How to Configure Read Access Logging in SAP
In this blog, you will see how to configure Read Access Logging (RAL) in SAP systems.
Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy.
Read Access Logging covers the following channels (everything else, for example a read that does not pass through one of these channels, is not captured):
- Dynpro (classic SAP GUI screens, used in the SE16 example below)
- Web Dynpro
- Remote Function Calls
- Web services
The transaction code for RAL is “SRALMANAGER”. After starting this transaction, make sure RAL is enabled in the current client; it is switched on per client, and nothing is logged while it is disabled (see Figures 1 and 2 for how to enable RAL).
Use case: log read access to table ‘USR02’ via SE16
USR02 holds the logon data of user master records, including password hashes, so displaying it in the generic table browser SE16 is exactly the kind of read access that should be logged.
To log read access to data, you must define three settings:
- Logging purpose – A way to classify each log entry. For example, “Privacy” or “Finance records.” Each log entry is based on a logging purpose.
- Logging domain – A way to classify and group each field that appears in a log entry. For example, “HR – User data” or “Finance – Sales data”.
- Configuration – You configure Read Access Logging to determine what read access to data is logged and under which conditions.
In addition, the Dynpro and Web Dynpro channels need a further step, called a “Recording”, in which the screen fields to be logged are captured.
Create Logging Purpose
- In Read Access Logging manager (transaction code SRALMANAGER), choose Logging Purposes on the Administration tab.
- Choose Create.
- Specify an ID, a name, and a description.
To save space on the database, the ID is limited to 10 characters. We recommend you use an abbreviation of the purpose name. The purpose name will be displayed on all UIs.
- Save the logging purpose.
A new logging purpose has been created. In each Read Access Logging configuration, you assign a logging purpose. When you define archiving rules, you can use the logging purpose as the basis.
Now you have finished creating the logging purpose for your use case. Click “Back” at the top right of the screen and continue with the next step (Log Domain).
Create Log Domain
- In Read Access Logging manager (transaction code SRALMANAGER), choose Log Domains on the Administration tab.
You can search for, display, create, edit, and delete log domains.
- To create a new log domain, choose Create.
- Specify a name, a business area and an optional description.
The Business Area can be freely defined and it functions as a type of namespace for the data element.
The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the log domain.
- Choose Create.
A new log domain has been created. When you create a configuration, you assign a log domain to each field to be logged. The log domain is displayed in the read access log and helps the log evaluator to understand the semantics of the field. It enables the evaluator to search for a given semantic field regardless of the technical representation or ID of this field.
Create Recording
- In Read Access Logging manager (transaction code SRALMANAGER), choose Recordings on the Administration tab.
You can search for, display, create, edit, and delete recordings.
- To create a new recording, choose Create.
- Specify a channel, a name, and a description.
The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the recording.
- Choose Create.
A new recording has been created and its state is “Recording”. You can see the red “Stop” icon and the state “Recording…” in the figure below.
Now you have to record the Dynpro screen you want to log for RAL.
Go to SE16 and enter USR02 in the ‘Table Name’ input field. Hold down the “Ctrl” key, right-click on the Table Name field, choose Read Access Logging and then Record Field. Record every further field that is to be logged in the same way, then go back to Recordings (in transaction SRALMANAGER) and stop the recording. See the figures below for more details.
Figure 17: Read Access Logging – State of Recording
After clicking “Stop”, the state of the recording changes to “Finished”. Now choose Display (the display icon); the recorded fields are shown on the following screen (see below).
Create Configuration
A Read Access Logging “configuration” contains the settings for logging read access to data. Whereas logging purposes and log domains are just ways to classify and organize logs and the fields in them, configurations are the core of setting up and maintaining read access logging. You specify one or more configurations for the objects you want to log.
For each RAL configuration, you specify:
- A log context.
A log context is the key field that other fields displayed within the logging session are related to. When Read Access is logged and the log context changes, previous values displayed for all other dependent fields are deleted from memory and new values are logged together with the log context. For example, the log context of a configuration for a HR application may be the employee number. As soon as a new employee number is entered, values for all other fields such as religion, salary, etc., no longer belong to the employee previously displayed. With the help of the log context, the values for the religion and salary fields are always logged with the correct employee number. The log context allows you to see all field values in their correct context.
- One or more log groups
A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose). For example, in Web services, the fields are elements of the underlying Web service message; in Web Dynpro, the fields are UI elements of Web Dynpro applications; in Dynpro, the fields are the input/output fields of Dynpro screens.
- One or more conditions (optional)
Conditions are the rules you define for when the fields in the log group are logged. Conditions contain expressions, which are built using select options.
Conditions are optional. If a log group contains no conditions, then every read access to the fields in the log group is logged.
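To make the three concepts concrete, here is a small model of how a configuration is evaluated. It is an added illustration written for this post, not SAP code, and it simplifies RAL: a log context made of key fields, log groups of screen fields, and conditions built from ABAP-style select-option rows (SIGN/OPTION/LOW/HIGH) that are AND-combined; OR-combined expressions are left out. The table name, screen fields and the SE16 session are constructed for the USR02 use case and are not the field IDs that SRALMANAGER assigns.

```python
"""Model of RAL evaluation: log context, log groups, select-option conditions."""
import fnmatch
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class SelectOption:
    """One row of an ABAP-style select-option (RANGES) table."""
    sign: str        # "I" = include, "E" = exclude
    option: str      # EQ, NE, BT, CP (pattern), NP (not pattern)
    low: str
    high: str = ""

    def hit(self, value: str) -> bool:
        if self.option == "EQ":
            return value == self.low
        if self.option == "NE":
            return value != self.low
        if self.option == "BT":
            return self.low <= value <= self.high
        if self.option in ("CP", "NP"):
            # ABAP patterns: '*' = any string, '+' = any single character
            matched = fnmatch.fnmatchcase(value, self.low.replace("+", "?"))
            return matched if self.option == "CP" else not matched
        raise ValueError(f"unsupported option {self.option}")


def in_range(value: str, rows: List[SelectOption]) -> bool:
    """Select-option semantics: an empty table matches everything; otherwise the
    value must hit an include row (if any exist) and must not hit an exclude row."""
    if not rows:
        return True
    incl = [r for r in rows if r.sign == "I"]
    excl = [r for r in rows if r.sign == "E"]
    included = not incl or any(r.hit(value) for r in incl)
    return included and not any(r.hit(value) for r in excl)


@dataclass
class Condition:
    name: str
    expressions: Dict[str, List[SelectOption]]   # field -> rows, AND-combined (simplification)

    def holds(self, values: Dict[str, str]) -> bool:
        return all(in_range(values.get(f, ""), rows) for f, rows in self.expressions.items())


@dataclass
class LogGroup:
    name: str
    fields: List[str]
    condition: Optional[Condition] = None        # None == the "Without Condition" checkbox


@dataclass
class Configuration:
    purpose: str
    context_fields: List[str]
    groups: List[LogGroup]


def evaluate(config: Configuration, screens: List[Dict[str, str]], user: str) -> List[dict]:
    """Replay screen round-trips (field -> displayed value) and return the
    entries the configuration would write; the context sticks until it changes."""
    context: Dict[str, str] = {}
    entries: List[dict] = []
    for screen in screens:
        ctx_now = {f: screen[f] for f in config.context_fields if f in screen}
        if ctx_now and ctx_now != {f: context.get(f) for f in ctx_now}:
            context = dict(ctx_now)   # context changed: old values no longer belong to it
        for group in config.groups:
            shown = {f: screen[f] for f in group.fields if f in screen}
            if not shown:
                continue
            if group.condition is not None and not group.condition.holds({**context, **shown}):
                continue
            entries.append({"purpose": config.purpose, "user": user, "group": group.name,
                            "context": dict(context), "fields": shown})
    return entries


def without_condition(config: Configuration) -> Configuration:
    """Same configuration with every log group's 'Without Condition' box ticked."""
    return replace(config, groups=[replace(g, condition=None) for g in config.groups])


# Constructed configuration for the SE16/USR02 use case (illustrative field IDs).
USR02_CONFIG = Configuration(
    purpose="PRIVACY",
    context_fields=["TABLE_NAME"],
    groups=[LogGroup(
        name="SE16_LOGON_DATA",
        fields=["BNAME", "BCODE", "PASSCODE", "PWDSALTEDHASH"],
        condition=Condition("ONLY_USR02", {"TABLE_NAME": [SelectOption("I", "EQ", "USR02")]}),
    )],
)

# Constructed SE16 session: selection screen, data display, switch to another table
# that shows the same screen fields (here USH02), then back to USR02.
SESSION = [
    {"TABLE_NAME": "USR02"},
    {"BNAME": "JDOE", "BCODE": "1A2B3C4D5E6F7A8B", "PASSCODE": "<hash>", "PWDSALTEDHASH": "<hash>"},
    {"TABLE_NAME": "USH02"},
    {"BNAME": "JDOE", "BCODE": "1A2B3C4D5E6F7A8B"},
    {"TABLE_NAME": "USR02"},
    {"BNAME": "SAP*", "PWDSALTEDHASH": "<hash>"},
]

if __name__ == "__main__":
    for e in evaluate(USR02_CONFIG, SESSION, "AUDITOR"):
        print(e["context"], e["fields"])
```

With the condition in place only the two USR02 displays produce entries; `without_condition(USR02_CONFIG)` also logs the USH02 display, which is the behaviour the condition step later in this post is there to prevent.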
- In Read Access Logging manager (transaction code SRALMANAGER), choose Configuration on the Administration tab (see figure 19). You can search for, display, create, edit, and delete configurations.
- To create a new configuration, select a channel from Channel and choose Create. (see figure 20)
- Specify a recording name(which you created earlier) and choose Create (see figure 21)
- A new screen with the sections Log Context, Log Group, Conditions etc. appears. In Log Context, choose Create (see figure 22)
- Specify a name and description and choose Create (see figure 22)
- Drag fields from channel fields and drop into Log Context and save your work by clicking on the button Save as Active (see figure 23)
- After creating a Log Context, now you have to create a Log Group. In Log Group, Choose Create
- Specify a name and description and choose Create (see figure 24)
- Drag fields from channel fields and drop into Log Group and save your work by clicking on the button Save as Active (see figure 25)
- Drag system fields into the Log Group (if needed)
- In the Conditions tab, choose Create. Without a condition, the configuration logs every table displayed through SE16, not only USR02, because the recorded screen fields are the same whichever table name is entered. To restrict logging to USR02, create a condition with a name and description and then create an expression on the recorded Table Name field (for example, Table Name equal to USR02) (see figures 27, 28 & 29)
- Go back to the Log Group, uncheck the Without Condition checkbox and assign the condition created above (see figures 30 & 31)
- Click on Save as Active button (see figure 32)
After a successful configuration you can monitor the log entries. To view the logs, choose Read Access Log on the Monitor tab. You can search by channel, by date or by user name (see Figures 33 & 34). Only accesses through the channels listed above, made after the configuration was saved as active, appear here.