During the recent implementation of SAP Read Access Logging, that our client will be using to log personal data access, we have encountered a small gap. In our current SAP NetWeaver version, search-helps logging is not supported. That means, that if a person looking for some sensitive information (phone number, for example), uses a search-help instead of going directly to customer master transaction, these actions will not be logged.
To fill this gap, the following has been developed:
- Single screen program that outputs a generic table using a table control.
- Transaction attached to this program
- Simple class that calls this transaction in background mode using very simple BDC
- Implicit enhancement of the standard function module( 'DD_SHLP_GET_HELPVALUES') to pass data to this transaction.
- Custom table that contains search help names relevant to RAL logging
RAL recording that contains every field of the generic table has also been created.
Eventually, when someone receives a search-help output, the following happens:
1. Data is passed to the custom transaction in background mode before search-help output is displayed.
2. RAL logging is triggered, values are being recorded to RAL Raw Database
However, some caution should be exercised with this approach - every search-help call might generate hundreds if not thousands of records. Thus said, if there is a requirement to log search-helps output using RAL, it will be a good idea to explicitly specify the elementary search-helps that contain sensitive data and avoid logging everything.