Read Access Logging (RAL) for SAP NetWeaver Overview

Date post: 20-Aug-2015
Page 1: Read Access Logging (RAL) for SAP NetWeaver Overview

SAP Product Management Security

Finding the Leak – Access Logging for Sensitive Data


© 2013 SAP AG or an SAP affiliate company. All rights reserved. 2

Disclaimer

This document does not constitute a legally binding proposal, offer, quotation or bid on the part of SAP. SAP assumes that the parties negotiate legally binding contracts relating to the subject of this document in a later phase. Any and all information contained in this document is preliminary and subject to change and shall not at any time be considered as binding. Especially preliminary is the described solution, the scope and the pricing. SAP expressly reserves the right to make subsequent alterations to the content of this document. This document is exclusively based on the information provided to SAP by the customer and SAP’s understanding of the customer’s requirements. Changing these requirements might also cause a change in system architecture or functionality. The contents of this document represent business secrets of SAP and must be handled in confidence by the customer. In particular, forwarding information to third parties is prohibited. This document and information included in it must be used exclusively for the purposes of evaluating the possibility of future business cooperation between SAP and customer. Any other use requires prior written consent from SAP. If the underlying proposal is not accepted, all documents and all copies of these documents must be returned to SAP immediately on demand or, if no request is made, destroyed within one month after rejection or non-acceptance of our proposal. All brands, trademarks etc. used in this document, including the SAP signature and logo, are the property of SAP and may not be used without its express written consent in advance.


Agenda

Why Use Read Access Logging?

The Way it Works

Read Access Logging in Detail

Summary


Customer Challenges with Data Access

Compliance with data privacy regulations

Compliance with industry standards (e.g. Basel suite for the banking industry)

Monitor the access to classified data or other sensitive data (such as information about company assets or salary data)

Monitor user actions on a need-to-know basis only, deleting the logs thereafter

SAP provides a solution that allows you to log read access to sensitive data:

Read Access Logging


Use Cases for Read Access Logging (RAL)

John is a data security officer in a bank. Recent analysis of stock transactions indicates malicious orders with insider information about bank customers. John was asked to investigate the issue and identify the information leak.

Chelsea is a compliance manager at a big retailer. A customer of the retailer has complained that his account details were used to contact him on private issues by an employee of the retailer. Chelsea now has to check who had accessed the customer’s person-related data.


Read Access Logging Application

The Read Access Logging Application can be accessed via the transaction SRALMANAGER, providing access to
• Read Access Logging Configuration
• Data logged with Read Access Logging
• Administrative Log

In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries.

Read Access Logging is integrated in the Transport Framework of the AS ABAP.


Read Access Logging with SRALMANAGER

Using transaction SRALMANAGER, you start a Web Dynpro-based application shown in a browser window. With SRALMANAGER, you can access both administration and monitoring functions of Read Access Logging.


The Way it Works

The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system, by enabling remote communication and user interface infrastructures to log access to sensitive data.

When an application/transaction is started, the Read Access Logging configuration is read. It indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant.

The RAL configuration defines which fields and elements should be logged. Knowing this, the requested field and element values are set for logging.

Finally, the log data is written to the database. It can then be viewed via the Log Monitor.


The Way it Works

[Diagram: Read Access Logging Framework. Labels: UI Channels (Dynpro, Web Dynpro); API Channels (Web Service, Remote Function Call); Configurations; Log conditions; Log writer; Log data in database; Log monitor.]


Features

Read Access Logging (RAL) allows you to track data access:
• Who had access to the data
• Which data was accessed
• When was the data accessed
• How was the data accessed (transaction or user interface)

Amount of detail to be logged is customizable based on:
• User interfaces used to access the data
• Operations executed on remote APIs
• Users using the remote APIs / user interfaces
• Entities and their content


Supported Channels

Read Access Logging supports the following channels:

Web Dynpro
You can log context-bound UI elements of Web Dynpro-based user interfaces.

Dynpro
You can log Dynpro UI elements and ALV grid-based user interfaces.

Remote Function Calls (RFC)
You can log server and client side of RFC-based communication.

Web service calls
You can log consumer and provider side of Web services-based communication.


Entities Used During Configuration

Log purpose
Each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.

Log domain
Log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.

Log context
Log context is the key field that other visible fields are related to within the logging session.

Log group
A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).

Log condition
Conditions are the rules you can define to decide when the fields in the log group are logged.
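
An added illustration, not SAP code and not part of the original slides, of the flow described under "The Way it Works" using the configuration entities above: the configuration decides whether an accessed object is log-relevant, the log condition decides whether a log group is written, and the log monitor answers "who accessed this record". All class, field and object names are assumptions made for the model, as is treating the user exclusion list and the client enablement switch as skipping logging entirely.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable

@dataclass
class LogGroup:
    purpose: str          # log purpose: use case and reason for recording
    context_field: str    # log context: key field the other fields relate to
    fields: tuple         # fields displayed together in one log entry
    condition: Callable[[dict], bool] = lambda values: True  # log condition

class RalModel:  # conceptual model; names are assumptions, not SAP code
    def __init__(self, configs, excluded_users=(), enabled=True):
        self.configs = configs               # {(channel, object): [LogGroup]}
        self.excluded = set(excluded_users)  # user exclusion list
        self.enabled = enabled               # logging enabled for the client
        self.log = []                        # stands in for the log database
    def on_access(self, user, channel, obj, values, when=None):
        """Run when data leaves via a channel; returns the entries written."""
        groups = self.configs.get((channel, obj))  # is the object log-relevant?
        if not self.enabled or user in self.excluded or not groups:
            return []
        written = []
        for g in groups:
            if g.context_field not in values or not g.condition(values):
                continue
            written.append({
                "who": user, "when": when or datetime.now(timezone.utc),
                "how": (channel, obj), "purpose": g.purpose,
                "context": (g.context_field, values[g.context_field]),
                "what": {f: values[f] for f in g.fields if f in values},
            })
        self.log.extend(written)
        return written
    def who_accessed(self, context_field, key):
        """Log-monitor style query: which users were shown data for this key?"""
        return sorted({e["who"] for e in self.log if e["context"] == (context_field, key)})

def demo():  # constructed configuration and accesses; every name is made up
    group = LogGroup("Customer privacy audit", "CUSTOMER_ID", ("IBAN", "PHONE"),
                     condition=lambda v: bool(v.get("IBAN")))
    ral = RalModel({("Web Dynpro", "CUSTOMER_DETAILS"): [group]}, {"BATCH_USER"})
    shown = {"CUSTOMER_ID": "4711", "IBAN": "XX00-SAMPLE", "PHONE": "555-0100", "NAME": "N"}
    ral.on_access("ALICE", "Web Dynpro", "CUSTOMER_DETAILS", shown)
    ral.on_access("BATCH_USER", "Web Dynpro", "CUSTOMER_DETAILS", shown)  # excluded
    ral.on_access("BOB", "Dynpro", "OTHER_SCREEN", shown)                 # not configured
    ral.on_access("CAROL", "Web Dynpro", "CUSTOMER_DETAILS",
                  {"CUSTOMER_ID": "4711", "IBAN": ""})                    # condition false
    return ral
```

In this model only ALICE's access leaves a log entry; the excluded user, the unconfigured screen and the access that fails the condition are invisible to the log monitor, which is why the exclusion list and the configuration scope matter when an investigation relies on the log.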


Transport Integration

Read Access Logging entities can be transported to other systems and clients:
• Logging purposes
• Log domains
• Configurations
• User interface recordings
• User exclusion list
• Parameter for activation


Authorization – Template Roles to Work with Read Access Logging

Template role: SAP_BC_RAL_ADMIN_BIZ
Description: A template role for business administrators doing the configuration and monitoring
Assigned authorization objects:
• S_RAL_BLKL: User exclusion list
• S_RAL_CLIS: En-/Disabling client
• S_SRAL_CFG: Configuration
• S_RAL_LDOM: Log domains
• S_RAL_PURP: Logging purposes
• S_RAL_REC: Recording
• S_RAL_ELOG: Administrative log
• S_RAL_LOG: Log Data

Template role: SAP_BC_RAL_ADMIN_TEC
Description: For technical administrators responsible for archiving, maintaining the user exclusion list, en- and disabling client and monitoring administrative log
Assigned authorization objects:
• (S_ARCHIVE): Archiving
• S_RAL_BLKL: User exclusion list
• S_RAL_CLIS: En-/Disabling client
• S_RAL_ELOG: Administrative log

Template role: SAP_BC_RAL_ANALYZER
Description: A template role for Read Access Logging analyzer
Assigned authorization objects:
• S_RAL_LOG: Log Data

Template role: SAP_BC_RAL_SUPPORTER
Description: A template role for Read Access Logging support engineer
Assigned authorization objects: See authorization objects assigned to SAP_BC_RAL_ADMIN_BIZ with display activity specification


Availability I

NW 7.40 SP0
First shipment of framework and Web service channel

NW 7.40 SP2
Shipment connection to archiving / ILM, RFC channel, Web Dynpro channel

NW 7.40 SP3
Automatic transport of configurations

NW 7.40 SP4
Shipment of Web Dynpro query logging, Dynpro + ALV grid channel

NW 7.31 SP9
Same as NW 7.40 SP4


Availability II

NW 7.30 SP11
Available as of 28.02.2014

NW 7.11 SP13
Available as of 07.02.2014

NW 7.02 SP15
Available as of 07.02.2014

NW 7.01 SP15
Available as of 31.01.2014

For legacy releases, you can use the UI logging solution from SAP Custom Development services


Key Take-Aways!

• Read Access Logging supports you in staying compliant with data privacy regulations

• Logging access to sensitive data is made easy with the Read Access Logging solution

• Read Access Logging is deeply integrated into SAP NetWeaver


Further Information

Read Access Logging on SAP Community Network
http://scn.sap.com/docs/DOC-53843

SAP Insider Article about Read Access Logging
http://scn.sap.com/docs/DOC-44006

Documentation on SAP Help Portal
http://help.sap.com/saphelp_nw74/helpdata/en/54/69bbeab2e94c93b9031584711d989d/content.htm?frameset=/en/54/69BBEAB2E94C93B9031584711D989D/frameset.htm


© 2013 SAP AG or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.
