Logging of Read access performed by users

Former Member
0 Kudos

Hi all

There are some audit requirements whereby the client wants to have a log whenever certain 'sensitive' data fields are queried/viewed by users.

The business case here is that if there is a leak of information, they wish to capture who were the people that had viewed this information (even if they are authorized to do so).

Just to give you guys an example, the bank account maintained in Infotype 0008 (Table PA0008) might be sensitive. So, if there is a leak, they might want to know who all the users were that viewed the bank account number for an employee in the last month.

There might not be many data fields that are termed sensitive, so any method of achieving this will be ok. Is there any way in standard SAP or any external product that achieves this?

A prompt response will be appreciated.

Thanks and Regards

Joy Kaushish

Accepted Solutions (0)

Answers (2)

Former Member
0 Kudos

Hi Joy,

Did you find a way to get a list of users who view sensitive data (PA30)? If you have a solution, could you please post it here.

Thanks

Venkat

Former Member
0 Kudos

Hi Venkat

We haven't really tested this approach out yet, but I think this is what we will be going on with:

To log access made to Infotypes through transactions like PA30 and PP01, there are two user-exit/BADI (HRPAD00INFTY and HRBAS00INFTY) available that can be used such that whenever a user goes to the PA30 (PP01) screen and enters a 'sensitive' Infotype in change or display mode, information such as the Pers no, IT, IT record, username of the user who viewed, date and time stamp can be added into a custom table.

However, note that these user exits will be executed every time a user wants to view an IT record screen. The user exit will then do the comparison of the IT that the user has accessed with every IT mentioned to be logged until a match is found and then the entry is created. If the list of ITs to be compared to is a lot, this user exit can lead to performance deterioration.

- Joy
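As an added example that is not part of the thread, the ABAP below sketches how the logging described above could be done while avoiding the performance concern of comparing the accessed IT against a long list. It is a helper class that an implementation of the HRPAD00INFTY BAdI (for example its BEFORE_OUTPUT method, which receives the infotype key in a PSPAR structure; confirm the exact interface in SE18) would call with the fields it receives. The table names ZHR_SENS_INFTY (configuration: one row per sensitive infotype) and ZHR_INFTY_ACCESS (the log) are assumed custom tables you would create yourself; the list of sensitive infotypes is loaded once per session into a hashed table so the lookup cost does not grow with the number of ITs to be logged.

```abap
" Added example, not code from the thread. Assumed custom tables:
"   ZHR_SENS_INFTY   - key field INFTY, one row per infotype to be logged
"   ZHR_INFTY_ACCESS - log table with the same fields as TY_LOG below
CLASS zcl_sensitive_access_log DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_log,
             mandt TYPE mandt,
             logid TYPE sysuuid_c32,   " assumed key: one GUID per access
             pernr TYPE pernr_d,       " personnel number that was viewed
             infty TYPE infty,         " infotype, e.g. 0008
             subty TYPE subty,
             begda TYPE begda,         " record validity = the IT record viewed
             endda TYPE endda,
             actio TYPE actio,         " operation (display/change) as passed by PA30
             uname TYPE syuname,       " who viewed it
             ldate TYPE sydatum,       " when
             ltime TYPE syuzeit,
           END OF ty_log.

    " Returns abap_true when the infotype is configured as sensitive.
    CLASS-METHODS is_sensitive
      IMPORTING iv_infty            TYPE infty
      RETURNING VALUE(rv_sensitive) TYPE abap_bool.

    " Writes one log row if (and only if) the infotype is sensitive.
    CLASS-METHODS log_if_sensitive
      IMPORTING iv_pernr TYPE pernr_d
                iv_infty TYPE infty
                iv_subty TYPE subty
                iv_begda TYPE begda
                iv_endda TYPE endda
                iv_actio TYPE actio.

  PRIVATE SECTION.
    TYPES: BEGIN OF ty_sens,
             infty TYPE infty,
           END OF ty_sens.
    " Hashed table: lookup cost is constant, however many ITs are configured.
    CLASS-DATA gt_sensitive TYPE HASHED TABLE OF ty_sens WITH UNIQUE KEY infty.
    CLASS-DATA gv_loaded    TYPE abap_bool.
    CLASS-METHODS load_config.
ENDCLASS.

CLASS zcl_sensitive_access_log IMPLEMENTATION.
  METHOD load_config.
    " Read the configuration once per session so the exit does not
    " hit the database on every infotype screen.
    SELECT infty FROM zhr_sens_infty INTO TABLE @gt_sensitive.
    gv_loaded = abap_true.
  ENDMETHOD.

  METHOD is_sensitive.
    IF gv_loaded = abap_false.
      load_config( ).
    ENDIF.
    rv_sensitive = xsdbool( line_exists( gt_sensitive[ infty = iv_infty ] ) ).
  ENDMETHOD.

  METHOD log_if_sensitive.
    IF is_sensitive( iv_infty ) = abap_false.
      RETURN.   " not sensitive: nothing to record, exit as cheaply as possible
    ENDIF.

    DATA(ls_log) = VALUE ty_log( mandt = sy-mandt
                                 pernr = iv_pernr
                                 infty = iv_infty
                                 subty = iv_subty
                                 begda = iv_begda
                                 endda = iv_endda
                                 actio = iv_actio
                                 uname = sy-uname
                                 ldate = sy-datum
                                 ltime = sy-uzeit ).
    TRY.
        ls_log-logid = cl_system_uuid=>create_uuid_c32_static( ).
      CATCH cx_uuid_error.
        RETURN.   " cannot build a key; skip rather than dump in the user's screen
    ENDTRY.

    INSERT zhr_infty_access FROM @ls_log.
  ENDMETHOD.
ENDCLASS.
```

From the BAdI implementation you would call `zcl_sensitive_access_log=>log_if_sensitive( iv_pernr = ipspar-pernr iv_infty = ipspar-infty iv_subty = ipspar-subty iv_begda = ipspar-begda iv_endda = ipspar-endda iv_actio = ipspar-actio )`, with `ipspar` being whatever name the method's PSPAR parameter has in your release. Two points a practitioner would want to check: the log row is written in the caller's database LUW, so if a later step of the transaction rolls back, the entry could be lost (writing it through an update-task function module keeps it independent), and the ZHR_INFTY_ACCESS table itself should be protected by authorizations and change logging, since a read-access log that any user can edit is worth little in an audit.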

former_member185954
Active Contributor
0 Kudos

Hello Joy,

Have a look at SM19/SM18/SM20 transactions, these will help you define Audit Logs. You can set appropriate filters as per your requirements.

Regards,

Siddhesh

Former Member
0 Kudos

Hi Siddhesh

The security audit log does not have any event class that logs the number of times a person viewed a 'critical' data field.

The closest logs are the table changes logs but they only capture the 'changes' made to the table and not the views executed on the table.

Regards

Joy

former_member185954
Active Contributor
0 Kudos

Hello Joy,

In that case you have two options :

1. Something like SAP Versa, I think it has been acquired by SAP these days. I think SAP Versa might have some tools.

2. ABAP Code to create some kind of custom event that gets triggered every time someone opens the records in read mode and your ABAPer logs it into some Z Table.

Other than that, I don't think there is anything else.

Regards,

Siddhesh

Former Member
0 Kudos

Yeah, I guess using a user exit to record the log in a custom table every time an IT is read is the best option.

However the concern here is that we cannot implement this for queries that are run that access the data field. This log will only capture the times that the transaction that displays the field was opened in read mode.

former_member185954
Active Contributor
0 Kudos

Another crude way is to use trace files and put a filter; ST05 is the transaction.

Activate SQL Trace with filter and include the table names that you think are sensitive.

Activate Trace daily and then switch it off to view it.

I know it's crude, but it might give you what you need till your ABAP Code is ready.

Caution: Trace files have a tendency to grow on the filesystem, consult your Basis guys before you do all this.

Regards,

Siddhesh

Former Member
0 Kudos

Hmm.. that's another interesting approach... was taking a look at that and have a couple of concerns:

1. Does it let you include ONLY 5 tables at a time?

2. Why did you say that it needs to be activated daily and switched off daily? Shouldn't it be deactivated only when the trace needs to be read from the system; and then activated back again once the trace has been read.

3. Any idea how long this trace is kept in the system? Is the previous trace deleted as soon as a new trace is activated or is this trace stored until we manually delete them or archive them from the database.

Regards

Joy

former_member185954
Active Contributor
0 Kudos

Hello Joy,

Here are my answers to your questions:

1. Does it let you include ONLY 5 tables at a time? - don't know, check SAP Documentation on ST05

2. Why did you say that it needs to be activated daily and switched off daily? Shouldn't it be deactivated only when the trace needs to be read from the system; and then activated back again once the trace has been read. - I am a BASIS guy so hate to see huge trace files, so it came out subconsciously that you should switch off trace to view it; so assuming that you will check daily, you would need to switch it off anyways.

3. Any idea how long this trace is kept in the system? Is the previous trace deleted as soon as a new trace is activated or is this trace stored until we manually delete them or archive them from the database. - Traces are not stored in database I think, you can protect your trace from being overwritten

ST05 is the quickest way to do trace, however ST05 is considered to be performance trace.

However ST01 is called system trace and has multiple options.

Check this link:

http://help.sap.com/saphelp_47x200/helpdata/en/1f/83114c4bc511d189750000e8322d00/frameset.htm

Regards,

Siddhesh