Dear all,

In the context of the General Data Protection Regulation (GDPR) in the EU (European Union) region, we explored tools to monitor and log read access to sensitive data.

As a simple use case, we recorded and logged access to the USR02 table via transaction code SE16.

What is Read Access Logging (RAL)?

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy.

Main Purposes of Read Access Logging

Read Access Logging is often required to comply with legal regulations or public standards such as data privacy, for example in banking or healthcare applications. Data privacy is about protecting and restricting access to personal data. In some countries, data privacy regulations even require that access to certain personal data be reported. Companies and public institutions may also want to monitor access to classified or other sensitive data for their own reasons. If no trace or log is kept on who accesses data, it is difficult to track the person(s) responsible for any data leaks to the outside world. Read Access Logging provides this information.

Read Access Logging is always based on a logging purpose that is freely defined according to the requirements of an organization (for example, data privacy). This logging purpose is then assigned to each log entry as an attribute, which allows the log data to be classified and organized according to the logging purpose. For example, various archiving rules or reports can be created based on logging purposes.

The Read Access Logging framework can thus be used to fulfill legal or other regulations, to detect fraud or data theft, for auditing purposes, or for any other internal purpose.

How does it work?

The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system, by enabling remote communication and user interface infrastructures to log access to sensitive data. When an application or transaction is started, the Read Access Logging configuration is read; it indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant. The RAL configuration defines which fields and elements should be logged. Based on this, the requested field and element values are collected for logging. Finally, the log data is written to the database, where it can be viewed via the Log Monitor.

SAP Note 1969086 – Availability of Read Access Logging and prerequisites (kernel and SAP GUI version)

Supported Channels

Read Access Logging is currently limited to the following channels:

  • Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)
  • Dynpro
  • Web Dynpro
  • Web services

Remote Function Calls (RFC)

We can log the server and client side of RFC-based communication.

Dynpro

We can log Dynpro UI elements and ALV grid-based user interfaces.

Web Dynpro

We can log context-bound UI elements of Web Dynpro-based user interfaces.

Web service calls

We can log the consumer and provider side of Web services-based communication.

Entities Used During Configuration

Log purpose

Each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.

Log domain

Log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.

Log context

The log context is the key field that the other visible fields are related to within the logging session.

Log group

A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).

Log condition

Conditions are the rules you can define to decide when the fields in the log group are logged.

Read Access Logging (RAL) Configuration

SRALMANAGER provides access to:

  • Read Access Logging Configuration
  • Data logged with Read Access Logging
  • Administrative Log

In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries.

Read Access Logging is integrated in the Transport Framework of the AS ABAP.

Transaction SRALMANAGER starts a Web Dynpro-based application in a browser window. After executing this transaction, make sure RAL is enabled in the current client.

http://<hostname>:8000/sap/bc/webdynpro/sap/sralmanager?sap-language=EN

Note: We need to activate the respective RAL services in transaction SICF.

Configure RAL

The profile parameter sec/ral_enabled_for_rfc = 1 (default is 0) has to be set in the profiles.

Use Case

Log table ‘USR02’ access via SE16

To log read access to data, you must define three settings:

  1. Logging purpose – A way to classify each log entry. For example, “Privacy” or “Finance records.” Each log entry is based on a logging purpose.
  2. Logging domain – A way to classify and group each field that appears in a log entry. For example, “HR – User data” or “Finance – Sales data”.
  3. Configuration – You configure Read Access Logging to determine what read access to data is logged and under which conditions.
  4. Recordings – Manage recordings of application user interfaces.

1. Create Logging Purpose

Context

Read Access Logging is always based on a logging purpose that is freely defined according to the requirements of an organization. It describes why specific data is logged. In the configuration, you specify the logging purpose, and each log entry is assigned its purpose as an attribute. This allows the log data to be organized according to the logging purpose. For example, various archiving rules or reports can be created based on logging purposes.

Procedure

  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Logging Purposes on the Administration tab.
  2. Choose Create.
  3. Specify an ID, a name, and a description.

To save space on the database, the ID is limited to 10 characters. We recommend you use an abbreviation of the purpose name. The purpose name will be displayed on all UIs.

  4. Save the logging purpose.

2. Create Log Domain

Context

Within an application, the data to be logged must be defined on a semantic level before the actual fields and rules are defined. This is done by creating log domains as semantic descriptions of semantically identical or related fields that have different technical representations. In Read Access Logging manager, you first define a log domain. During the configuration, you assign a log domain to each field to be logged.

For a log domain, you specify a name and a business area that the data element is related to. This is necessary because different applications might use the same log domain. For example, a log domain “account” might be something different in the Human Resources application than it is in the Banking application.

Procedure

  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Log Domains on the Administration tab.

You can search for, display, create, edit, and delete log domains.

  2. To create a new log domain, choose Create.
  3. Specify a name, a business area and an optional description.

The Business Area can be freely defined, and it functions as a type of namespace for the data element.

The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the log domain.

  4. Choose Create.

3. Create Recording

Procedure

Note that the values of the fields displayed on the UI during the recording (the so-called sample values) become visible in the recording. The sample values and UI labels help the administrator to easily identify the fields during configuration. However, you can edit or delete the sample values. For example, if you find it more helpful for the administrator, you can replace them with a description of the field. You can also search for one or more recordings and clear all sample values at once: select one or more recordings from the search results and choose Clear Sample Values.

  1. In Read Access Logging manager (transaction code SRALMANAGER), on the Administration tab, choose Recordings.

You can search for, display, create, edit, delete, or transport recordings.

  2. To create a new recording, choose Create.
  3. Choose either Dynpro or Web Dynpro, depending on the user interface type you want to record/log.
  4. Specify a name and a description.
  5. Choose Create.

The recording is created, and the recording started. You can now start the user interface you want to record. The recorder stays in the Recording state until you stop it (choosing the Stop Recording icon). You can restart the recording at a later point in time by choosing the Start Recording icon. The State column reflects the current state of the recording.

  6. Start the Dynpro or Web Dynpro application that you want to record.

Note

If the application is already open when you create the recording, you must restart it. The check of whether Read Access Logging is activated is performed when an application is started.

  7. Right-click (Web Dynpro) or Ctrl + right-click (Dynpro) each field that you want to collect for the recording and choose Read Access Logging > Record Field from the context menu.

  8. To remove a field from a recording, right-click the field and choose Read Access Logging > Remove Field from Recording.

  9. When you have recorded all fields, close the application, return to Read Access Logging Manager and choose Stop Recording in the list of recordings.

If you do not close the Web Dynpro session, the recording is locked and you cannot edit it.

Now record the Dynpro screen you want to log with RAL:

Go to SE16 and enter the table name USR02 in the input field ‘Table Name’.

Hold the Ctrl key, right-click the table name field, and choose Read Access Logging > Record Field.

After recording the fields, return to Recordings (in transaction SRALMANAGER) and stop the recording. See the figures below for more details.

After clicking Stop, the state of the recording changes to “Finished”. Choose the display icon to see the recorded fields.

4. Create Configuration

A Read Access Logging “configuration” contains the settings for logging read access to data. Whereas logging purposes and logging domains are just ways to classify and organize logs and the fields in them, configurations are the core of the setting up and maintenance of read access logging. You specify one or more configurations for the objects you want to log.

For each RAL configuration, you specify:

A log context.

A log context is the key field that the other fields displayed within the logging session are related to. When read access is logged and the log context changes, the previously displayed values of all other dependent fields are deleted from memory, and new values are logged together with the new log context. For example, the log context of a configuration for an HR application may be the employee number. As soon as a new employee number is entered, the values of all other fields such as religion, salary, etc., no longer belong to the employee previously displayed. With the help of the log context, the values of the religion and salary fields are always logged with the correct employee number. The log context allows you to see all field values in their correct context.

One or more log groups

A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose). For example, in Web services, the fields are elements of the underlying Web service message; in Web Dynpro, the fields are UI elements of Web Dynpro applications; in Dynpro, the fields are the input/output fields of Dynpro screens.

One or more conditions (optional)

Conditions are the rules you define for when the fields in the log group are logged. Conditions contain expressions, which are built using select options.

Conditions are optional. If a log group contains no conditions, then every read access to the fields in the log group is logged.
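To make the interaction of log context, log group and condition concrete, here is an added Python model (not SAP's implementation and not code from the original post) that replays the SE16/USR02 use case: the purpose ID, user name, field names and values in the sample session are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class RalConfig:
    purpose: str                   # logging purpose ID (constructed value "GDPR")
    context_field: str             # log context: the key field all other fields relate to
    group_fields: Tuple[str, ...]  # log group: fields written to the same log entry
    # condition, select-option style: allowed values per field; empty = log every access
    condition: Dict[str, Set[str]] = field(default_factory=dict)

def condition_holds(cfg: RalConfig, context_value: str) -> bool:
    """No condition on the context field means the group is always logged."""
    allowed = cfg.condition.get(cfg.context_field)
    return allowed is None or context_value in allowed

def evaluate(cfg: RalConfig, user: str, events: List[Tuple[str, str]]) -> List[dict]:
    """Replay one user session of (field, value) reads; return the log entries written.
    Dependent values are buffered under the current context and flushed with that
    context when it changes, so a value is never attributed to the wrong key."""
    entries: List[dict] = []
    context = None
    pending: Dict[str, str] = {}

    def flush() -> None:
        if context is not None and pending and condition_holds(cfg, context):
            entries.append({"purpose": cfg.purpose, "user": user,
                            cfg.context_field: context, "fields": dict(pending)})
        pending.clear()   # values of the old context are dropped from memory either way

    for fld, value in events:
        if fld == cfg.context_field:
            flush()       # everything seen so far belonged to the previous context
            context = value
        elif fld in cfg.group_fields:
            pending[fld] = value   # fields outside the log group are never recorded
    flush()
    return entries

# Constructed configuration for the SE16 / USR02 use case: log user-master reads only.
SE16_CONFIG = RalConfig("GDPR", "TABNAME", ("MANDT", "BNAME", "UFLAG"),
                        condition={"TABNAME": {"USR02"}})

# Constructed sample session: the user opens USR02, switches to T000, then back to USR02.
SAMPLE_SESSION = [
    ("TABNAME", "USR02"), ("MANDT", "100"), ("BNAME", "JDOE"), ("UFLAG", "0"),
    ("TABNAME", "T000"), ("MANDT", "100"),   # not USR02: dropped by the condition
    ("TABNAME", "USR02"), ("BNAME", "ASMITH"), ("UFLAG", "64"),
]
```

Running `evaluate(SE16_CONFIG, "AUDITOR", SAMPLE_SESSION)` yields two entries, both for USR02; dropping the condition yields three, because the T000 read is then logged as well.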

5. Monitor

After successful configuration, we can monitor log entries. To view logs, choose Read Access Log under the Monitor tab. You can search for logs by channel, date, or user name.

For example, go to SE16 and access the USR02 table with any user, then check the Read Access Log for the logging details.
