
Audit data for reading.

Former Member
0 Kudos

Hello,

We want to audit our system with the SAP Audit Log. We want to know who has seen some records (sensitive data). Is it possible to audit a table for consulted records (just select)? Something like the option “Log data changes” in SE11, but without changes, just reading.

Thanks in advance,

Regards,

Walde Requena

5 REPLIES

Former Member
0 Kudos

Walde,

We're trying to do the same. Did you receive a response or work out how to audit 'reads'?

Thanks,

Tony Denns

0 Kudos

Hello Tony,

As far as I know, it is not possible using just the SAP application. So, the solution that I found was to implement a tool. There are database tools (from partners), like Oracle Audit Vault, and there is an SAP tool called UILog that we are testing. It seems to me a very good solution, because you can trace all the data transferred to the user's SAPGUI. This tool is not available through the marketplace; it was presented to us by our SAP commercial.

I hope it helps.

Regards,

Walde Requena

0 Kudos

I would not rely on the SAPGui, as the SAPGui does not have to be attached to read data from SAP.

A better option IMO would be to use the implicit enhancement points at the start and end of function modules / subroutines of the data browsers. For programs with LDBs you can also easily add the enhancement to the LDB and then not care where the call is coming from.

AT START-OF-SELECTION you read the importing parameters and the values in the selection fields and options or the select itself and save them into a table on the application server side. You can then also alert when things like USR02 or infotype 8 show up in the selections.

But whether all this hassle is worth it I still have my doubts... don't grant them access if they should not have it.

Cheers,

Julius
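
A sketch of the START-OF-SELECTION logging described in the reply above, as an added example that is not code from the thread or from SAP. It assumes a hypothetical custom table `ZREAD_AUDIT` with the fields used below; the two watch-list values are constructed, and how a table name or infotype appears in the selections depends on the program being enhanced.

```abap
* Added example: body of an implicit enhancement at START-OF-SELECTION.
* ZREAD_AUDIT is a hypothetical custom table (assumption) with key fields
* MANDT, UNAME, TSTAMP, SEQNR plus the data fields filled below.
DATA: lt_sel   TYPE STANDARD TABLE OF rsparams,
      ls_sel   TYPE rsparams,
      lt_audit TYPE STANDARD TABLE OF zread_audit,
      ls_audit TYPE zread_audit,
      lv_ts    TYPE timestampl,
      lv_seq   TYPE i.

* Read the parameters and select-options the user entered.
CALL FUNCTION 'RS_REFRESH_FROM_SELECTOPTIONS'
  EXPORTING
    curr_report     = sy-cprog
  TABLES
    selection_table = lt_sel
  EXCEPTIONS
    not_found       = 1
    no_report       = 2
    OTHERS          = 3.

IF sy-subrc = 0.
  GET TIME STAMP FIELD lv_ts.
  LOOP AT lt_sel INTO ls_sel WHERE low IS NOT INITIAL OR high IS NOT INITIAL.
    lv_seq = lv_seq + 1.
    CLEAR ls_audit.
    ls_audit-uname    = sy-uname.          " who ran the selection
    ls_audit-tstamp   = lv_ts.             " one timestamp per run
    ls_audit-seqnr    = lv_seq.            " keeps the key unique within the run
    ls_audit-tcode    = sy-tcode.
    ls_audit-repid    = sy-cprog.
    ls_audit-selname  = ls_sel-selname.    " name of the selection field
    ls_audit-sel_sign = ls_sel-sign.
    ls_audit-sel_opt  = ls_sel-option.
    ls_audit-low      = ls_sel-low.
    ls_audit-high     = ls_sel-high.
    " Constructed watch list: exact matches only, so patterns and ranges
    " covering these values are not flagged by this check.
    IF ls_sel-low = 'USR02' OR ls_sel-low = '0008'.
      ls_audit-alert = 'X'.
    ENDIF.
    APPEND ls_audit TO lt_audit.
  ENDLOOP.
  IF lt_audit IS NOT INITIAL.
    " No COMMIT WORK here, so the enhanced program's own LUW is left alone.
    INSERT zread_audit FROM TABLE lt_audit.
  ENDIF.
ENDIF.
```

This records the selection criteria a user submitted, not the rows that were returned, so a review of the log shows what was asked for rather than exactly which records were displayed.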

0 Kudos

Hi Julius,

I agree with you that I would not rely on the client regarding security. I also have no idea what UILog is. But theoretically, you could have an SAP GUI proxy in front of your system and inspect what is being sent between SAP GUI and the system. I wrote a simple proxy in Python that does this. I wanted to use it for playing with the DIAG protocol, not for logging of data transferred to clients.

As other people said, there is no silver bullet provided by SAP. Some SAP modules do log access to data (HR and credit card details come to mind). For others, you can try to build your own logging, but it might be really hard for some modules.

Cheers

0 Kudos

Hi all,

Maybe I didn’t explain correctly. UILog is an SAP tool and is not installed on the client side; it is an add-on that traces all the information that is passed to the SAPGUI by the server. Exactly as Martin said, it is for inspecting what is being sent between SAP GUI and the system, and the information remains in the SAP database. It doesn’t rely on SAPGUI.

I hope it helps.

Regards,

Walde Requena