Data Description

The SECPOL_LOG event is used to determine and log all changes made to security policies, which are a user and authorization management entity.

Potential Use Cases

This event could be used in the following scenarios:

  • Determine which security policies are created in the SAP system(s) with attributes for which you explicitly do not want to use the default value

  • Monitor to determine if critical security policies and attributes are being changed

  • Identify and alert on security policy changes that could create compliance concerns

Splunk Event

The event will look like this in Splunk:

SAP Navigation

Log in to the SAP system and execute the transaction SECPOL_CHANGES. Select the display option “Show Raw Change Documents” along with the required inputs in the selection fields.

Change Documents/Logs for the policies are displayed in the output screen as below.

Field Mapping

| Field | Description | Unit of Measure |
|---|---|---|
| EVENT_TYPE | SECPOL_LOG | String |
| EVENT_SUBTYPE | Not Applicable for this Event Type (always blank) | String |
| CURRENT_TIMESTAMP | The date time stamp when the information was collected | YYYYMMDDHHMMSS |
| CHANGENUMBER_HEADER | Change Document Number | Numerical |
| POLICY_NAME_HEADER | Security Policy Name | String |
| POLICY_TEXT_HEADER | Security Policy Text | String |
| ATTRIBUTE_KEY | Security Policy Attribute Name | String |
| ATTRIBUTE_TEXT | Security Policy Attribute Text | |
| CHNGIND_HEADER | Policy Header (Name) Change Indicator | 1 Character Value: I for Insert, C for Change, D for Delete |
| CHNGIND | Policy Attribute Change Indicator | 1 Character Value: I for Insert, C for Change, D for Delete |
| CHANGEDATE_HEADER | Change Document Date (UTC) | YYYYMMDD |
| CHANGETIME_HEADER | Change Document Time (UTC) | HHMMSS |
| CHANGEUSER_HEADER | User ID | String |
| CHANGETCODE_HEADER | Transaction code | String |
| VALUE_OLD | Old Value | String |
| VALUE_NEW | New Value | String |
| UTCDIFF | The UTC offset in HHMMSS that the data was collected in | HHMMSS |
| UTCSIGN | The UTC positive or negative offset indicator. Positive (+) means add UTCDIFF to find the time zone of the data, negative (-) means subtract the UTCDIFF to find the time zone adjusted date time the data was collected in. | + \| - |

Note: This event type is available from PowerConnect version 6.08 onwards and SAP NetWeaver version 7.40 and above.
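The monitoring use cases above can be applied to the Field Mapping fields as follows. This is an added example, not PowerConnect or SAP code. It assumes each event has already been parsed into a dict keyed by the field names in the table; the sample events, the watch list and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

INDICATORS = {"I": "insert", "C": "change", "D": "delete"}  # CHNGIND / CHNGIND_HEADER values

def change_time(ev):
    """Return the change document time as (UTC, system-local) datetimes."""
    utc = datetime.strptime(ev["CHANGEDATE_HEADER"] + ev["CHANGETIME_HEADER"],
                            "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    d = ev["UTCDIFF"]  # HHMMSS offset; UTCSIGN says whether to add or subtract it
    offset = timedelta(hours=int(d[:2]), minutes=int(d[2:4]), seconds=int(d[4:6]))
    if ev["UTCSIGN"] == "-":
        offset = -offset
    return utc, utc.astimezone(timezone(offset))

def review(events, watched_attributes):
    """Return findings for policy deletions and for changes to watched attributes."""
    findings = []
    for ev in events:
        reasons = []
        if ev.get("CHNGIND_HEADER") == "D":
            reasons.append("policy deleted")
        attr, ind = ev.get("ATTRIBUTE_KEY", ""), ev.get("CHNGIND", "")
        if attr in watched_attributes and ind in INDICATORS:
            reasons.append(f"{attr} {INDICATORS[ind]}: "
                           f"{ev.get('VALUE_OLD', '')!r} -> {ev.get('VALUE_NEW', '')!r}")
        if reasons:
            utc, local = change_time(ev)
            findings.append({"policy": ev["POLICY_NAME_HEADER"],
                             "change_document": ev["CHANGENUMBER_HEADER"],
                             "user": ev["CHANGEUSER_HEADER"], "tcode": ev["CHANGETCODE_HEADER"],
                             "utc": utc.isoformat(), "local": local.isoformat(),
                             "reasons": reasons})
    return findings

# Constructed sample events (not real data); policy, user and attribute values are illustrative.
BASE = {"EVENT_TYPE": "SECPOL_LOG", "POLICY_NAME_HEADER": "ZADMIN", "CHANGEUSER_HEADER": "JDOE",
        "CHANGETCODE_HEADER": "SECPOL", "CHANGEDATE_HEADER": "20240312", "UTCDIFF": "010000",
        "UTCSIGN": "+", "CHNGIND_HEADER": "C"}
SAMPLE = [
    {**BASE, "CHANGENUMBER_HEADER": "101", "CHANGETIME_HEADER": "134500", "CHNGIND": "C",
     "ATTRIBUTE_KEY": "MIN_PASSWORD_LENGTH", "VALUE_OLD": "10", "VALUE_NEW": "6"},
    {**BASE, "CHANGENUMBER_HEADER": "102", "CHANGETIME_HEADER": "135000", "CHNGIND": "I",
     "ATTRIBUTE_KEY": "Z_UNWATCHED", "VALUE_OLD": "", "VALUE_NEW": "1"},
    {**BASE, "CHANGENUMBER_HEADER": "103", "CHANGETIME_HEADER": "140000", "CHNGIND": "",
     "ATTRIBUTE_KEY": "", "CHNGIND_HEADER": "D", "UTCDIFF": "053000", "UTCSIGN": "-"},
]
WATCHED = {"MIN_PASSWORD_LENGTH"}  # assumption: your own list of critical attributes
if __name__ == "__main__":
    for finding in review(SAMPLE, WATCHED):
        print(finding)
```

Each finding carries the change document number, user and transaction code, so an analyst can look up the same record in SECPOL_CHANGES.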