Objective: To showcase the user and developer experience on using and implementing the SAP GUI Logging Solution for Windows.
About Product: SAP UI Logging for Windows logs/records all the activities/actions a user performs in an SAP GUI transaction code. It logs every input, action and value the user enters on the screen. Based on the logged data we can write our own rules to raise violations. It is a very difficult task to restrict or monitor users through authorization objects on transaction codes by role, level, organizational unit or any other parameter. SAP UIL makes it much easier to monitor access to sensitive transaction codes by users and to identify data leaks.
How it works: Assume that we have a list of transaction codes which are required for the logging.
These transaction codes are maintained in the SAP UIL specific configuration tables and it enables SAP UIL to log the activities happening on that particular transaction code.
Customer can choose any field (any number of fields) on the screen for each transaction code (like company code, Personnel Area) for logging.
For example: let’s assume that a user belongs to Company Code “CCode 1” and is only allowed to view the sales data belonging to their own company code. SAP UIL enables a customer who wants to monitor the activities of all users to get the list of users who are violating this rule.
Whenever the user enters any other company code (which they are not supposed to view) on the transaction code and executes it, SAP UIL logs all the information: transaction code, time, sy-uname, input values etc. Using the log data we can write our own rules to identify the user, their company code, and which company code’s data has been viewed.
The /LOGWIN/IMG transaction code is used for enabling the SAP UIL solution, maintaining the transaction codes and maintaining the mapping for the fields (which are required for the logging) of each transaction code. The data is stored in the following configuration tables.
- /LOGWIN/PARAM – Global Parameters for UI Logging of SAP GUI
- /LOGWIN/CMP_CNF – Configuration for SAPGUI
- /LOGWIN/MAP_FLD – Field Mapping
- /LOGWIN/MAP_FLDT – Field Mapping Texts
- /LOGWIN/MAPVIEW – Mapping for Views
- /LOGWIN/MAPVIEWT – Mapping for View Texts
It is very easy to generate the configuration entries for a transaction code to enable logging. All we have to do is to execute the program ‘/LOGWIN/GENERATE_MAP_ENTRIES’ with the required transaction code.
Once the transaction code is activated for logging, the data logged for every activity on this transaction code is stored in the Temporary/Internal Log Tables.
- /LOGWIN/RECBASIC – Intermediate Log Records
- /LOGWIN/REC_DATA – Storage of Name/Value as Cluster Table
- /LOGWIN/REC_INF – Additional Information for UI Objects
So far we have activated SAP UIL, maintained the transaction code for logging and also stored the internal log. The next step is to convert the internal log to an external log by custom coding.
The external log is nothing but the internal log data refined, filtered, converted and transformed into database tables of the customer’s choice. Creating an own external log table is completely the customer’s choice if the external log provided by SAP UIL doesn’t fit their need. The customer might not be interested in all the logged data; they might only be interested in those fields which help them to raise violations. In the example given in the “How it works” section, logging only the company code field is enough: the customer might want to save the user information and the accessed information in two different tables, then compare the company code in table 1 (the user’s own company code) with the company code in table 2 (the company code the user entered in the transaction code), and raise a violation or trigger an email if the two company codes are not equal. The customer can create multiple database tables; it completely depends on the requirement of how violations are to be raised.
Transaction Code: /LOGWIN/TSF_TO_EXT collects all the internal logs and transforms them into the external log. You can implement a new class and redefine the ‘store_data’ method of /LOGWIN/CL_DATA_HANDLER to implement your own code and save the data in your own database tables. The methods available in this class can be used to determine how you want to arrange the structure of the data.
Example of a simplified structure: all the header information plus a name/value pair table (which contains the fields required for logging and their values). The structure of the data depends on how you want to receive data from the transformation program. Once the internal log is in this simpler structure, further derivations can be done on the available data. An example for this case: you have the user id of the user who accessed the transaction code (sy-uname), but before saving it to the external log the customer wants the details of the user’s immediate manager. That sort of logic can be written in a separate method, considering that it is going to be common to all internal log records.
The following BAdIs will help you to manipulate/change the data or to derive other values during the transformation of the internal log to the external log.
- /LOGWIN/BADI_SAPGUI_LOGGING: The methods available in this BAdI help you restrict the creation of internal logs. For example: if you want to avoid logging all PBO events, you can write your custom code here.
- /LOGWIN/DB_ACCESS_BADI: The methods available in this BAdI help you access the temporary log data, e.g. if you want to avoid the creation of temporary logs based on the data that is going to be stored in /LOGWIN/REC_INF. The information available here is at a very granular level.
Important Programs and Transaction codes:
- Program: /LOGWIN/CLEAR_LOG clears all the logs from the internal log tables.
- Program: /LOGWIN/GENERATE_MAP_ENTRIES generates the configuration entries.
- Transaction code: /LOGWIN/SHOW_LOG is the most useful transaction code for viewing all the logged data stored in the 3 internal log tables on one screen.
- Transaction Code: /LOGWIN/TSF_TO_EXT is used to convert the internal log tables and send or save them to the external log table.
Points to remember:
- Always clear the internal log created by SAP UIL once the transformation (internal log to external log) is done. This greatly reduces the memory consumed by the internal log tables.
- Always clear the external log once the violations are raised, or at least at regular intervals.
- Maintain the user ids in the /LOGWIN/USER table if you want to avoid logging specific users.
- It’s good to have one more table to identify only the users who are required for the logging. This can be a configuration table where you maintain company codes or organizational units; only those users falling under these company codes or org units are then logged. This sort of logic can be implemented before or after the transformation.
- Maintain only those configuration entries which exactly serve your purpose. For example: a transaction code will have multiple subscreens or fields and the customer is only interested in a field on a specific screen; it is much better for performance if we maintain only that information in the configuration table and avoid logging the unnecessary screens.
- Turn off SAP UIL during System Upgrades.
Demo Run with screen shots and explanation:
Activation of SAP UI Logging:
Transaction Code: /LOGWIN/IMG – Check/Tick activates SAP UIL.
Transaction Code: /LOGWIN/IMG – Maintain the transaction code and execute/access the transaction code.
Now execute the program /LOGWIN/GENERATE_MAP_ENTRIES. A lot of configuration entries can be found. Let us take an example of transaction code ‘CJ30’. I am only interested in one screen, so I have deleted the rest of the entries for performance. In this screen/view, I have the field which is required for the logging.
Let us now see what we have in the GUI fields for the above screen. I have removed all the entries/fields which are not required for the logging. I am only interested in POSID, so I have maintained a mapping value for it. You can also see EXCLUDE FIELD; if you select this flag the logging will not happen, but consider that the code will still have to loop over these fields to determine whether each field is required for the logging or not.
Mapping Value: POSID is one of the fields in the external log table. When we are building the name/value pair table during transformation, the user entered value is assigned to the field of the external log table structure; this is like an easy mapping. If the same field appears as BUKRS, CCode or under any other name on the transaction code screens, we can map all these fields to one by giving them a single mapping value.
Transaction Code: /LOGWIN/SHOW_LOG – In the below screen shot you have all the information that is required: transaction code, user name, time stamp, PBO or PAI event.
In the below case, I can tell that the user has used sales order number 13112 in the VA03 tcode. The PAI event actually tells me that the user has executed the transaction.
The below tables are only for information purposes. I want to store all the header information along with the user’s manager personnel number and the user’s company code.
Table 1: User Information:
Table 2: Accessed Information:
If you remember, I have shown you the transaction code CJ30 configuration. I will save the POSID from the internal log, derive the company code from the POSID, and set the parent guid to the same value as the guid in the user information table; I am splitting one structured record into two. Now all I have to do is compare ZDT_LOG_USER-COMPANY_CODE to ZDT_LOG_ACCESS-COMPANYCODE. If these two fields are not equal then we raise a violation.
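The comparison described in the “external log” section and in the two tables above, written as an added ABAP example (not code from SAP UIL or from this post). COMPANY_CODE, COMPANYCODE, POSID and the guid/parent guid relation come from the post; the report name, the local class and the column names UNAME, GUID, PARENT_GUID, TCODE and MANAGER_PERNR are assumptions.

```abap
*& Report ZLOG_CHECK_COMPANY_CODE (assumed name; added example)
*& Assumed columns of the customer's two external log tables:
*&   ZDT_LOG_USER   : GUID, UNAME, COMPANY_CODE, MANAGER_PERNR
*&   ZDT_LOG_ACCESS : PARENT_GUID, TCODE, POSID, COMPANYCODE
REPORT zlog_check_company_code.

TYPES: BEGIN OF ty_row,
         uname         TYPE syuname,
         user_bukrs    TYPE bukrs,
         access_bukrs  TYPE bukrs,
         tcode         TYPE sytcode,
         posid         TYPE ps_posid,
         manager_pernr TYPE persno,
       END OF ty_row,
       ty_rows TYPE STANDARD TABLE OF ty_row WITH EMPTY KEY.

CLASS lcl_violation_check DEFINITION.
  PUBLIC SECTION.
    " Joins user rows to access rows over guid/parent_guid and returns
    " every access whose company code differs from the user's own one.
    CLASS-METHODS find_violations
      RETURNING VALUE(rt_violations) TYPE ty_rows.
ENDCLASS.

CLASS lcl_violation_check IMPLEMENTATION.
  METHOD find_violations.
    DATA lt_rows TYPE ty_rows.
    SELECT u~uname, u~company_code AS user_bukrs,
           a~companycode AS access_bukrs,
           a~tcode, a~posid, u~manager_pernr
      FROM zdt_log_user AS u
      INNER JOIN zdt_log_access AS a ON a~parent_guid = u~guid
      INTO CORRESPONDING FIELDS OF TABLE @lt_rows.
    " Mismatch between the user's company code and the one entered in
    " the transaction code is the violation rule from the post.
    LOOP AT lt_rows INTO DATA(ls_row) WHERE user_bukrs <> access_bukrs.
      APPEND ls_row TO rt_violations.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " List the violations; a productive version would persist them or
  " trigger the e-mail mentioned above instead of writing a list.
  DATA(lt_viol) = lcl_violation_check=>find_violations( ).
  LOOP AT lt_viol ASSIGNING FIELD-SYMBOL(<ls_viol>).
    WRITE: / <ls_viol>-uname, <ls_viol>-tcode, <ls_viol>-posid,
             <ls_viol>-user_bukrs, '->', <ls_viol>-access_bukrs,
             'Manager:', <ls_viol>-manager_pernr.
  ENDLOOP.
```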
I personally experienced how SAP UIL avoided a lot of authorization work and helped in audits. It improves data security, gives great control during audits and helps in identifying data leaks.
SAP UIL captures every action and every round trip; not even a single action is missed. Just by looking at the internal log we can visualize exactly what the user has tried to do, and what and whose data has been viewed.
SAP UIL can give a free hand in accessing transaction codes to users who often have to wait to get proper authorizations, and at the same time customers can monitor all the systems and all access to sensitive information across the organization without even categorizing it.