and discover additional Software AG
resources.
PRODUCT SUPPORT
Support for Software AG products is provided to licensed customers via our Empower Portal
(https://empower.softwareag.com/). Many services on this portal require that you have an
account. If you do not yet have one, you can request it. Once you have an account, you can,
for example:
§ Download products, updates and fixes.
§ Add product feature requests.
§ Search the Knowledge Center for technical information and tips.
§ Subscribe to early warnings and critical alerts.
§ Open and update support incidents.
22