Natuvion is a consulting company specializing in SAP solutions for utilities and digital transformation. The presentation discusses SAP Read Access Logging (RAL), a tool that allows monitoring and logging of access to sensitive data fields within SAP systems. RAL can monitor access at different levels, including user interfaces, services, and programs. Logs show which users accessed what data and provide technical access details. Implementing RAL generally takes 10-24 weeks and involves conception, configuration, testing, and rollout phases. Natuvion's services include RAL concept development, proof of concept implementations, and full realization projects.
1. Data Security and Data Privacy
Natuvion Webcast (8) – SAP RAL - Read Access Logging
Natuvion GmbH – 09.2017
2. AGENDA
Natuvion
Webcast Series Data Security and Data Privacy
SAP RAL Read Access Logging
SAP RAL Configuration and Application
SAP RAL Introduction and Costs
Contact
BERLIN 30.11.2016 – Patric Dahse NATUVION 2
3. Since 2014, NATUVION supports customers with our experience and expertise in digitalization
Natuvion Group
▪ Founded in 2014 as an owner-managed consulting company specializing in utilities, transformation and security
▪ Office locations: Walldorf, Berlin, München, Vienna (AT), Philadelphia (US)
▪ Company size: > 55 employees
▪ Expertise of consultants: > 75 % SAP certified & Ø 12 years Utilities and SAP
▪ SAP Gold Partner
▪ SAP Recognized Expertise in Utilities
▪ SAP Landscape Transformation
▪ Long-term partner of the largest energy suppliers in Germany
Services / Skills
▪ Strategic IT-Management
▪ IT Consulting for Utilities Industry
▪ SAP Transformation & Data Services
▪ SAP Security & Data Privacy / Protection
▪ Business Intelligence / Analytics
Success Factors
▪ In-depth experience in implementation of GDPR requirements
▪ Strategic partnership with SAP Data Protection and Privacy Development Teams – ILM / IRF / Consent
▪ Close & long-term partnership with IT / data protection law experts
▪ Complete understanding of the processes and requirements from a business, IT and data privacy perspective
▪ Own certified solutions specifically for consistent data erasure, information and anonymization
▪ Designated data protection and privacy expertise (solutions)
▪ Designated transformation expertise
Relevant References
▪ Conception & introduction of anonymization (IS-U / CRM)
▪ Group-wide roll-out of a system anonymization (CRM / IS-U / ERP / HCM)
▪ Selective data deletion (IS-U / CRM / ERP / BW)
▪ Deletion concept of GDPR (SAP system landscape)
▪ IT and process concept conformity of affected persons' rights according to GDPR (information and transparency)
▪ System and data decommissioning with SAP ILM
▪ Concept and implementation information (SAP IRF)
Natuvion – Your specialist for the implementation and requirements of the GDPR
Data Security and Data Privacy in SAP - Data Anonymization
5. Natuvion Webcasts
Overview of the webcast series Data Privacy and Data Protection
The webcast series "Data Privacy and Protection in SAP" offers an outstanding overview of the actions and implementation possibilities in accordance with the EU-GDPR.
No. | Duration | Topic | Content
1 | 1 hr. | EU-GDPR Onboarding | Legal overview and basic structuring of the fields of action (1 hour)
2 | 45 min. | Deletion of Existing Historical Data | Consistent deletion of mass data in SAP system landscapes (30 minutes)
3 | 45 min. | Simple Blocking and Deletion | Overview and experiences with the introduction of SAP Information Lifecycle Management (30 minutes)
4 | 45 min. | Anonymization / Pseudonymization | Background, challenges and implementation of a GDPR compliant anonymization
5 | 30 min. | Data Reporting / Transparency | GDPR compliant data transfer from conception to implementation - SAP IRF
6 | 45 min. | Consent / Approval | GDPR compliant approval concept and introduction – SAP CONSENT
7 | 45 min. | Privacy Impact Assessment | How can PIAs be implemented and continue to exist?
8 | 30 min. | Access Monitoring of Sensitive Data | Access monitoring of personal data powered by SAP Read Access Logging
Data Security and Data Privacy in SAP - Read Access Logging
8. Read Access Logging
What is SAP Read Access Logging
The Read Access Logging Framework (RAL) allows you to monitor and log access to sensitive data / fields within SAP system landscapes. Monitoring can be performed on different levels and input channels: access through user interfaces as well as services and function / program calls can be monitored. Monitoring is configured at field level.
The result of the monitoring can be viewed either in the framework's own monitoring view or in further applications (Threat Detection / own alarm mechanisms and evaluations).
9. Read Access Logging
Industry use cases
Use Case: Health Care Industry
In a clinic, treatment information of a public figure is stolen and offered to the public for purchase (e.g. a Formula 1 star). The Data Protection Office is asked to investigate this case.
Use Case: Banking Industry
Within a bank, there is suspicion of insider trading. The Data Protection Officer is commissioned with investigating the suspicion.
Use Case: Utilities Industry
A customer of a power supply company complained to a data protection officer about the customer service: the data of the customer was used by a different power supplier for direct addressing / solicitation.
▪ Compliance with data protection regulations
▪ Compliance with industry standards (e.g. Basel for the banking sector)
▪ Access control to classified or other sensitive data (such as information on company assets or salary data)
10. Read Access Logging
Overview SAP Read Access Logging
Why RAL?
▪ Who had access to specific data (e.g. a bank account)?
▪ Who had access to personal data (e.g. business partner)?
▪ Which employee had access to special categories of personal data (e.g. religion)?
▪ Who is looking for specific persons (e.g. VIPs)?
▪ Are there patterns of regular and / or similar search queries / accesses (e.g. repeatedly calling the same bank account)?
What can RAL do?
▪ Monitoring of RFC based communication (sRFC, aRFC, tRFC, qRFC, bgRFC)
▪ Monitoring of Web Dynpro-based user interfaces
▪ Monitoring of screen UI elements and ALV Grid based user interfaces
▪ Monitoring of web service based communication
▪ Content filtering based on conditions / users / channels ...
▪ Grouping (Purpose Assignment)
Results
▪ Overview of the accesses to the monitored data fields per data channel and per access
▪ Information about the user
▪ Information about the access path (screen / transaction / program / functions ...)
▪ Technical information about the user (terminal, IP, time)
▪ Information about the contents of the displayed fields
▪ Possibility of limited storage / archiving / deletion
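As an added example (not code from the slides or from Natuvion), the three "Why RAL" questions answered over RAL-style read access records in Python: constructed records carry the result columns the slide lists (user, channel, access path, IP, time, monitored field and its content) and are queried for who read a given bank account, who read a special-category field, and which user/value pairs show repeated reads within a time window. The record keys, user names, transaction and function names are constructed placeholders, not a real RAL export format.

```python
"""Answer the slide's "Why RAL" questions over RAL-style read access records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample, not a real RAL export: the keys mirror the result columns the
# slide lists (user, channel, access path, IP, time, monitored field and its content).
def rec(user, channel, path, ip, ts, field, value):
    return {"user": user, "channel": channel, "path": path, "ip": ip,
            "ts": datetime.fromisoformat(ts), "field": field, "value": value}

LOG = [
    rec("MUELLER", "DYNPRO", "ZFPL_ACCOUNT", "10.0.5.17", "2017-09-04T08:02:11", "IBAN", "DE00-ACCT-0001"),
    rec("MUELLER", "DYNPRO", "ZFPL_ACCOUNT", "10.0.5.17", "2017-09-04T08:40:50", "IBAN", "DE00-ACCT-0001"),
    rec("MUELLER", "DYNPRO", "ZFPL_ACCOUNT", "10.0.5.17", "2017-09-04T09:15:03", "IBAN", "DE00-ACCT-0001"),
    rec("SCHMIDT", "RFC", "Z_RFC_READ_ACCOUNT", "10.0.7.2", "2017-09-04T10:00:00", "IBAN", "DE00-ACCT-0001"),
    rec("SCHMIDT", "RFC", "Z_RFC_READ_ACCOUNT", "10.0.7.2", "2017-09-04T10:05:30", "IBAN", "DE00-ACCT-0002"),
    rec("MUELLER", "WEBDYNPRO", "BP_DETAILS", "10.0.5.17", "2017-09-04T11:00:00", "RELIGION", "(masked)"),
    rec("KRAUSE", "WEBDYNPRO", "BP_DETAILS", "10.0.9.40", "2017-09-04T11:30:00", "RELIGION", "(masked)"),
    rec("KRAUSE", "WEBDYNPRO", "BP_DETAILS", "10.0.9.40", "2017-09-05T11:30:00", "RELIGION", "(masked)"),
]

def who_accessed(log, field, value):
    """Who read one specific value (e.g. a bank account), and over which channel / path."""
    return sorted({(r["user"], r["channel"], r["path"], r["ip"])
                   for r in log if r["field"] == field and r["value"] == value})

def special_category_readers(log, field):
    """How many times each user read a special-category field (e.g. religion)."""
    return Counter(r["user"] for r in log if r["field"] == field)

def repeated_access(log, field, min_hits, window_minutes):
    """(user, value) pairs where the same value was read min_hits times within the window."""
    window = timedelta(minutes=window_minutes)
    times = defaultdict(list)
    for r in log:
        if r["field"] == field:
            times[(r["user"], r["value"])].append(r["ts"])
    flagged = []
    for key, ts in times.items():
        ts.sort()  # sliding window over this user's reads of this value
        if any(ts[i + min_hits - 1] - ts[i] <= window
               for i in range(len(ts) - min_hits + 1)):
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    print(who_accessed(LOG, "IBAN", "DE00-ACCT-0001"))
    print(special_category_readers(LOG, "RELIGION"))
    print(repeated_access(LOG, "IBAN", 3, 120))
```

The masked religion values show the "contents of the displayed fields" column being withheld where logging the value itself is not wanted; the access is still attributable to user, channel and time.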
12. System Demo
Read Access Logging - Configuration and Application
(Demo diagram; labels only survive) Input channels recorded (REC): Dynpro / Web-Dynpro; Services, Functions, Programs. Steps: Selection, Transformation, User View, Administration View.
14. Introduction - Read Access Logging
The solution can be implemented within a short time.
Typical Phases During Implementation
Conception (Scope) | Configuration (Test Environment) | Individualization (Tailoring your solution) | Roll-Out (Start Regular Business) | Support
▪ Presentation of the functionalities of SAP RAL to the department (IT)
▪ Collection of relevant processes, transactions, programs and user groups
▪ Definition of data protection measures according to GDPR
▪ Automated DDIC relationship analysis (search of target fields / data)
▪ Activation of SAP RAL
▪ In addition: delivery of template(s)
▪ Customizing and technical testing of SAP RAL on the basis of the concept specifications
▪ View additional functions
▪ Protocol storage and evaluation
▪ Integration into other applications (Threat Detection)
▪ Refinement of logging (filter / conditions)
▪ Customizing distribution / master client
▪ Permissions
▪ Final function test
▪ Training / Documentation
▪ Handover to business
▪ Maintenance
▪ Result archiving
▪ Development / Roll-Out
Project Run Time: 10 – 24 Weeks (implementation); 12 - 24 Months (Support)
15. SAP Read Access Logging
Tasks and efforts during implementation
RAL offers consistent and comprehensive access control
Indicative project planning and effort assessment (1)
Work packages in sequence: (I) Conception / Preparation, (II) Realization, (III) Roll-Out Q-System, (IV) Roll-Out P-System, followed by (**) Operations & Monitoring.
Work Package | Effort Bus. | Effort IT
(I) Conception / Preparation (1)(2)(3) | 15 MD | 15 MD
(II) Realization RAL (4) | 20 MD | 35 MD
(III) Roll-Out Q-System | 10 MD | 10 MD
(IV) Roll-Out P-System | 15 MD | 10 MD
Total Effort | 60 MD | 70 MD
(1) Experiences from reference projects
(2) System in scope SAP ERP / CRM (pbD)
(3) Add. external auditing (optional)
(4) Also add. licence costs
Task Levels
Level | Activities
1 | Conception and analysis based on the present system landscape; creation of a phase plan as well as concretization of realization costs; coordination and consideration of data protection requirements
2 | Realization of the conceived monitoring channels, processes, authorizations and conditions; function test and performance test (including test automation)
3 | Roll-out and test of the configuration as well as the developments / extensions on the productive system chain (quality system)
4 | Roll-out and operation of the configuration as well as the developments / extensions on the productive system chain (production)
16. Services provided by Natuvion in the context of access control with SAP RAL
▪ Conception (Scope & Analysis)
▪ Proof of Concept (2 processes - 10 MD)
▪ Full Realization (incl. Maintenance)
▪ Quality Assurance (Audit, Training, QS)
18. Natuvion GmbH
Altrottstraße 31 | 69190 Walldorf
Phone +49 6227 73-1400
Fax +49 6227 73-1410
www.natuvion.com
We look forward to answering any of your questions!
Patric Dahse
Managing Director
Tel: +49 151 171 357 02
E-Mail: patric.dahse@natuvion.com