SAP Product Management Security
Finding the Leak –
Disclaimer
This document does not constitute a legally binding proposal, offer, quotation or bid on the part of SAP. SAP assumes that the parties negotiate legally binding contracts relating to the subject of this
document in a later phase. Any and all information contained in this document is preliminary and subject to change and shall not at any time be considered as binding. Especially preliminary is the described solution, the scope and the pricing. SAP expressly reserves the right to make subsequent alterations to the content of this document. This document is exclusively based on the information
provided to SAP by the customer and SAP’s understanding of the customer’s requirements. Changing these requirements might also cause a change in system architecture or functionality. The contents of this document represent business secrets of SAP and must be handled in confidence by the customer. In particular, forwarding information to third parties is prohibited. This document and information
included in it must be used exclusively for the purposes of evaluating the possibility of future business cooperation between SAP and customer. Any other use requires prior written consent from SAP. If the underlying proposal is not accepted, all documents and all copies of these documents must be
returned to SAP immediately on demand or, if no request is made, destroyed within one month after rejection or non-acceptance of our proposal. All brands, trademarks etc. used in this document,
© 2013 SAP AG or an SAP affiliate company. All rights reserved. 3
Agenda
Why Use Read Access Logging?
The Way it Works
Customer Challenges with Data Access
Compliance with data privacy regulations
Compliance with industry standards (e.g. Basel suite for the banking industry)
Monitor the access to classified data or other sensitive data (such as information about company assets or salary data)
Monitor user actions on a need-to-know basis only, deleting the logs thereafter
SAP provides a solution that allows you to log read access to sensitive data:
Use Cases for Read Access Logging (RAL)
John is a data security officer in a bank. Recent analysis of stock transactions indicates malicious orders placed with insider information about bank customers. John was asked to investigate the issue and identify the information leak.
Chelsea is a compliance manager at a big retailer. A customer of the retailer has complained that his
Read Access Logging Application
The Read Access Logging Application can be accessed via the transaction SRALMANAGER, providing access to
• Read Access Logging Configuration
• Data logged with Read Access Logging
• Administrative Log
In addition, Read Access Logging is integrated into the archiving framework to allow automated archiving of older log entries.
Read Access Logging with SRALMANAGER
The Way it Works
The Read Access Logging framework (RAL) allows customers to trace which data was sent out of the system, by enabling remote communication and user interface infrastructures to log access to sensitive data.
When an application/transaction is started, the Read Access Logging configuration is read. It indicates whether the current remote-enabled function module, Web service operation, Dynpro or Web Dynpro UI element is log-relevant.
The RAL configuration defines which fields and elements should be logged. Knowing this, the requested field and element values are set for logging.
Finally, the log data is written to the database.
The Way it Works
(Diagram: Read Access Logging Framework, showing Configurations, Log conditions, Log writer and Log data in database)
Features
Read Access Logging (RAL) allows you to track data access:
Who had access to the data
Which data was accessed
When was the data accessed
How was the data accessed (transaction or user interface)
Amount of detail to be logged is customizable based on
User interfaces used to access the data
Operations executed on remote APIs
Users using the remote APIs / user interfaces
Supported Channels
Read Access Logging supports the following channels:
Web Dynpro
You can log context-bound UI elements of Web Dynpro-based user interfaces.
Dynpro
You can log Dynpro UI elements and ALV grid-based user interfaces.
Remote Function Calls (RFC)
You can log server and client side of RFC-based communication.
Web service calls
Entities Used During Configuration
Log purpose
Each RAL configuration requires a logging purpose. It groups the log events you want to record by use case and reason for recording.
Log domain
Log domains define the semantic meaning of the data elements that will be captured during the log recording. This helps auditors understand the data recorded in the log results.
Log context
Log context is the key field that other visible fields are related to within the logging session.
Log group
A log group is a collection of fields that are displayed in the same log entry (based on the logging purpose).
Log condition
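The configuration-driven flow described under "The Way it Works" (read the configuration, decide whether the element is log-relevant, collect the configured field values, write the entry) and the who / which / when / how questions from the Features slide, as an added Python model. This is illustration code written for this page, not SAP's implementation or the SRALMANAGER API: the classes, the transaction and function-module names (ZPAYVIEW, Z_GET_SALARY, ZADDRVIEW), the field names and the access events are all constructed, and the log condition is simplified to a "these fields must be non-empty" check, which is an assumption rather than how SAP conditions are configured.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogDomain:
    """Log domain: the semantic meaning of a captured element (constructed model)."""
    name: str
    description: str


@dataclass(frozen=True)
class LogGroup:
    """Log group: fields shown together in one entry, under one logging purpose."""
    purpose: str           # logging purpose (use case / reason for recording)
    context_field: str     # log context: key field the other fields relate to
    fields: dict           # UI or API field name -> LogDomain


@dataclass(frozen=True)
class LogCondition:
    """Log condition, simplified here to 'these fields must be non-empty' (assumption)."""
    required_nonempty: frozenset


@dataclass(frozen=True)
class Configuration:
    channel: str     # "Dynpro", "Web Dynpro", "RFC" or "Web service"
    element: str     # transaction, function module or service operation
    group: LogGroup
    condition: LogCondition


@dataclass(frozen=True)
class LogEntry:
    user: str
    timestamp: datetime
    channel: str
    element: str
    purpose: str
    context_value: str
    values: dict     # log domain name -> captured value


class ReadAccessLog:
    """Models the four steps on the slide: read config, check relevance, set values, write."""

    def __init__(self, configurations, excluded_users=frozenset()):
        self._configs = {(c.channel, c.element): c for c in configurations}
        self._excluded = excluded_users      # user exclusion list
        self.entries = []                    # stands in for the log table in the database

    def record_access(self, user, channel, element, field_values, when):
        cfg = self._configs.get((channel, element))   # step 1: read the configuration
        if cfg is None or user in self._excluded:     # step 2: element / user not log-relevant
            return None
        if not all(field_values.get(f) for f in cfg.condition.required_nonempty):
            return None                               # log condition not met: nothing to write
        grp = cfg.group                               # step 3: collect the configured fields
        values = {dom.name: field_values[f]
                  for f, dom in grp.fields.items() if f in field_values}
        entry = LogEntry(user, when, channel, element, grp.purpose,
                         str(field_values.get(grp.context_field, "")), values)
        self.entries.append(entry)                    # step 4: write the log entry
        return entry

    # The who / which / when / how questions from the Features slide.
    def who_accessed(self, domain, context_value):
        return sorted({e.user for e in self.entries
                       if domain in e.values and e.context_value == context_value})

    def how_accessed(self, user):
        return [(e.timestamp, e.channel, e.element) for e in self.entries if e.user == user]


# Constructed configuration: one log group for salary data, keyed by personnel number,
# attached to a Dynpro transaction and an RFC function module in the customer (Z) namespace.
SALARY = LogDomain("SALARY", "Employee salary amount")
PERSON_ID = LogDomain("PERSON_ID", "Personnel number of the employee")
PAYROLL_GROUP = LogGroup("HR_PAYROLL_AUDIT", "PERNR",
                         {"PERNR": PERSON_ID, "SALARY_AMOUNT": SALARY})
SALARY_PRESENT = LogCondition(frozenset({"SALARY_AMOUNT"}))
CONFIGS = [
    Configuration("Dynpro", "ZPAYVIEW", PAYROLL_GROUP, SALARY_PRESENT),
    Configuration("RFC", "Z_GET_SALARY", PAYROLL_GROUP, SALARY_PRESENT),
]


def build_sample_log():
    """Replays constructed access events and returns the resulting log."""
    log = ReadAccessLog(CONFIGS, excluded_users=frozenset({"BATCH_JOB"}))
    t = datetime(2014, 3, 3, 9, 15)
    rec = {"PERNR": "10042", "SALARY_AMOUNT": "5400"}
    log.record_access("JOHN", "Dynpro", "ZPAYVIEW", rec, t)                # logged
    log.record_access("ALICE", "RFC", "Z_GET_SALARY", rec, t)               # logged
    log.record_access("BOB", "Dynpro", "ZPAYVIEW", {"PERNR": "10042"}, t)   # no salary shown: skipped
    log.record_access("BATCH_JOB", "RFC", "Z_GET_SALARY", rec, t)           # excluded user: skipped
    log.record_access("CAROL", "Dynpro", "ZADDRVIEW", rec, t)               # not configured: skipped
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("who read the salary of 10042:", sample.who_accessed("SALARY", "10042"))
    print("how ALICE accessed it:", sample.how_accessed("ALICE"))
```

The point of the model is the ordering: the configuration, not the application, decides whether an access is written, so an un-configured screen (ZADDRVIEW) or a listed user (the exclusion list) leaves no trace, and a screen that did not actually display the sensitive field (BOB's call) is filtered by the log condition rather than producing a misleading entry.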
Transport Integration
Read Access Logging entities can be transported to other systems and clients:
Logging purposes
Log domains
Configurations
User interface recordings
User exclusion list
Authorization – Template Roles to Work with Read Access Logging
Template role: SAP_BC_RAL_ADMIN_BIZ
Description: A template role for business administrators doing the configuration and monitoring
Assigned authorization objects: S_RAL_BLKL (User exclusion list), S_RAL_CLIS (En-/Disabling client), S_SRAL_CFG (Configuration), S_RAL_LDOM (Log domains), S_RAL_PURP (Logging purposes), S_RAL_REC (Recording), S_RAL_ELOG (Administrative log), S_RAL_LOG (Log Data)

Template role: SAP_BC_RAL_ADMIN_TEC
Description: For technical administrators responsible for archiving, maintaining the user exclusion list, en- and disabling client and monitoring administrative log
Assigned authorization objects: (S_ARCHIVE) Archiving, S_RAL_BLKL (User exclusion list), S_RAL_CLIS (En-/Disabling client), S_RAL_ELOG (Administrative log)

Template role: SAP_BC_RAL_ANALYZER
Description: A template role for Read Access Logging analyzer
Assigned authorization objects: S_RAL_LOG (Log Data)

Template role: SAP_BC_RAL_SUPPORTER
Description: A template role for Read Access Logging support engineer
Availability I
NW 7.40 SP0
First shipment of framework and Web service channel
NW 7.40 SP2
Shipment connection to archiving / ILM, RFC channel, Web Dynpro channel
NW 7.40 SP3
Automatic transport of configurations
NW 7.40 SP4
Shipment of Web Dynpro query logging, Dynpro + ALV grid channel
NW 7.31 SP9
Availability II
NW 7.30 SP11: Available as of 28.02.2014
NW 7.11 SP13: Available as of 07.02.2014
NW 7.02 SP15: Available as of 07.02.2014
NW 7.01 SP15: Available as of 31.01.2014
Key Take-Aways
• Read Access Logging supports you in staying compliant with data privacy regulations
• Logging access to sensitive data is made easy with the Read Access Logging solution
• Read Access Logging is deeply integrated
Further Information
Read Access Logging on SAP Community Network
http://scn.sap.com/docs/DOC-53843
SAP Insider Article about Read Access Logging
http://scn.sap.com/docs/DOC-44006
Documentation on SAP Help Portal
© 2014 SAP AG. All rights reserved. 43
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.