SAP security standards stipulate that access to sensitive business data must be logged in SAP products. SAP Gateway uses the Application Log to fulfill this security requirement by logging the ID and the field name of the retrieved business objects. Read access logs for SAP Gateway are created in the core software component for SAP Gateway, SAP_GWFND.
To activate the logging mechanism, set the log level to be used for the Application Log. You can set the log level globally for all users or, alternatively, for specific users only. To set the required log level, launch the SAP Customizing Implementation Guide (transaction SPRO) and choose, or Set Log Level for Specific Users.
To permit the creation of read access logs, you must select one of the following levels:
A = All
Messages of type Information, Warning, Security, and Error are saved to the Application Log.
I = Step Completion Information
Messages of type Step Completion Information, Warning, Security, and Error are saved to the Application Log. Messages of type Step Initiation Information are omitted.
W = Error, Security, Warning
Messages of type Error, Security, and Warning are saved to the Application Log.
S = Error, Security
Messages of type Error and Security are saved to the Application Log. Messages of type Step Initiation Information and Step Completion Information are omitted.
You must select one of the above log levels to ensure that read access logs are written.
The following log levels also exist, but they do not permit the creation of read access logs.
Error: Messages of type Error are saved in the Application Log. Messages of type Warning, Security, Step Initiation Information, and Step Completion Information are omitted.
None: No messages are created or saved.
Use the Application Log Viewer (transaction /IWFND/APPS_LOG) to view read access logs written to the Application Log. For more information, see Application Log Viewer.
In the Application Log Viewer, fill out the relevant input fields on the selection screen to specify the list of log protocols you want to display. All read access log messages are of type Information and have the corresponding long text "Entity disclosed to client in the response. See details." The long text provides details about the disclosed business object, namely the object ID and the field names that were requested. The log never stores the actual values of the business object fields that were requested.
SAP Gateway does not provide service-based configuration to specify which fields are to be written to the log and whether the values shall be recorded.
Read access logging can only be activated or deactivated by setting the appropriate log levels as described in this topic. SAP Gateway does not provide service-based configuration options.
Read access logs must be viewed in the Application Log Viewer (transaction /IWFND/APPS_LOG).
Logs are deleted regularly by automatically scheduled jobs. For more information about clearing logs written to the Application Log Viewer, see Periodical Tasks and refer to the Cache Settings section that explains how default cleanup jobs are created.