Objective: To showcase the user and developer experience of using and implementing the SAP GUI Logging Solution for Windows.
About Product: SAP UI Logging for Windows records every activity a user performs in an SAP GUI transaction code: each input, action and user-entered value on the screen. Based on the logged data we can write our own rules to raise violations. Restricting or monitoring users purely through authorization objects, per transaction code and per role, level, organizational unit or any other parameter, is a very difficult task. SAP UIL makes it much easier to monitor which users access sensitive transaction codes and to identify data leaks.
How it works: Assume that we have a list of transaction codes which require logging.
These transaction codes are maintained in the SAP UIL specific configuration tables, which enables SAP UIL to log the activities happening on each of those transaction codes.
The customer can choose any field, or any number of fields, on the screen of each transaction code (for example Company Code or Personnel Area) for logging.
For example, assume that a user belongs to Company Code "CCode 1" and is only allowed to view sales data belonging to their own company code. SAP UIL enables a customer who wants to monitor the activities of all users to obtain the list of users who violate this rule.
Whenever the user enters any other company code (one they are not supposed to view) in the transaction code and executes the sales report, SAP UIL logs all the information: transaction code, time, sy-uname, input values and so on. Using the log data we can write our own rules to identify the user, their company code, and which company code's data was viewed.
Configuration:
The /LOGWIN/IMG transaction code is used to enable the SAP UIL solution, maintain the transaction codes to be logged, and maintain the mapping for the fields of each transaction code that are required for logging. The data is stored in the following configuration tables.
Generating the configuration entries for a transaction code to enable logging is very easy: execute the program /LOGWIN/GENERATE_MAP_ENTRIES with the required transaction code.
Internal Log:
Once logging is activated for a transaction code, every activity on that transaction code is stored in the Temporary/Internal Log Tables.
External Log:
So far we have activated SAP UIL, maintained the transaction code for logging and stored the internal log. The next step is to convert the internal log into the external log by custom coding.
The external log is nothing but the internal log data refined, filtered, converted and transformed into a database table of the customer's choice. Creating the external log table is entirely the customer's choice if the external log provided by SAP UIL does not fit their needs. The customer may not be interested in all the logged data; they may only be interested in the fields that help them raise violations. In the example given in the "How it works" section, logging only the company code field is enough. The customer might want to save the user information and the accessed information in two different tables, then compare the company code in table 1 (the user's own company code) with the company code in table 2 (the company code the user entered in the transaction code) and raise a violation or trigger an email if the two company codes are not equal. The customer can create multiple database tables; it depends entirely on the requirement for how violations are raised.
Transaction code /LOGWIN/TSF_TO_EXT collects all the internal logs and transforms them into the external log. You can implement a new class and redefine the 'store_data' method of /LOGWIN/CL_DATA_HANDLER to run your own code and save the data in your own database tables. The other methods available in this class can be used to determine how you want to arrange the structure of the data.
Example of a simplified structure: all the header information together with a name/value pair table, which contains each field required for logging and its value. The structure of the data depends on how you want to receive data from the transformation program. Once the internal log is in this simpler structure, further derivations can be made on the available data. For example, you have the user id of the user who accessed the transaction code (sy-uname), but before saving it to the external log the customer wants the details of the user's immediate manager; that sort of logic can be written in a separate method, since it will be common to all internal log records.
BADIs:
The following BADIs help you manipulate or change the data, or derive any other value, during the transformation of the internal log into the external log.
Important Programs and Transaction codes:
Points to remember:
Demo Run with screen shots and explanation:
Activation of SAP UI Logging:
Transaction Code: /LOGWIN/IMG – ticking the checkbox activates SAP UIL.
Configuration:
Transaction Code: /LOGWIN/IMG - maintain the transaction code, then execute/access the transaction code.
Now execute the program /LOGWIN/GENERATE_MAP_ENTRIES. A lot of configuration entries will be generated. Let us take transaction code 'CJ30' as an example. I am only interested in one screen, so I have deleted the rest of the entries for performance. This screen/view contains the field that is required for logging.
Let us now look at the GUI fields for the above screen. I have removed all the entries/fields which are not required for logging. I am only interested in POSID, so I have maintained a mapping value for it. You can also see EXCLUDE FIELD: if you select it, the field is not logged, but note that the code still has to loop over these fields to determine whether each one is required for logging or not.
Mapping Value: POSID is one of the fields in the external log table. When the name/value pair table is built during transformation, the user-entered value is assigned to the field of the external log structure with that name; this is an easy way of mapping. If the same field appears as BUKRS, CCode or any other name in different transaction codes, all of them can be mapped to one field by giving them a single mapping value.
Internal Logs:
Transaction Code: /LOGWIN/SHOW_LOG - The screenshot below contains all the information that is required: transaction code, user name, time stamp, and PBO or PAI event.
In the case below, I can tell that the user used sales order number 13112 in transaction code VA03. The PAI event tells me that the user actually executed the transaction.
External Logs:
The tables below are for information purposes only. I want to store all the header information along with the user's manager personnel number and the user's company code.
Table 1: User Information:
Table 2: Accessed Information:
If you remember, I showed you the transaction code CJ30 configuration earlier. I save the POSID from the internal log and derive the company code from the POSID. The parent guid in the accessed information table is the same as the guid in the user information table, because I am splitting one structured record into two. Now all I have to do is compare ZDT_LOG_USER-COMPANY_CODE with ZDT_LOG_ACCESS-COMPANYCODE. If these two fields are not equal, we raise a violation.
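To make the transformation and rule described above concrete, here is an added example (not code from the blog post or from SAP UIL): a Python model of a custom store_data transformation that splits constructed internal-log records into ZDT_LOG_USER and ZDT_LOG_ACCESS rows linked by guid/parent_guid, and then applies the company-code comparison. The master data (USER_MASTER, POSID_COMPANY) and the internal-log records are constructed assumptions; in a real system they would come from HR/PS tables and the SAP UIL internal log.

```python
import uuid

# Constructed master data (assumptions, not SAP tables): user -> manager
# personnel number and company code; WBS element (POSID) -> company code.
USER_MASTER = {
    "JSMITH": {"manager_pernr": "00001234", "company_code": "CC01"},
    "AKHAN": {"manager_pernr": "00005678", "company_code": "CC02"},
}
POSID_COMPANY = {"P-1000": "CC01", "P-2000": "CC02"}

# Constructed internal-log records: header fields plus the name/value pairs
# produced by the POSID mapping value described in the post.
INTERNAL_LOG = [
    {"tcode": "CJ30", "uname": "JSMITH", "ts": "20240101120000", "event": "PAI",
     "pairs": {"POSID": "P-2000"}},
    {"tcode": "CJ30", "uname": "JSMITH", "ts": "20240101120100", "event": "PBO",
     "pairs": {"POSID": "P-2000"}},  # PBO only: screen displayed, not executed
    {"tcode": "CJ30", "uname": "AKHAN", "ts": "20240101120200", "event": "PAI",
     "pairs": {"POSID": "P-2000"}},
]

def transform(internal_log):
    """Model of a redefined store_data: split each executed (PAI) internal
    record into a ZDT_LOG_USER row and a ZDT_LOG_ACCESS row linked by guid."""
    zdt_log_user, zdt_log_access = [], []
    for rec in internal_log:
        if rec["event"] != "PAI":  # PBO round trips are not executions
            continue
        guid = uuid.uuid4().hex
        user = USER_MASTER[rec["uname"]]
        zdt_log_user.append({
            "guid": guid, "tcode": rec["tcode"], "uname": rec["uname"],
            "ts": rec["ts"], "manager_pernr": user["manager_pernr"],
            "company_code": user["company_code"]})
        posid = rec["pairs"].get("POSID", "")  # derive company code from POSID
        zdt_log_access.append({
            "parent_guid": guid, "posid": posid,
            "companycode": POSID_COMPANY.get(posid, "")})
    return zdt_log_user, zdt_log_access

def violations(zdt_log_user, zdt_log_access):
    """Rule from the post: ZDT_LOG_USER-COMPANY_CODE must equal
    ZDT_LOG_ACCESS-COMPANYCODE; every mismatch is a violation."""
    users = {u["guid"]: u for u in zdt_log_user}
    found = []
    for acc in zdt_log_access:
        usr = users[acc["parent_guid"]]
        if usr["company_code"] != acc["companycode"]:
            found.append((usr["uname"], usr["company_code"], acc["posid"], acc["companycode"]))
    return found
```

Filtering on the PAI event mirrors the point made for the VA03 example: a PBO-only round trip shows the screen was displayed, not that data was executed or viewed.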
Conclusion:
I personally experienced how SAP UIL avoided a lot of authorization work and helped in audits. It improves data security, gives great control during audits and helps in identifying data leaks.
SAP UIL captures every action and every round trip; not a single action is missed. Just by looking at the internal log we can see exactly what the user tried to do, and what and whose data was viewed.
SAP UIL can give users, who otherwise often wait for proper authorizations, a free hand in accessing transaction codes, while at the same time customers can monitor all systems and all access to sensitive information across the organization without having to categorize it.