Skip to Content

The Read Access Logging (RAL) tool allows you to monitor and log read access to sensitive data. It covers the following SAP technologies.

– RFC

– Webservices

– Web Dynpro ABAP

– Dynpro (SAP GUI)

RAL can be accessed using the SAP transaction SRALMANAGER. There are mainly two components of RAL, an Administration part and a Monitor part.

In this document I will briefly explain about the Recording functionality in RAL.

Step 1

Login ECC and go to transaction sralmanager.


/wp-content/uploads/2014/09/pic1_551170.jpg

RAL will get displayed in the browser. Select ‘Recordings’.

/wp-content/uploads/2014/09/pic2_551174.jpg

Step 2

Click on Create button.

/wp-content/uploads/2014/09/pic3_551175.jpg

Enter the channel, give Recording name and description.

/wp-content/uploads/2014/09/pic4_551176.jpg

It would be in recording mode when you click on Create button, if not select the Play button.

/wp-content/uploads/2014/09/pic5_551177.jpg

Now go to the ECC and enter transaction which you are recording.

Pic6.jpg

Select the field to be recorded and CTRL+RIGHT CLICK. Then select Record field under Read Access Logging in the context menu.

/wp-content/uploads/2014/09/pic7_551181.jpg

You will get a message saying that “Field ‘RFKI1-GPART’ has been added to the recording ‘FPI1’ “

If you are re-recording then the following message will be displayed.

Pic8.jpg

After recording the relevant fields, go back to SRALMANAGER and stop the corresponding recording.

/wp-content/uploads/2014/09/pic9_551183.jpg

To view the details of recording use the Lens button.

/wp-content/uploads/2014/09/pic10_551184.jpg

List of recorded fields will be displayed as below.

Pic11.jpg

Step 3

For configuring details such as log domain, log context of the recorded fields click on Configuration in RAL.

Pic12.jpg

Search the already existing configuration by providing the recording name. If does not exist create new configuration

/wp-content/uploads/2014/09/pic13_551163.jpg

Create Log group.

/wp-content/uploads/2014/09/pic14_551164.jpg

Drag and drop the recorded fields from the field list to Log group.

/wp-content/uploads/2014/09/pic15_551189.jpg

You can add the log domain by searching corresponding field.

/wp-content/uploads/2014/09/pic16_551190.jpg

Now Save as Active. Done with the recording.

/wp-content/uploads/2014/09/pic17_551191.jpg

/wp-content/uploads/2014/09/pic18_551192.jpg

Step 4

To test the recorded transaction, go to the tcode and enter values to the recorded fields.

/wp-content/uploads/2014/09/pic19_551193.jpg

/wp-content/uploads/2014/09/pic20_551194.jpg

Once the values have entered go to RAL and select the second tab Monitor.

/wp-content/uploads/2014/09/pic21_551195.jpg

Click Read Access Log and enter the user name and date/time in the search criteria.

/wp-content/uploads/2014/09/pic22_551196.jpg

You can find the list of entries with the recorded values of the user.

/wp-content/uploads/2014/09/pic23_551197.jpg

Select the entry based on time and you can see the values entered in the transaction.

/wp-content/uploads/2014/09/pic24_551198.jpg

These are the steps involved in RAL to track and monitor the transactions.

To report this post you need to login first.

17 Comments

You must be Logged on to comment or reply to a post.

  1. Narayanan k.b

    Nice Document .

    Is there any way available to measure the performance implication of the same?
    I mean where the logs are stored and its growth etc .

    Thanks

    (0) 
  2. sylvester daudu

    Hi Nandakumar,

    Thank for your piece on adding a transaction code to RAL. I enjoyed it.

    Please could you help clear the below?

    I thought, we normally unchecked the Without Condition Check box to define, and assign conditions and expressions during configurations?

    By default, Without Condition is checked, meaning no condition and expressions are defined. If a log group contains no conditions, then every read access to the recorded fields in the log group is logged. This is mostly used when we want to record every access to data like viewing table with values. E.g. accessing PA0002 table via SE16.  Am I right?

    Please what happened to the Without condition checked box for transaction code e.g. FPI1 you illustrated with?

    Also, please, how did you identified the corresponding field to be searched to add the log domain?  At what stage or window is this search performed to add the log domain?

    In your example, do you have existing log Domain that you associate FPI1 to?

    I thought is advisable to create log domain before recording and Configuration, so that we can associate the Log Domain appropriately.

     

    Thanks

    Sylvester

     

    (0) 

Leave a Reply