Read Access Logging

Russian version: Read Access Logging

Many of you likely received emails in May this year with the mysterious abbreviation GDPR. It’s no secret that responsible handling of personal data, and monitoring who has access to it, has been discussed more and more recently. SAP keeps up with this trend and offers a tool for monitoring user activity related to reading various kinds of personal information. The tool is called Read Access Logging (RAL), and this article covers it.

What is this tool and what benefit does it provide?

The vendor itself provides a solid answer:

See Read Access Logging

Definition

Read Access Logging (RAL) is used to monitor and log read access to sensitive data. This data may be categorized as sensitive by law, by external company policy, or by internal company policy. The following typical questions might be of interest for an application that uses Read Access Logging:
  • Who accessed the data of a given business entity, for example a bank account?
  • Who accessed personal data, for example of a business partner?
  • Which employee accessed personal information, for example religion?
  • Did anyone search, for example, if VIPs were admitted to hospital?
  • Which accounts or business partners were accessed by which users?
These questions can be answered using information about who accessed particular data within a specified time frame. Technically, this means that all remote API and UI infrastructures (that access the data) must be enabled for logging. Read Access Logging is currently limited to the following channels, however:
  • Remote Function Calls (sRFC, aRFC, tRFC, qRFC, bgRFC)
  • Dynpro
  • Web Dynpro
  • Web services
For more information about the objects that can be logged for the different channels

In short, this is another way to monitor user actions in your system, but at a more granular level: it records which fields were read and which values were displayed or entered. A notable advantage is that RAL covers not only classic Dynpro ABAP programs but also WebDynpro applications, web services and RFC calls.

See Activating Audit Logging for User-Launched Programs in the System

Configuration

The main transaction for RAL configuration is SRALMANAGER.

See: Transaction Codes in Read Access Logging
  • SRALMANAGER – Shows both Administration and Monitor tabs in RAL Manager
  • SRALMONITOR – Shows only the Monitor tab
  • SRALCONFIG – Shows only the Administration tab

Example 1: Enabling RAL for Dynpro

Let’s start by enabling RAL for transaction PA20, so we can track which infotypes users are viewing and for which personnel numbers. The setup instructions are somewhat condensed to keep the article focused.

Logging Purposes

See Defining Logging Purposes

Context
Read Access Logging is always based on a logging purpose that is freely defined according to the requirements of an organization. It describes why specific data is logged. In the configuration, you specify the logging purpose and each log entry in the log is assigned its purpose as an attribute. This allows the log data to be organized according to the logging purpose. For example, various archiving rules or reports can be created based on logging purposes.

The Read Access Logging framework can thus be used to fulfill legal or other regulations, to detect fraud or data theft, for auditing purposes, or for any other internal purpose.

Log Domains

See:  Defining Log Domains

Context
Within an application, the data to be logged must be defined on a semantic level, before the actual fields and rules are defined. This is done by creating log domains as semantic descriptions of semantically identical or related fields that have different technical representations. In Read Access Logging manager, you first define a log domain. During the configuration, you assign a log domain to each field to be logged.

For a log domain, you specify a name and a business area that the data element is related to. This is necessary because different applications might use the same log domain. For example, a log domain "account" might be something different in the Human Resources application than it is in the Banking application.

Recordings

See: Channel-Specific Information
See: Creating Recordings

After creating a Recording, the fields to monitor are selected from within the transaction itself: launch PA20 in the backend system, place the cursor on the desired field, and Ctrl + right-click. In the context menu, choose Read Access Logging → Record Field.

The recorded fields will now appear in your Recording’s configuration.

Configuration

See: Configuring Read Access Logging

The following video demonstrates the steps required to activate logging for multiple fields in PA20.

[Video: activating logging for multiple fields in PA20, 0:45]

Enabling Read Access Logging in the Current Client

Make sure RAL is enabled in the client you are working with (Administration tab → Enable Read Access Logging in Current Client). Enabling is done per client: an active configuration in a client where RAL is not enabled produces no log entries, which is the first thing to check when the Monitor stays empty.

Testing

Run the test under user RLA_DEMO.

[Video: testing under user RLA_DEMO, 1:11]

N.B. To view the logs in the Monitor, select Raw Database as the data source. Bear in mind that the log entries contain the values that were read, so the Monitor itself exposes personal data and access to it has to be restricted as tightly as access to the source transactions.

See: Monitoring the Read Access Log
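The logging purpose and log domain attributes attached to every entry are what make the log answerable for the vendor's "typical questions" quoted above. The following added example (not code from the article or from SAP) shows how an analyst might run those questions, plus a simple mass-read detection, over an export of the log. The column layout of the export, the user names, personnel numbers, the IBAN and the function module name Z_READ_BANK_DATA are all assumptions; map the header names to whatever the RAL Monitor actually exports in your system.

```python
"""Query a Read Access Logging (RAL) export for who read what.

Added example, not code from the original article or from SAP. The export
layout is an assumption: one semicolon-separated line per logged access,
carrying the attributes RAL attaches to each entry (logging purpose, log
domain, channel) plus user, timestamp, application, field and value.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real log data; user names, personnel
# numbers and the IBAN are made up, Z_READ_BANK_DATA is a hypothetical
# function module, field names such as PERNR/KONFE are illustrative).
SAMPLE_EXPORT = """\
timestamp;user;client;channel;purpose;domain;application;field;value
2018-06-01T08:02:11;HR_CLERK1;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00001234
2018-06-01T08:02:11;HR_CLERK1;100;DYNPRO;GDPR_HR;RELIGION;PA20;KONFE;01
2018-06-01T08:05:40;HR_CLERK1;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00001235
2018-06-01T09:10:02;HR_AUDIT;100;WEBDYNPRO;GDPR_HR;PERSONNEL_NUMBER;HRESS_A_PTARQ_LEAVREQ_APPL;PERNR;00001234
2018-06-01T13:00:00;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002001
2018-06-01T13:00:05;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002002
2018-06-01T13:00:09;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002003
2018-06-01T13:00:14;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002004
2018-06-01T13:00:20;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002005
2018-06-01T13:00:27;CONTRACTOR7;100;DYNPRO;GDPR_HR;PERSONNEL_NUMBER;PA20;PERNR;00002006
2018-06-01T13:00:30;CONTRACTOR7;100;DYNPRO;GDPR_HR;RELIGION;PA20;KONFE;02
2018-06-02T10:00:00;HR_CLERK1;100;RFC;SOX_FIN;BANK_ACCOUNT;Z_READ_BANK_DATA;BANKN;DE89370400440532013000
"""


def parse_export(text):
    """Parse the export into a list of dicts, one per logged read."""
    entries = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def who_accessed(entries, domain, value):
    """Who accessed the data of a given business entity (e.g. one personnel number)?"""
    return sorted({e["user"] for e in entries
                   if e["domain"] == domain and e["value"] == value})


def who_read_domain(entries, domain):
    """Which users accessed a category of personal information (e.g. religion)?"""
    return sorted({e["user"] for e in entries if e["domain"] == domain})


def accesses_by_purpose(entries):
    """Entry counts per logging purpose; the basis for purpose-specific reports."""
    return Counter(e["purpose"] for e in entries)


def bulk_readers(entries, domain, max_distinct, window_seconds=60):
    """Flag users who read more than max_distinct distinct values of one log
    domain within any sliding window of window_seconds (mass-read / data theft
    pattern). Returns {user: largest distinct count seen in a window}."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for e in entries:
        if e["domain"] == domain:
            per_user[e["user"]].append((e["timestamp"], e["value"]))
    flagged = {}
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {v for _, v in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def main():
    entries = parse_export(SAMPLE_EXPORT)
    print("Read personnel number 00001234:",
          who_accessed(entries, "PERSONNEL_NUMBER", "00001234"))
    print("Read religion:", who_read_domain(entries, "RELIGION"))
    print("Entries per purpose:", dict(accesses_by_purpose(entries)))
    print("Bulk readers (>5 personnel numbers in 60 s):",
          bulk_readers(entries, "PERSONNEL_NUMBER", 5))


if __name__ == "__main__":
    main()
```

The bulk-reader check is a plain sliding window over each user's reads of one log domain; the threshold has to come from the normal workload of the role (an HR clerk legitimately opens many personnel numbers a day, a contractor reading six in under a minute is the case worth a question). The same logic can run in a SIEM that ingests the RAL data instead of on a manual export.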

Example 2: Enabling RAL for WebDynpro

Another case worth considering is enabling RAL for the WebDynpro application HRESS_A_PTARQ_LEAVREQ_APPL. To save space, this will be covered in two short videos.

Preparation

[Video: preparation, 1:50]

N.B. Activating field logging in WebDynpro is analogous to Dynpro: Ctrl + right-click on the field.

Testing

[Video: testing, 1:20]

Vendor Material

See SAP Note 2053988 - RAL Dynpro Channel: Further information on logging
See also: PDF version of SAP Note 2053988 - RAL Dynpro Channel: Further information on logging