Dear all,

In the context of the General Data Protection Regulation (GDPR) in the EU (European Union) region, we explored tools to monitor and log read access to sensitive data.

We have used a simple use case: recording/logging access to the USR02 table via transaction code SE16.

What is Read Access Logging (RAL)?

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy.

Main Purposes of Read Access Logging

Read Access Logging is often required to comply with legal regulations or public standards such as data privacy, for example in banking or healthcare applications. Data privacy is about protecting and restricting access to personal data. In some countries, data privacy regulations even require that access to certain personal data be reported. Companies and public institutions may also want to monitor access to classified or other sensitive data for their own reasons. If no trace or log is kept on who accesses data, it is difficult to track the person(s) responsible for any data leaks to the outside world. Read Access Logging provides this information.

Read Access Logging is always based on a logging purpose that is freely defined according to the requirements of an organization (for example, data privacy). This logging purpose is then assigned to each log entry as an attribute, which allows the log data to be classified and organized according to the logging purpose. For example, various archiving rules or reports can be created based on logging purposes.

The Read Access Logging framework can thus be used to fulfill legal or other regulations, to detect fraud or data theft, for auditing purposes, or for any other internal purpose.

How does it work?

The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system by enabling remote communication and user interface infrastructures to log access to sensitive data. When an application/transaction is started, the Read Access Logging configuration is read; it indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant. The RAL configuration defines which fields and elements should be logged. Knowing this, the requested field and element values are set for logging. Finally, the log data is written to the database. It can then be viewed via the Log Monitor.

SAP Note 1969086 – Availability of Read Access Logging and prerequisites (kernel and SAP GUI version)

Supported Channels

Read Access Logging is currently limited to the following channels:

  • Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)
  • Dynpro
  • Web Dynpro
  • Web services

Remote Function Calls (RFC)

We can log the server and client side of RFC-based communication.

Dynpro

We can log Dynpro UI elements and ALV grid-based user interfaces.

Web Dynpro

We can log context-bound UI elements of Web Dynpro-based user interfaces.

Web service calls

We can log the consumer and provider side of Web service-based communication.

Entities Used During Configuration

Log purpose

Each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.

Log domain

Log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.

Log context

The log context is the key field that the other visible fields are related to within the logging session.

Log group

A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).

Log condition

Conditions are the rules you can define to decide when the fields in the log group are logged.

Read Access Logging (RAL) Configuration

Transaction SRALMANAGER provides access to:

  • Read Access Logging Configuration
  • Data logged with Read Access Logging
  • Administrative Log

In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries.

Read Access Logging is integrated in the Transport Framework of the AS ABAP.

Using transaction SRALMANAGER, we can start a Web Dynpro-based application that is shown in a browser window.

The transaction code for RAL is “SRALMANAGER”. After executing this transaction, make sure RAL is enabled in the current client:

http://<hostname>:8000/sap/bc/webdynpro/sap/sralmanager?sap-language=EN

Note: We need to activate the respective RAL services in SICF.

Configure RAL

Parameter sec/ral_enabled_for_rfc = 1 (the default is 0) has to be set in the profiles.

Use Case

Log table ‘USR02’ access via SE16

To log read access to data, you must define three settings:

  1. Logging purpose – A way to classify each log entry. For example, “Privacy” or “Finance records”. Each log entry is based on a logging purpose.
  2. Logging domain – A way to classify and group each field that appears in a log entry. For example, “HR – User data” or “Finance – Sales data”.
  3. Configuration – You configure Read Access Logging to determine what read access to data is logged and under which conditions.
  4. Recordings – Manage recordings of application user interfaces.

1. Create Logging Purpose

Context

Read Access Logging is always based on a logging purpose that is freely defined according to the requirements of an organization. It describes why specific data is logged. In the configuration, you specify the logging purpose, and each log entry in the log is assigned its purpose as an attribute. This allows the log data to be organized according to the logging purpose. For example, various archiving rules or reports can be created based on logging purposes.

The Read Access Logging framework can thus be used to fulfill legal or other regulations, to detect fraud or data theft, for auditing purposes, or for any other internal purpose.

 

Procedure

  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Logging Purposes on the Administration tab.
  2. Choose Create.
  3. Specify an ID, a name, and a description.

To save space on the database, the ID is limited to 10 characters. We recommend you use an abbreviation of the purpose name. The purpose name will be displayed on all UIs.

  4. Save the logging purpose.

2. Create Log Domain

Context

Within an application, the data to be logged must be defined on a semantic level, before the actual fields and rules are defined. This is done by creating log domains as semantic descriptions of semantically identical or related fields that have different technical representations. In Read Access Logging manager, you first define a log domain. During the configuration, you assign a log domain to each field to be logged.

For a log domain, you specify a name and a business area that the data element is related to. This is necessary because different applications might use the same log domain. For example, a log domain “account” might mean something different in the Human Resources application than it does in the Banking application.

Procedure

  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Log Domains on the Administration tab.

You can search for, display, create, edit, and delete log domains.

  2. To create a new log domain, choose Create.
  3. Specify a name, a business area and an optional description.

The Business Area can be freely defined, and it functions as a type of namespace for the data element.

The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the log domain.

  4. Choose Create.

3. Create Recording

Procedure

Note that the values of the fields that are displayed on the UI during the recording (the so-called sample values) become visible in the recording. The sample values and UI labels help the administrator to easily identify the fields during configuration. However, you can edit or delete the sample values. For example, if you find it more helpful for the administrator, you can replace them with a description of the field. You can also search for one or more recordings and clear all sample values at once. Just select one or more recordings from the search results and choose Clear Sample Values.
  1. In Read Access Logging manager (transaction code SRALMANAGER), on the Administration tab, choose Recordings.

You can search for, display, create, edit, delete, or transport recordings.

  2. To create a new recording, choose Create.
  3. Choose either Dynpro or Web Dynpro, depending on the user interface type you want to record/log.
  4. Specify a name and a description.
  5. Choose Create.

The recording is created, and the recording is started. You can now start the user interface you want to record. The recorder stays in the Recording state until you stop it (by choosing the Stop Recording icon). You can restart the recording at a later point in time by choosing the Start Recording icon. The State column reflects the current state of the recording.

  6. Start the Dynpro or Web Dynpro application that you want to record.

Note

If the application is already open when you create the recording, you must restart it. The check whether Read Access Logging is activated or not is performed when an application is started.

  7. Right-click (Web Dynpro) or Ctrl + right-click (Dynpro) each field that you want to collect for the recording and choose Read Access Logging > Record Field from the context menu.

  8. To remove a field from a recording, right-click the field and choose Read Access Logging > Remove Field from Recording.

  9. When you have recorded all fields, close the application, return to Read Access Logging Manager and choose Stop Recording in the list of recordings.

If you do not close the Web Dynpro session, the recording is locked and you cannot edit it.

Now you have to record the Dynpro screen you want to log for RAL.

Go to SE16 and give the table name USR02 in the input field ‘Table Name’.

Now press the Ctrl key on your keyboard, right-click on the table name and choose Read Access Logging > Record Field.

After recording the fields, go back to Recordings (in transaction SRALMANAGER) and stop the recording. See the figures below for more details.

After clicking on “Stop”, the state of the recording changes to “Finished”. Now choose display by clicking on the display icon. You will then see the recorded fields.

4. Create Configuration

A Read Access Logging “configuration” contains the settings for logging read access to data. Whereas logging purposes and logging domains are just ways to classify and organize logs and the fields in them, configurations are the core of the setting up and maintenance of read access logging. You specify one or more configurations for the objects you want to log.

For each RAL configuration, you specify:

A log context.

A log context is the key field that other fields displayed within the logging session are related to. When read access is logged and the log context changes, previous values displayed for all other dependent fields are deleted from memory and new values are logged together with the log context. For example, the log context of a configuration for an HR application may be the employee number. As soon as a new employee number is entered, values for all other fields such as religion, salary, etc., no longer belong to the employee previously displayed. With the help of the log context, the values for the religion and salary fields are always logged with the correct employee number. The log context allows you to see all field values in their correct context.

One or more log groups

A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose). For example, in Web services, the fields are elements of the underlying Web service message; in Web Dynpro, the fields are UI elements of Web Dynpro applications; in Dynpro, the fields are the input/output fields of Dynpro screens.

One or more conditions (optional)

Conditions are the rules you define for when the fields in the log group are logged. Conditions contain expressions, which are built using select options.

Conditions are optional. If a log group contains no conditions, then every read access to the fields in the log group is logged.

5. Monitor

After successful configuration, we can monitor log entries. To view logs, choose Read Access Log under the Monitor tab. You can search for channel-specific, date-specific or user-specific logs.

E.g., go to SE16, access the USR02 table with any user and check the screen below for the logging details.
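The log-context and condition rules from the configuration section, together with the Monitor-style search, as an added toy model written for this post (it is not SAP code and nothing in RAL ships with it): a context key PERNR with two log groups, one without a condition (so every read is logged) and one with a select-option-like condition, plus a filter by channel, user and date. All field names, the user AUDITOR1 and the timestamp are constructed.

```python
# Toy model of the RAL entities and the log-context rule described above. Illustrative
# Python, not SAP code; PERNR/RELIGION/SALARY/ORGEH, AUDITOR1 and the timestamp are constructed.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class LogGroup:
    name: str
    fields: dict                                        # technical field -> log domain
    condition: Optional[Callable[[dict], bool]] = None  # None: log every read access

@dataclass
class RalConfig:
    purpose: str        # logging purpose, e.g. "PRIVACY"
    channel: str        # Dynpro, Web Dynpro, RFC or Web service
    context_field: str  # key field the other logged fields belong to
    groups: list

class RalSession:
    """Buffers dependent values per log context; on a key change they are written with the old key."""
    def __init__(self, cfg, user, log):
        self.cfg, self.user, self.log = cfg, user, log
        self.ctx, self.buf = None, {}
    def read(self, fld, value, ts):
        if fld == self.cfg.context_field:
            if value != self.ctx:
                self.flush(ts)
                self.ctx = value
        elif any(fld in g.fields for g in self.cfg.groups):
            self.buf[fld] = value   # fields outside every log group are never logged
    def flush(self, ts):
        for g in self.cfg.groups:
            vals = {f: v for f, v in self.buf.items() if f in g.fields}
            row = {self.cfg.context_field: self.ctx, **vals}
            if vals and (g.condition is None or g.condition(row)):
                self.log.append({"purpose": self.cfg.purpose, "channel": self.cfg.channel,
                                 "user": self.user, "ts": ts, "group": g.name,
                                 "context": {self.cfg.context_field: self.ctx},
                                 "fields": {f: (g.fields[f], v) for f, v in vals.items()}})
        self.buf = {}

def search_log(log, channel=None, user=None, date=None):   # Monitor-style search filters
    return [e for e in log if channel in (None, e["channel"]) and user in (None, e["user"])
            and (date is None or e["ts"].startswith(date))]

def demo():
    log, ts = [], "2018-05-25T09:00:00"
    cfg = RalConfig("PRIVACY", "Dynpro", "PERNR", [     # context: employee number
        LogGroup("HR_SENSITIVE", {"RELIGION": "HR - Religion", "SALARY": "HR - Pay"}),
        LogGroup("ORG", {"ORGEH": "HR - Org unit"}, lambda r: r["ORGEH"] in {"HR01"})])
    s = RalSession(cfg, "AUDITOR1", log)
    for fld, val in [("PERNR", "00001001"), ("RELIGION", "NONE"), ("SALARY", 52000),
                     ("ORGEH", "HR01"), ("PERNR", "00001002"), ("SALARY", 61000), ("ORGEH", "FI02")]:
        s.read(fld, val, ts)
    s.flush(ts)   # session end: write what belongs to the last context
    return log
```

Running demo() yields three entries: two for employee 00001001 (the conditional ORG group fires because ORGEH is HR01) and one for 00001002, whose ORGEH FI02 fails the condition and is therefore not logged.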

17 Comments

  1. Arvind Warade

    Hello Pratap,

    We are not able to see Read Access Logging in the drop-down in the step where we check table USR02 (Ctrl + right-click). What could be missing here?
    1. Pratap Naidu Post author

      Hello Arvind,

      Please check if the record button is active or not. In order to record a Dynpro screen, it needs to be in record status; only then will you be able to see the options after Ctrl + right-click. Please check.

      Regards
      Pratap
  2. Arvind Warade

    Thanks a lot for help Pratap.

    But I am not able to get Read Access Logging in the drop-down in the first place; I configured all required prerequisites based on the available information.
  3. sylvester daudu

    Hi Pratap,

    Thanks for your detailed steps. Job well done!

    This will be very helpful for RAL implementation. Working on this in the dev environment.

    I think Arvind has not enabled RAL in the current client after executing the tc SRALMANAGER, hence RAL is not available in the drop-down options.

    @Arvind, have you enabled RAL?
  4. sylvester daudu

    Hi Arvind,

    I just did in our dev system, and RAL is available, see below:

    Are you using SAP NetWeaver Application Server (AS) ABAP 7.40? I think RAL is a new functionality from 7.40. You could verify. Thanks

    1. sylvester daudu

      Hi Arvind,

      Sorry, I have been very busy. I should think so. I am doing things step by step in our Dev system. If I am successful, I will let you know. I am currently performing recording, using the example here (USR02 table via SE16) and accessing the employee SIN number via PA0002 (infotype 0002). SIN is critical employee data that everyone should not have access to.
  5. Peter Benech

    Nice tool, but can RAL capture also ALV List viewer fields besides the ALV Grid? And also SQVI and SAP Query output fields? Can it distinguish for example within ALV Grid, that the field value has been sent to the client, but not displayed (because the chosen layout keeps it hidden, therefore shall not be logged)?

  6. sylvester daudu

    If you can create the recording of that field, sure, you should be able to.

    In addition: Let me explain the statement below.

    Conditions are optional. If a log group contains no conditions, then every read access to the fields in the log group is logged. During configuration, by default this is checked. If you want to keep a record of log access views to the field, do not uncheck this box.

    This simply means that in the configuration there can be zero conditions (No Condition), and when this happens there will be no EXPRESSION and there will be NO SELECT OPTION for the expression.

    So every view access to the field recorded in RAL will be logged if it is accessed.

    Example: I created a recording for access to infotype 0002 via PA30. I recorded the SIN and DATE OF BIRTH fields. No condition. RAL returned a success result for every user who viewed infotype 0002 via PA30 for the SIN number and Date of Birth. It did not record those who executed transaction PA30.

    I am loving this tool. This is really nice.

    Thanks Pratap for this piece.

  7. Jonathan Winter

    Hello RAL experts,

    thanks a lot for the Guide!

    Can RAL log inputs as well? In my example case someone changes the storage temperature or shelf life of a material in MM02 (Material View: General Plant Data/Stor1). Can I track what value is typed in the fields or can I only see the value that was there before someone changes it?

    After a change is saved in that view the view is not shown again, which means it is not tracked. What does the Field Type at Configuration -> Log Group mean in that regard? Once I change the Field type from Output to Input it does not get displayed in the Monitoring view once I recreate my test case in MM02.

    Don’t get me wrong, I know it is called READ Access Logging, but I wondered what the field type stands for and logging inputs would be a great feature.

    Thank you for your help!

    Jonathan

  8. Hans-Peter Deppe

    Hello Pratap,

    I have two questions:

    a) Related to your SE16 example with table USR02: is it also logged which data rows (user IDs in this case) were selected?

    b) I want to know in general which tables were accessed via SE16 (without any limitation on table names). How can this be achieved by RAL?

    Many thanks

    H.-P. Deppe

    IT Security expert at Bayer Business Services GmbH