You can use Read Access Logging (RAL) to monitor and log access to personal data. The information provided may include, for example, which business users accessed business partner personal data, and in which time frame.
SAP delivers default configurations, which assign dedicated fields to log domains. A log domain is a category that groups semantically identical or related data fields. Logging occurs for all fields disclosed on the UI that are related to these domains. The domain is displayed in the log.
You can activate, deactivate, or change the available RAL configurations in the Read Access Logging Configuration app. Consider carefully which information is relevant for logging, and configure your system to log only what you really control. A wide logging scope produces a large volume of data that is harder to process than the output of more specific logging configurations.
The following table lists the log domains that are part of the delivered sample configuration content. You can use these log domains or define your own, according to your needs.
| Log Domain Name | Description |
|---|---|
| | Data referring to a bank account |
| | Data referring to biometric data |
| | Data referring to criminal or administrative offenses or suspected criminal or administrative offenses |
| | Data referring to racial or ethnic origin |
| | Data referring to genetic data |
| | Data referring to health data |
| | Data referring to political opinion |
| | Data which is usually based on profiling like: scoring, rating, unwanted customer |
| | Data referring to religious or philosophical beliefs |
| | Data referring to professional secrecy |
| | Data referring to sex life |
| | Data referring to sexual orientation |
| | Data referring to social security number |
| | Data referring to trade union membership |
These log domains are logged with fields related to business partner (BP), customer (CUSTOMER), supplier (VENDOR), legal entity (LEGAL_ENTITY), employee (EMPLOYEE), or student (STUDENT) because they are only identifiable with this additional personal data. For example, TRADE_UNION data requires details on the EMPLOYEE.
Log conditions are used, if required, to limit the logging of data (in technical terms, these fields are treated as AND conditions). For example, you could configure RAL to log a field related to the employee in a specific transaction only if the employee’s religion is shown. If this field is only visible on a tab where the employee’s religion is not displayed, access to this field is not logged.
RAL is switched off by default. You can activate it in the respective section of the Read Access Logging Configuration app. In the Read Access Logging: Monitor app, you can view created logs. If you need a downloaded version of your RAL logs, please contact the Service Center. Also contact the Service Center if you need to create new configurations.
For more information on Read Access Logging and the related apps, see Read Access Logging.