Monitoring Access to Sensitive Data using SAP RAL

The disclosure of up to 200,000 classified documents belonging to the NSA by Edward Snowden in 2013, together with the release of over 750,000 U.S Army cables, reports and other sensitive information by Bradley Manning in 2010, has drawn attention to the need to control and monitor access to confidential data in corporate systems. For this reason, the general availability of the latest version of the SAP NetWeaver Application Server in May could not have been more well-timed.

NetWeaver AS ABAP 7.40 includes a new component known as Read Access Logging (RAL) to register and review user access to sensitive data. The momentum for RAL is driven not only by well-publicised information leakages but data protection requirements impacting industries such as e-commerce, healthcare and financial services. RAL is also in demand with organisations that have a relatively open authorization concept and therefore are more susceptible to data misuse. Aside from enabling organisations to verify user access to sensitive data and respond to potential abuses before they lead to the mass exfiltration of information, RAL acts as a deterrent for such abuse if users are aware that their actions are logged and monitored.

RAL supports calls though RFC, Dynpro, Web Dynpro and Web service channels. It is not enabled by default and therefore must be activated by selecting the Enable Read Access Logging in Client parameter in the Administration tab of the RAL Manager accessed via transaction SRALMANAGER. However, prior to enabling RAL, customers should follow several predefined configuration steps using the SAP_BC_RAL_CONFIGURATOR and SAP_BC_RAL_ADMIN_BIZ roles and associated authorization objects delivered by SAP. The first involves defining logging purposes to create logical groupings of log events based on the specific requirements of the organisation.  The second step is creating log domains to group related fields. For example, a domain for customer-specific information could be created to band together fields such as address, date-of-birth, SSN, etc.

Steps one and two establish the overarching structure for log information. The actual fields to be logged are identified during step three through recordings of sessions in supported user interfaces. Once identified, fields are assigned to log conditions and domains in step four. SAP will initiate RAL when the Enable Read Access Logging in Client parameter is selected which represents the final step of the configuration process.

Logs can be accessed through transaction SRALMONITOR or the Monitor tab of SRALMANAGER. Log entries include attributes such as time of the entry, user name, channel, software component, read status, client IP address and details of the relevant application server. Extended views provide more detail of log events than default views. The log monitor supports complex searches of events and filtering by multiple parameters.

RAL configuration settings can be exported to other systems through an integrated transport manager accessed through transaction SRAL_TRANS. Furthermore, logs can be archived using standard Archive Administrative functions in SAP NetWeaver via transaction SARA.

Although RAL is currently only available in NetWeaver AS ABAP 7.40, a release is planned for version 7.31 in the near future. Layer Seven Security can enable your organisation to leverage the full benefits of Read Access Logging and safeguard confidential information in SAP systems. To learn more, contact our SAP Security Architects at or call 1-888-995-0993.

Leave a Reply

Your email address will not be published. Required fields are marked *