
Introduction:

Read Access Logging (RAL) is a powerful tool for securing data. With this out-of-the-box SAP solution, you can monitor data that is accessed via the SAP Dynpro, Web Dynpro, RFC and Web service channels.

 

In this document, I share a step-by-step guide to configuring RAL for a Dynpro application. Please check SAP Note 1969086 for release information on Read Access Logging. You need specific roles to configure the application.


Steps to configure Dynpro application:

1. Open the Read Access Logging screen with transaction code SRALMANAGER

     /wp-content/uploads/2015/05/1_705284.png

 

2. Click on Logging Purposes

Note: A logging purpose is a way to classify each log entry. For example, “Privacy” or “Finance records”.

    

3. Click on “Create”

4. Enter data and click on “Create” to close the pop-up

/wp-content/uploads/2015/05/3_705286.png

5. You can see the new purpose in the “Purposes” screen. You can delete it or change its name and description.

     Note: You may want to re-use an existing “purpose” for your configuration.

     /wp-content/uploads/2015/05/4_705287.png     

6. Go back to the home screen and click on “Log domains”

     /wp-content/uploads/2015/05/5_705288.png

 

7. Click on “Create”

     Note: This is where you define the semantic identification of data, before the actual fields and rules are defined.

 

8. Enter data in the fields below and click on “Create” to close the pop-up

     /wp-content/uploads/2015/05/6_705289.png

9. You will see the newly created domain in the “Log Domains” screen

     /wp-content/uploads/2015/05/7_705290.png

10. Come back to the home screen.

 

11. If you want to configure Read Access Logging for “SAP GUI screens” or “WebDynpro” screens, you must record the fields of those screens before the actual configuration. To do that, click on “Recordings”

     Note: This step is not required for RFC or Web-service channel.

     /wp-content/uploads/2015/05/8_705291.png

 

12. Click on “Create” to start a new recording.

 

13. Select the “Channel” from the drop-down and enter a new name for the recording, as shown below.

     /wp-content/uploads/2015/05/9_705292.png

14. Click on “Create” to close the pop-up. As you can see in the “State” column, the recording is now active for the system (all SAP GUI transactions/screens)

     /wp-content/uploads/2015/05/10_705293.png

15. Go to the application (SAP Dynpro) for which you want to enable Read Access Logging. In this guide, we configure RAL for a small application that shows Salary/PII data for a given Employee ID.

 

16. Input screen: Do “Ctrl+Right Click” on the input field to record it.

      /wp-content/uploads/2015/05/11_705294.png

 

17. Output screen: Do “Ctrl+Right Click” on each field that you want to record.

     /wp-content/uploads/2015/05/12_705295.png

 

18. You can use the “Remove field from Recording” option to remove a field from the recording.

Note: You do not need to press “Ctrl” for table columns. Also, no additional configuration or development is required to get the “Record Field” option in the context menu.

 

19. Go back to SRALMANAGER or the “Recordings” screen of Read Access Logging and turn off “Recording” by clicking on the “stop” icon (the State changes to “Finished”)

/wp-content/uploads/2015/05/13_705296.png

 

20. You can click on   icon to start recording once again.

 

21. Click on “Open Recording” or   icon. You will notice all fields that you recorded are now available here along with technical paths.

      /wp-content/uploads/2015/05/14_705297.png

 

22. Come back to home screen and click on “Configuration”

     /wp-content/uploads/2015/05/16_705298.png

23. Select “Dynpro” from the channel drop-down

     /wp-content/uploads/2015/05/18_705299.png

 

24. Click on “Create” to create a new configuration. Select the new recording that you created and click on “create” to close the pop-up

      /wp-content/uploads/2015/05/19_705300.png

 

25. You will see a screen like the one below

     /wp-content/uploads/2015/05/20_705301.png

 

25.1. Log Context:

The log context is the UI element that other UI elements within the logging session depend on.

SAP help link for more details:

https://help.sap.com/saphelp_nw74/helpdata/en/fd/4d2551b7dd2314e10000000a44176d/content.htm

 

25.2. Log Groups:

List of fields for which you want to enable read access logging

25.3. Conditions:

You can apply conditions to read logging. Example: exclude user ABCUSER from logging

25.4. Field List:

List of fields that you recorded (or list of interface parameters in case of RFC or Webservice), Messages, Ok Codes and system fields for user name, screen title and transaction code

 

26. Create new context by clicking on “create” icon

 

27. Enter the details below and click on ‘create’ to close the pop-up

      /wp-content/uploads/2015/05/22_705303.png

28. Drag and drop the fields from “Field list” to Log context

     /wp-content/uploads/2015/05/23_705304.png

Select ‘Input’ from dropdown (or whichever is appropriate for your application)

     /wp-content/uploads/2015/05/24_705305.png

 

29. Click on ‘Save as Inactive’

 

30. Click on “create” under Log Group section to create new log group

 

31. Enter the data below and select the Log purpose that you created (or an existing one). Click on create to close the pop-up.

      /wp-content/uploads/2015/05/27_705309.png

 

32. Drag and drop the fields that you want to log. You can do this for all the fields that you recorded and for the system fields.
Note: You do not need to log fields here that were already added to the Log Context.

      /wp-content/uploads/2015/05/28_705310.png

As shown above, you can select “Without Value” if you don’t want to log the data that was accessed.
Set the field type based on the application UI field.
Choose the correct Log Domain.
With “Exclude if initial”, the field is not logged if its value is initial, which saves space in the database.

 

33. Click on “Save as active” button

     /wp-content/uploads/2015/05/29_705311.png

 

34. Now, click on “create” button under “Conditions” section

 

35. Enter the data below and click on “create” to close the pop-up

      /wp-content/uploads/2015/05/31_705313.png

 

36. Click on the ‘create’ button under “Expressions”. Enter a name and click on ‘create’

 

37. Drag and drop the fields from the ‘Field List’ and create the condition

/wp-content/uploads/2015/05/33_705321.png

38. After creating one or more conditions based on the fields available in the field list, you can “Save and Activate” the whole configuration

 

39. Go to the “Monitor” tab and click on the “Read Access Log” link

     /wp-content/uploads/2015/05/35_705322.png

 

40. Select ‘Raw Database’ from the data source drop-down. You can select ‘Expanded database’ when you want to access logs from other systems/clients (this requires additional configuration).

      /wp-content/uploads/2015/05/36_705323.png

 

41. You can use the flexible search criteria, which come with a ‘save’ option, to see your log details

      /wp-content/uploads/2015/05/37_705325.png

 

42. You will see the logs under ‘Search Result’

 

43. Select one of the logs to see its log data details

/wp-content/uploads/2015/05/39_705326.png
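
A simplified model of how the condition from step 25.3 and the field options from step 32 shape a log entry, added here as an example (it is not SAP code and not part of the original post). The field names, the sample screen and the treatment of “initial” as empty or zero are assumptions.

```python
# Simplified model of the RAL settings from steps 25-38 (illustration, not SAP code).
from dataclasses import dataclass, field


@dataclass
class LogField:
    name: str
    without_value: bool = False       # "Without Value": record the access, not the data
    exclude_if_initial: bool = False  # "Exclude if initial": skip fields with initial value


@dataclass
class Config:
    purpose: str                      # Logging purpose (steps 2-5)
    context_field: str                # Log Context field (step 28)
    group: list                       # Log Group fields (step 32)
    excluded_users: set = field(default_factory=set)  # Condition (step 25.3)


def is_initial(value):
    # Assumption: "initial" is approximated as None, empty string or zero.
    return value in (None, "", 0)


def build_log_entry(cfg, user, screen):
    """Return the entry written for one screen access, or None if nothing is logged."""
    if user in cfg.excluded_users:
        return None
    entry = {"user": user, "purpose": cfg.purpose,
             "context": {cfg.context_field: screen.get(cfg.context_field)},
             "fields": {}}
    for f in cfg.group:
        value = screen.get(f.name)
        if f.exclude_if_initial and is_initial(value):
            continue
        entry["fields"][f.name] = None if f.without_value else value
    return entry


# Constructed sample configuration and screen content (hypothetical field names).
CFG = Config(purpose="Privacy", context_field="EMPLOYEE_ID",
             group=[LogField("SALARY", without_value=True),
                    LogField("NATIONAL_ID"),
                    LogField("BONUS", exclude_if_initial=True)],
             excluded_users={"ABCUSER"})
SCREEN = {"EMPLOYEE_ID": "1001", "SALARY": 85000,
          "NATIONAL_ID": "000-00-0000", "BONUS": 0}

if __name__ == "__main__":
    print(build_log_entry(CFG, "AUDITEE1", SCREEN))
    print(build_log_entry(CFG, "ABCUSER", SCREEN))
```

Running a planned configuration through a model like this shows which sensitive values would be copied into the log itself and which users a condition leaves unlogged.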


Conclusion:

This is a basic end-to-end configuration for a sample application. However, you can extend the scope of the configuration with log contexts, log groups and conditions, depending on the application you are dealing with. You can configure a Web Dynpro application with the same approach.

 

Regards,

Naveen Inuganti

 


7 Comments


  1. Sridhar Somasundaram

    Hello,

    Is it possible to log the actions taken in document download, upload and print in a Document Info Record (DIR)? I tried doing recording but could record the actions on the documents which are attached to a DIR. Please support.

    Thanks,

    (0) 
  2. Murugesan Eswaran

    Hi Naveen,

     

    Thank you for a good blog.

    Can you share your inputs on how to enhance the Log data with extra information (i.e. other than the fields recorded)?

    Regards,

    Murugesan

    (0) 
    1. Naveen Inuganti Post author

      You can always go back to recording i.e. associated with your log context and enhance it first. Then you can enhance your log context and log domain with those additional fields.

       

      Regards,

      Naveen

      (0) 
