Application Development Discussions

How to know when a SAP user read a File

Former Member
0 Kudos

Hello,

The question is about a directory in the server where SAP is installed. The directory can be read by SAP (that is, by sidadm) because some SAP users need to access some files in the directory.

Even if some SAP users need to access the data, we want to know when and who read the files. We have a third-party tool that advises us when the file has been accessed by sidadm, but we still don't know which SAP user has done it.

So the question is if there is a log in SAP where this information is registered. I checked in SM20 but didn't find it.

Thanks,

Félix

5 REPLIES 5

Former Member
0 Kudos

What is the transaction or program that accesses these directories? You can search based on that.

Former Member
0 Kudos

Hi venkatesh,

Thanks for the quick reply.

I agree that in this way we monitor the "official" door for accessing the files, but still there could be many other ways to access the files (AL11, custom programs, etc.) that are not monitored.

Of course these other accesses should be restricted by roles and good programming practices, but still I'd like to implement (if possible) a second control.

Best regards,

Félix

0 Kudos

Hi,

I can think of only one method to log it, but I doubt it's practical for a production environment. As you know, you can control access to a file using authorization object S_DATASET. This check is performed within the kernel, so it's always performed. So if you turn on the authorization trace in ST01, then you should be able to look for checks for S_DATASET and use it as a log. There is no way to restrict the trace to just one object, and running a full trace in a production environment is not a good idea.

Maybe remove authorization S_DATASET from all roles, and when users start complaining, add the authorization for them and note down the transaction and folder/files which are accessed from this transaction. Later you can use it in combination with the SM19 log to figure out who accessed that file.

Cheers

Former Member
0 Kudos

SM20N and associated programs are useful as an overview, but on their own not complete.

I built an overview cockpit which in addition also checks ST22, SM13, SM21 for specific messages, etc.

Specifically for access to the OS you have to additionally take care of access points which bypass the application layer's ability to log the access.

S_DATASET is the correct approach and there are some recent changes in this area as far as management of logical file paths are concerned. If you are a customer, you will have received this information already.

My recommendation would be to block all other access and force it via the application (S_LOG_COM in tcode SM69 or S_DATASET in ABAP).

For an example of what to globally block, see [SAP Note 1499244 for call 'system' infos|https://service.sap.com/sap/support/notes/1499244], but there are others.

Also search for the term "secinfo" and keep an eye out for the term "identical".

For the central note on DATASET operations see [SAP Note 1497003 for generic input validations|https://service.sap.com/sap/support/notes/1497003] and search for term "SPTH".

Take lots of camels and water with you!

Cheers,

Julius
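Julius's recommendation to force file access through the application layer and rely on S_DATASET can be combined with an explicit audit record, so the SAP user name is captured even though the OS only ever sees sidadm. The following ABAP report is an added example (not code from this thread or from SAP); it assumes a hypothetical custom table Z_FILE_ACCESS_LOG with the fields named in the comment.

```abap
REPORT z_logged_file_read.

" Assumed custom table Z_FILE_ACCESS_LOG (hypothetical, not from the thread)
" with fields MANDT, UNAME, DATUM, UZEIT, TCODE, PROGRAM, FILENAME, RESULT.

PARAMETERS p_file TYPE char255 LOWER CASE OBLIGATORY.

DATA: lv_line  TYPE string,
      lv_count TYPE i,
      ls_log   TYPE z_file_access_log.

START-OF-SELECTION.
  " Fill the audit record once; RESULT is set per outcome below.
  ls_log-uname    = sy-uname.
  ls_log-datum    = sy-datum.
  ls_log-uzeit    = sy-uzeit.
  ls_log-tcode    = sy-tcode.
  ls_log-program  = sy-repid.
  ls_log-filename = p_file.

  " Explicit S_DATASET check (ACTVT 33 = read). The kernel repeats this check
  " on OPEN DATASET, but checking here lets us record denied attempts as well.
  AUTHORITY-CHECK OBJECT 'S_DATASET'
    ID 'PROGRAM'  FIELD sy-repid
    ID 'ACTVT'    FIELD '33'
    ID 'FILENAME' FIELD p_file.
  IF sy-subrc <> 0.
    ls_log-result = 'D'.                " denied by authorization
    INSERT z_file_access_log FROM ls_log.
    COMMIT WORK.
    MESSAGE 'No authorization to read this file' TYPE 'E'.
  ENDIF.

  OPEN DATASET p_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
  IF sy-subrc <> 0.
    ls_log-result = 'F'.                " open failed (missing file, OS permissions)
    INSERT z_file_access_log FROM ls_log.
    COMMIT WORK.
    MESSAGE 'File could not be opened' TYPE 'E'.
  ENDIF.

  DO.
    READ DATASET p_file INTO lv_line.
    IF sy-subrc <> 0. EXIT. ENDIF.
    lv_count = lv_count + 1.
  ENDDO.
  CLOSE DATASET p_file.

  ls_log-result = 'R'.                  " read succeeded
  INSERT z_file_access_log FROM ls_log.
  COMMIT WORK.
  WRITE: / 'Lines read:', lv_count.
```

Together with blocking direct OS and AL11 paths as the post describes, the Z_FILE_ACCESS_LOG rows answer the original question (which SAP user, when, which file, which transaction) and can be correlated with the third-party tool's sidadm events by timestamp.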

0 Kudos

Martin, I would love to turn on the trace in Production, but I guess that would be my last decision in the company.

Julius, I like the approach of blocking all the accesses except the ones that are under control, and maybe I could implement it in new systems. I will try to push this configuration in the next new system.

Thanks to all of you,

Best regards,

Félix