UI Logging of SAP GUI for Windows – Part 2 of 3

SAP Security Abdullah Alebrahem

As I have described in the previous article, the violation of data privacy and insider threats are today extremely common and how security issues become public, it’s obviously a true and awfully high challenge for companies or Enterprises in need of protecting their highly sensitive information.

Other articles in this series include:

In this article, I will throw light on SAP UI Logging. This solution covers various UI technologies such as S/4HANA, SAP GUI for Windows/HTML/Java, UI5/Fiori, CRM Web Client, RFC/BAPI and Web Services. Hence, it’s hard to discover them all in one blog, I will focus on one use case which is logging of SAP GUI for Windows.

UI Logging of SAP GUI for Windows – Overview 

SAP UI Logging allows you to figure out which users had access to which data at which point in time. You can trace all data of transactions running in SAP GUI for Windows. Logging based on roundtrips (frontend – server – frontend). 

All input and output fields on the user interface and the corresponding values such as field labels, titles, and headings tables, trees, and lists, etc. are logged into a data record. By other words, all entries made by usersare captured. After the system has processed the user input, the data displayed to the user is recorded and stored in a temporary log.

SAP UI Logging can be implemented very fast and easy without the need for changes to the system functionality. Although logging runs in the background, the performance is optimally tuned so that you have to expect only little impact on performance and system resources.

UI Logging of SAP GUI for Windows – Highlights

The major goal of using this high and effective solution is to protect your systems by identifying the insider threats and analyze the threat quickly enough before serious damage in your company happened.

Alerting scenario

After enabling alerting in the customizing, you will receive email alerts in every illegal access to sensitive data depending on the configuration you have made in Alerting Condition Editor.

Alerting
Email notification for critical data access

In alerting editor transaction /logwin/alert_edit, you have a wide range of options to define your alert conditions depending on your requirements, for example, you can decide that alerting is active only for specific user or groups on specific platforms and clients within a given timeframe.

You have the opportunity to choose which transactions, programs or Web Dynpros are critical and should be considered in your alert notification.

Alerting Defintion
Alerting Defintion

The alerts can be sent in different forms, for example, emails, short message service (SMS Gateway required), SAP workspace mail, and so on.

UI Logging
UI Logging

During the creation of the temporary log record, the system processes the information according to alerting conditions and triggers the alert.

If the temporary log is not activated for certain entries such as transaction codes or programs etc. then no alerts are triggered for those entities.

UI Logging
UI Logging

UI-Logging User Manager

Transaction: /LOGWIN/USER_MANAGER

By using this function, you can quickly maintain which users to include or exclude from UI-Logging based on user name, user role, profiles, and group memberships.

UI Logging User Manager
UI Logging User Manager

Log Analyzer and the key element of UI Logging

Let’s assume that you have configured SAP UI Logging for about 50 transactions and 200 users in your system. At the end of the day you will have a massive amount of log records with a very big number of entries like all input and output fields on the user interface, and the corresponding values, which could make your task difficult to monitor the activities of all the users.

The log analyzer is your magic wand to set filters retrieving the important log entries and makes you feel like Harry Potter while you monitor the log records in the system.

How to efficiently analyze your logs on-demand

In this example, I have maintained the transaction SU01 for logging. I want to see who had run SU01 and which log records do I have.

Transaction: /LOGWIN/LOGANALYZER

  • Log Analyzer
    Log Analyzer
  • Log Analyzer
    Log Analyzer
  • Log Analyzer
    Log Analyzer

As you see in the loganalyzer screenshots, the data which has been logged is organized within a unique name-value pairthus you have a clear overview about your analysis data on demand and wide filtering options to manage your log file details.

Conclusion

Source SAP SE
Source: SAP SE

SAP UI Logging is to be considered as a lightweight, uncomplicated and secure solution massively supporting your audit efforts. It helps you to identify potential data leaks while still being compliant with GDPR taking Data Access Transparency and Reduction of Data Access into account.

Automated controls raise an alert in case of dubious data access and manual controls allows you to review the logs periodically and in-depth. Besides the on-demand log analysis and real-time alerting facilities, you can also automate analysis through integration into SAP Enterprise Threat Detection (ETD) and use your UI Logging as a powerful data source. SAP delivers UIL-specific patterns since ETD SP7. 

Stay tuned for the next blog and we will explore the use case for SAP UI Masking.

Contact

Get in touch with us!

Do you have questions about our products?

+41 43 422 8803
[email protected]
+49 7656 8999 002
[email protected]
+1 855 594 84 64
[email protected]
+44 1454 838 785
[email protected]
Contact
Webinars

Attend our live webinars and learn more from our experts about SAP authorizations, XAMS, SAP IDM and many other topics in the context of SAP security.

Register now