During my work in AIF development I sometimes get questions from customers asking how different functionalities work or what the best way is to solve a specific requirement with SAP Application Interface Framework. From time to time I like to describe the solutions to the most common problems, or new features, in How-To-Guides. If you have a specific topic for which a How-To-Guide would be useful, drop me a message with the topic request.
Data protection and privacy regulation in the EU requires that sensitive data is handled correctly. To support this, read access to sensitive data contained in AIF messages can be logged, so that the question "who accessed which data within a given time frame" can be answered.
How Does It Work?
The functionality can be used for new and existing interfaces. Read Log information can be collected on structure level or on field level; this blog describes logging on field level. The following steps must be executed.
1. Identify fields containing sensitive data.
The first step is to identify the fields in the data structures that contain sensitive data. Such fields can occur in the RAW structure, in the SAP structure, and in the Single Index Table used for the interface (for example, when a field containing private information was defined as a key field of the interface).
2. Define fields as Read Log relevant
After identifying the relevant fields, define them as relevant for the read log in the AIF customizing (activity "Define Fields for Read Log", found in AIF customizing under Interface Development -> Additional Interface Properties).
Defining fields as read log relevant requires the authorization object /AIF/RAL_C.
3. Display the Read Log entries for the relevant fields
Every time the value of a field that is marked as read access log relevant is displayed, the data access is logged and can be reviewed in the Read Log Viewer, transaction /AIF/READ_LOG.
To ensure that not everybody can see who accessed what, viewing the log entries requires a separate authorization object, /AIF/RAL. Where possible, keep /AIF/RAL_C (deciding which fields are logged) and /AIF/RAL (reading the log) in separate roles, so that the person who configures the logging is not automatically the one who can read it.
The following example describes how a field can be defined as Read Log relevant and how to see the logs with the information who and when accessed the sensitive data.
This example uses the SAP flight booking example.
In order to execute this example, you require an AIF interface. In this example, I'm using the file interface built in this blog post: How to process and monitor a simple file with AIF.
1. Identify Fields Containing Sensitive Data
Check the data structure of your interface for relevant fields. My interface uses a structure with customer information as its RAW structure.
Field CUSTOMER_CREDITCARD is identified to contain sensitive data. For this field a Read Log is required.
2. Define Fields As Read Log Relevant
After having identified a field in the structure of the interface it should be marked as Read Log relevant in the AIF customizing.
Go to AIF customizing (transaction /AIF/CUST) –> Interface Development –> Additional Interface Properties and select activity Define Fields for Read Log.
In the following screen, select your namespace, interface and version.
On the next screen the RAW structure will be displayed. You can switch between RAW Structure, SAP Structure and the Single Index Table. For every structure / single index table it is possible to define read log relevant fields.
Double click on the LINES structure on the left-hand side of the screen. On the right-hand side of the screen, the fields contained in the structure are displayed.
Select field CUSTOMER_CREDITCARD and set the RAL relevant flag. Save your changes.
3. Display The Read Log Entries For The Relevant Fields
3.1 Create Log Entries
The log entries are created automatically at the moment the data is displayed in AIF (display paths outside AIF are not covered by this mechanism). To create some test entries, open Monitoring and Error Handling (transaction /AIF/ERR) and select your interface.
Press Execute. You are forwarded to the detailed Monitoring and Error Handling view.
Note: If you do not have test data, create a new test message for the interface.
Select a message in the Data Message view and double click on the LINES structure in the Data Structure view. The data of the selected message is displayed in the Data Content section of the screen, including the content of the private field CUSTOMER_CREDITCARD.
3.2 Display Read Log Entries
After having displayed the data, go to the Read Log Viewer and check for entries of your data access. The Read Log Viewer can be opened via transaction /AIF/READ_LOG or via the SAP Menu –> Cross-Application Components –> SAP Application Interface Framework –> Administration –> LOG –> Read Log Viewer.
In the Read Log Viewer, select Message Content and enter your Interface Details.
In the following screen, double click on the version number of your interface. On the right-hand side, the list of data accesses for the different private fields is displayed. Each entry shows where the data was accessed (the transaction), the interface details, the details of the displayed field, and when and by whom the data was accessed. The payload of the message itself is never shown in the read log; only the fact of the access is recorded.
The message in the example contained two lines with credit card information, so the Read Log shows two entries in the relevant time frame: one entry for each displayed line containing sensitive data.
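The read log answers an audit question: which users displayed a given sensitive field within a time window, and for how many lines. The following script is an added example and is not code from this blog post or from SAP AIF. It works on a small constructed export of read-log entries; the CSV column layout and the timestamp format are assumptions made for this example, and the real Read Log Viewer tables look different. It also reflects two properties described above: one entry per displayed line, and no payload column.

```python
"""Who displayed a sensitive AIF field, and when, from read-log entries.

Added example, not code from the blog post or from SAP AIF. The export layout
(column names, timestamp format) is an assumption for this example; the sample
rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample export: one row per displayed line containing the field.
# Deliberately no value/payload column: the read log records *that* a field
# was shown, never what it contained.
SAMPLE_EXPORT = """\
timestamp,user,transaction,namespace,interface,version,structure,field,message_guid,line
2023-05-02T09:14:05Z,JDOE,/AIF/ERR,DEMO,FILE_IN,1,LINES,CUSTOMER_CREDITCARD,MSG0001,1
2023-05-02T09:14:05Z,JDOE,/AIF/ERR,DEMO,FILE_IN,1,LINES,CUSTOMER_CREDITCARD,MSG0001,2
2023-05-02T11:40:22Z,ASMITH,/AIF/ERR,DEMO,FILE_IN,1,LINES,CUSTOMER_CREDITCARD,MSG0002,1
2023-05-03T08:02:17Z,JDOE,/AIF/ERR,DEMO,FILE_IN,1,LINES,CUSTOMER_NAME,MSG0002,1
"""


@dataclass(frozen=True)
class ReadLogEntry:
    timestamp: datetime
    user: str
    transaction: str
    namespace: str
    interface: str
    version: str
    structure: str
    field: str
    message_guid: str
    line: int


def utc(iso: str) -> datetime:
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' format as a UTC timestamp."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_read_log(text: str) -> list[ReadLogEntry]:
    """Parse the (assumed) CSV export into typed entries."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        entries.append(ReadLogEntry(
            utc(row["timestamp"]), row["user"], row["transaction"], row["namespace"],
            row["interface"], row["version"], row["structure"], row["field"],
            row["message_guid"], int(row["line"])))
    return entries


def accesses_to_field(entries, field, start, end, namespace=None, interface=None):
    """All accesses to `field` with start <= timestamp <= end, optionally
    restricted to one namespace/interface."""
    return [e for e in entries
            if e.field == field and start <= e.timestamp <= end
            and (namespace is None or e.namespace == namespace)
            and (interface is None or e.interface == interface)]


def who_accessed(entries, field, start, end, **scope) -> dict[str, int]:
    """Map each user to the number of displayed lines of `field` in the window."""
    counts: dict[str, int] = {}
    for e in accesses_to_field(entries, field, start, end, **scope):
        counts[e.user] = counts.get(e.user, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    log = parse_read_log(SAMPLE_EXPORT)
    start, end = utc("2023-05-02T00:00:00Z"), utc("2023-05-02T23:59:59Z")
    for user, n in who_accessed(log, "CUSTOMER_CREDITCARD", start, end).items():
        print(f"{user}: displayed {n} line(s) with CUSTOMER_CREDITCARD on 2023-05-02")
```

Run as-is, the script reports that on 2023-05-02 JDOE displayed two lines with CUSTOMER_CREDITCARD (both belonging to message MSG0001, one entry per line, exactly as the Read Log Viewer showed above) and ASMITH one; the CUSTOMER_NAME access on the next day falls outside the window. Because no value is stored, the log itself does not become a second copy of the sensitive data.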
This is how the Read Log functionality of AIF is enabled for specific fields in the RAW structure of an interface.
This blog post gave an introduction on how to use the AIF read log functionality. The interface used here is very simple, so not all options for using the read log are described (the SAP structure, the Single Index Table and logging on structure level have been skipped).
Note: The functionality is available as of AIF 4.0 and as of on-premise release 1709 SP02. For more information, check the AIF Master Guide of your AIF version.