How to Configure Read Access Logging in SAP

In this blog, you will see how to configure Read Access Logging (RAL) in SAP systems.

Introduction

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy.

Read Access Logging is currently limited to the following channels:

  • Remote Function Calls
  • Dynpro
  • Web Dynpro
  • Web services

Configure RAL

The transaction code for RAL is “SRALMANAGER”. After executing this transaction, make sure RAL is enabled in the current client (see Figures 1 & 2 for how to enable it).

Figure 1: In home view of RAL, click on “Enabling in Client” under Administration tab

Figure 2: Read Access Logging - Enabling in Client

Use Case

Log table ‘USR02’ access via SE16

To log read access to data, you must define three settings:

  • Logging purpose – A way to classify each log entry. For example, “Privacy” or “Finance records.” Each log entry is based on a logging purpose.
  • Logging domain – A way to classify and group each field that appears in a log entry. For example, “HR – User data” or “Finance – Sales data”.
  • Configuration – You configure Read Access Logging to determine what read access to data is logged and under which conditions.

In addition, the Dynpro and Web Dynpro channels need a further step, called “Recordings”, before a configuration can be created.

Create Logging Purpose
Procedure
  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Logging Purposes on the Administration tab.
  2. Choose Create.
  3. Specify an ID, a name, and a description.
    To save space on the database, the ID is limited to 10 characters. We recommend you use an abbreviation of the purpose name. The purpose name will be displayed on all UIs.
  4. Save the logging purpose.
Figure 3: Read Access Logging - Create Logging Purpose

Figure 4: Read Access Logging - Create Logging Purpose

Figure 5: Read Access Logging - Create Logging Purpose Popup

Results

A new logging purpose has been created. In each Read Access Logging configuration, you assign a logging purpose. When you define archiving rules, you can use the logging purpose as the basis.

 

Figure 6: List of Logging Purposes

This completes the Logging Purpose for the use case. Click “Back” at the top right of the screen and continue with the next step (Log Domain).

Create Log Domain
Procedure
  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Log Domains on the Administration tab.
    You can search for, display, create, edit, and delete log domains.
  2. To create a new log domain, choose Create.
  3. Specify a name, a business area and an optional description.
    The Business Area can be freely defined and it functions as a type of namespace for the data element.
    The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the log domain.
  4. Choose Create.

 

Figure 7: Read Access Logging - Create Log Domains

Figure 8: Read Access Logging - Create Log Domain

Figure 9: Read Access Logging - Create Log Domain Popup

Results

A new log domain has been created. When you create a configuration, you assign a log domain to each field to be logged. The log domain is displayed in the read access log and helps the log evaluator to understand the semantics of the field. It enables the evaluator to search for a given semantic field regardless of the technical representation or ID of this field.

 

Figure 10: List of Log Domains

Create Recording
Procedure
  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Recordings on the Administration tab.
    You can search for, display, create, edit, and delete recordings.
  2. To create a new recording, choose Create.
  3. Specify a channel, a name, and a description.
    The description is later displayed in the detailed view of the read access log and might be helpful for the person evaluating the log to identify the recording.
  4. Choose Create.
Figure 11: Read Access Logging - Create Recordings

Figure 12: Read Access Logging - Create Recording

Figure 13: Read Access Logging - Create Recording Popup

Results

A new recording has been created and its state is “Recording”. Note the red “Stop” icon and the state “Recording…” in the figure below.

 

Figure 14: Read Access Logging - List of Recordings

Now you have to record the Dynpro screen you want to log for RAL.

Go to SE16 and enter the table name USR02 in the ‘Table Name’ input field. Hold the “Ctrl” key, right-click the table name field, choose Read Access Logging and click Record Field. After recording the fields, return to Recordings (in transaction SRALMANAGER) and stop the recording. See the figures below for details.

Figure 15: Read Access Logging - Record Dynpro Screen Fields

Similarly, we can record all the fields that are to be logged.

Figure 16: Read Access Logging - Record Dynpro Screen Fields

Figure 17: Read Access Logging - State of Recording

After clicking “Stop”, the state of the recording changes to “Finished”. Now open it by clicking the “Display” icon; the recorded fields are shown on the following screen.

 

Figure 18: Read Access Logging - Detailed screen of Recording

Create Configuration

A Read Access Logging “configuration” contains the settings for logging read access to data. Whereas logging purposes and logging domains are just ways to classify and organize logs and the fields in them, configurations are the core of the setting up and maintenance of read access logging. You specify one or more configurations for the objects you want to log.

For each RAL configuration, you specify:

  • A log context.

A log context is the key field that other fields displayed within the logging session are related to. When Read Access is logged and the log context changes, previous values displayed for all other dependent fields are deleted from memory and new values are logged together with the log context. For example, the log context of a configuration for a HR application may be the employee number. As soon as a new employee number is entered, values for all other fields such as religion, salary, etc., no longer belong to the employee previously displayed. With the help of the log context, the values for the religion and salary fields are always logged with the correct employee number. The log context allows you to see all field values in their correct context.

  • One or more log groups

A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose). For example, in Web services, the fields are elements of the underlying Web service message; in Web Dynpro, the fields are UI elements of Web Dynpro applications; in Dynpro, the fields are the input/output fields of Dynpro screens.

  • One or more conditions (optional)

Conditions are the rules you define for when the fields in the log group are logged. Conditions contain expressions, which are built using select options.

Conditions are optional. If a log group contains no conditions, then every read access to the fields in the log group is logged.

 

Procedure
  1. In Read Access Logging manager (transaction code SRALMANAGER), choose Configuration on the Administration tab (see figure 19). You can search for, display, create, edit, and delete configurations.
  2. To create a new configuration, select a channel from Channel and choose Create (see figure 20).
  3. Specify a recording name (the one you created earlier) and choose Create (see figure 21).
  4. A new screen appears with sections such as Log Context, Log Domain, Conditions, etc. In Log Context, choose Create (see figure 22).
  5. Specify a name and description and choose Create (see figure 22).
  6. Drag fields from Channel Fields and drop them into Log Context, then save your work by clicking Save as Active (see figure 23).
  7. After creating a Log Context, you have to create a Log Group. In Log Group, choose Create.
  8. Specify a name and description and choose Create (see figure 24).
  9. Drag fields from Channel Fields and drop them into Log Group, then save your work by clicking Save as Active (see figure 25).
  10. Drag system fields into Log Group (if needed).
  11. In the Conditions tab, choose Create. Without a condition, read access to all tables would be logged, not only USR02. To prevent logging other tables, you have to specify a condition. After creating the condition with a name and description, create an Expression (see figures 27, 28 & 29).
  12. Go back to Log Group, uncheck the Without Condition checkbox and specify the condition created above (see figures 30 & 31).
  13. Click the Save as Active button (see figure 32).
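To make the log context, log group and condition semantics described in the Create Configuration section concrete, and to tie them to the SE16/USR02 procedure just listed, here is a small Python model. It is an added illustration, not SAP code and not part of the original post; it calls no SAP API. The SE16 ‘Table Name’ input is treated as the log context, the technical field names BNAME and BCODE stand in for the recorded USR02 screen fields (an assumption), the condition restricts logging to TABLE_NAME = USR02 as in step 11, and the user, date and values are constructed. The model writes an entry whenever the log context changes or the session ends, which simplifies when RAL actually persists entries. The search_log helper mirrors the channel/user/date search on the Monitor tab.

```python
"""Toy model of SAP Read Access Logging concepts (constructed example, not SAP code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Values = Dict[str, str]


@dataclass(frozen=True)
class LogEntry:
    """One read access log entry; every entry is tied to a logging purpose."""
    purpose: str
    channel: str
    user: str
    date: str
    context: Values              # log-context key field(s) and their values
    fields: Dict[str, Values]    # log domain -> {technical field: value}


@dataclass
class Configuration:
    """The three settings: logging purpose, log domain per field, and the configuration."""
    purpose: str                                   # logging purpose ID (max 10 characters)
    channel: str                                   # Dynpro, Web Dynpro, RFC or Web service
    context_fields: List[str]                      # fields forming the log context
    log_group: Dict[str, str]                      # technical field -> log domain
    condition: Optional[Callable[[Values], bool]] = None   # None means "Without Condition"


class ReadAccessLogger:
    """Buffers log-group values until the log context changes or the session ends."""

    def __init__(self, config: Configuration) -> None:
        self.config = config
        self.entries: List[LogEntry] = []
        self._context: Optional[Values] = None
        self._buffer: Values = {}
        self._user = ""
        self._date = ""

    def start_session(self, user: str, date: str) -> None:
        self._user, self._date = user, date
        self._context, self._buffer = None, {}

    def display(self, technical_field: str, value: str) -> None:
        """Called whenever a screen field is displayed to the user."""
        cfg = self.config
        if technical_field in cfg.context_fields:
            new_context = dict(self._context or {})
            new_context[technical_field] = value
            if self._context is not None and new_context != self._context:
                self._flush()          # values shown so far belong to the old context
            self._context = new_context
        elif technical_field in cfg.log_group:
            self._buffer[technical_field] = value
        # Fields outside the log context and the log group are never logged.

    def _flush(self) -> None:
        """Write one entry for the buffered values if the condition allows it."""
        if self._buffer and self._context is not None:
            visible = {**self._context, **self._buffer}
            if self.config.condition is None or self.config.condition(visible):
                by_domain: Dict[str, Values] = {}
                for name, value in self._buffer.items():
                    by_domain.setdefault(self.config.log_group[name], {})[name] = value
                self.entries.append(LogEntry(self.config.purpose, self.config.channel,
                                             self._user, self._date,
                                             dict(self._context), by_domain))
        self._buffer = {}              # previous values are discarded either way

    def end_session(self) -> None:
        self._flush()
        self._context = None


def search_log(entries: List[LogEntry], channel: Optional[str] = None,
               user: Optional[str] = None, date: Optional[str] = None) -> List[LogEntry]:
    """Monitor-tab style search: filter entries by channel, user name and date."""
    return [e for e in entries
            if (channel is None or e.channel == channel)
            and (user is None or e.user == user)
            and (date is None or e.date == date)]


def run_use_case() -> List[LogEntry]:
    """Replays a constructed SE16 session against a USR02 configuration."""
    usr02_config = Configuration(
        purpose="PRIVACY",
        channel="Dynpro",
        context_fields=["TABLE_NAME"],                      # SE16 'Table Name' input field
        log_group={"BNAME": "Security - User ID",            # assumed recorded field names
                   "BCODE": "Security - Password hash"},
        condition=lambda v: v.get("TABLE_NAME") == "USR02",  # the expression from step 11
    )
    ral = ReadAccessLogger(usr02_config)
    ral.start_session(user="ADMIN01", date="2013-05-14")     # constructed sample session
    ral.display("TABLE_NAME", "USR02")
    ral.display("BNAME", "JDOE")
    ral.display("BCODE", "<hash placeholder>")
    ral.display("TABLE_NAME", "USR21")   # context change: the USR02 values are logged
    ral.display("BNAME", "JDOE")         # same field, but the condition fails: not logged
    ral.end_session()
    return ral.entries
```

Running run_use_case() yields exactly one entry, for the USR02 context, grouped by log domain; the later access under the USR21 context is dropped because the condition does not hold, which is the effect step 11 achieves in the real configuration.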

 

 

Figure 19: Read Access Logging - Create Configuration

Figure 20: Read Access Logging - Create Configuration

Figure 21: Read Access Logging - Create Configuration detail window

Figure 22: Read Access Logging - Create Log Context Popup

Figure 23: Read Access Logging - Dragging channel fields into Log context

Figure 24: Read Access Logging - Create Log Group Popup

Figure 25: Read Access Logging - Details of Log Group

Figure 26: Read Access Logging - Activate Log Group

Figure 27: Read Access Logging - Create Condition

Figure 28: Read Access Logging - Create Expression under Conditions

Figure 29: Read Access Logging - Create Expression details

Figure 30: Read Access Logging - Activate Log Group without Condition

Figure 31: Read Access Logging - Assign Condition to Log Group

Figure 32: Read Access Logging - Activate Configuration

Monitor

After successful configuration, you can monitor the log entries. To view logs, choose Read Access Log under the Monitor tab. You can search for logs by channel, date, or user name (see Figures 33 & 34).

 

Figure 33: Read Access Logging - View Logs

Figure 34: Read Access Logging - Log details

Copyright © 2013 Sowra Info Solutions. All rights reserved.