
HaloCORE in SAP Systems

How does it Work?

Prerequisites:

  1. HaloCORE Add-On, HaloENGINE, and HaloENGINE Service must be installed and configured.

  2. Classification rules must be configured. 


HaloCORE in SAP System

  1. ABAP Add-on in action: When a user downloads a file, HaloCORE runs in the background to:

    1. determine a HaloENGINE Service connection that is alive.

    2. collect the requested metadata through the NetWeaver Add-On and send it to the HaloENGINE. For example,

      • tcode = SE16

      • user_ip = 10.91.0.145

      • application_component = BC-DWB-UTL

      • type_of_event = Spreadsheet display

      • mail_sensitivity = Confidential

      • report_name = SAPMSTAZ

      Optionally, the Classification UI can also be displayed to the users if pre-classification is requested by HaloENGINE. This helps to extend classification attributes and values as metadata to have deeper access to the NetWeaver Client. For example,

      • preclassification = key "SENS", value "SECRET"

      • preclassification = key "DOM", value "ENGG"

      • preclassification = key "ORG", value "USA"

      Note: This requires Classification UI to be enabled in SAP Add-On.

  2. HaloENGINE in action: Based on collected data and derived classification, HaloENGINE determines the actions (block/label/protect/notify) to be executed on the file.

    1. If action = block, the download is blocked with a message logged as "The download was blocked by the configured rules".

    2. If action = block + notify/label + notify/protect + notify, HaloENGINE requests the NetWeaver client (BAdI) to send a notification.

    3. If action = label and protect, the file is sent to HaloENGINE Service. The file is processed as stated below and is sent back to the SAP client via HaloENGINE.

      • The file is embedded with the derived classification properties.

      • The file is encrypted with the derived label.

    4. If an improper action is present or action is not available, then the file will not be processed further. It will be downloaded without any changes.

  3. The exported file is saved in the user-specified location. For more details on each step, please look into the Detailed Download Log.

Display Download Log Properties

Once you have installed and configured the HaloCORE Add-On, you will want to examine the log which contains records of each file downloaded from SAP. Use transaction /SECUDESD/DISP_LOG to display the log list. For comprehensive details, please refer to the HaloCORE Installation Manual. 

List with Logged Data

The log is displayed as an ALV grid, with all the standard functions and features. On the standard list, not all fields are displayed, and depending on your authorizations, some fields may be deactivated altogether. Due to limitations in the ALV grid, the File Name and Path field may not display the full path. To display the full path in a pop-up window, select the log entry in question and click on the File Path button in the menu or double-click on the field. The File Name and Path field displays the encrypted file name with full path details for files downloaded with the protection option. In the case of files downloaded without protection, the File Name and Path field displays the original file name with full path details.

In addition to the fields shown by default, the following can also be displayed, by modifying the layout: 

Audit log

  1. Complete name

  2. Terminal ID

  3. Platform/Front End

  4. Transaction Text

  5. Report/Program Name

  6. Appl. Description

  7. Package

  8. Appl. Component

  9. Log UID

  10. With User Interface

  11. Unprotected

  12. Source System

  13. HTTP User Agent

  14. User ID

  15. User Type

For detailed information about the individual fields, select and press F1.

Only for SAP GUI downloads: The Terminal ID, IP Address, Transaction Code, and Transaction text fields are applicable.

Only for WDA downloads: The Web Dynpro Appl. field is applicable and the log displays only the downloaded file name and not the file path in the File Name and Path field.

The data in the audit log is shown in an ALV grid format and can be changed using the standard ALV Layout Manager as described below:

  1. On the standard ALV grid, click Choose Layout and select Change Layout

    Change Layout dialog

    1. To add fields to the display list:
      On the right side of the Change Layout screen, select the column name(s) from Column Set and click Show selected fields. The fields will move to Displayed Columns.

    2. To hide fields from the display list:
      On the left side of the Change Layout screen, select the column name(s) from Displayed Columns and click Hide selected fields. The fields will move to Column Set.

  2. Click Adopt. Optionally, if you want to save the layout, click Save As, type a name for the layout and description, and click Adopt. The saved layout will be listed in Choose Layout. The following tables describe each field in the layout and log buttons:

Field – Description

Aborted By System – Download was aborted by the system; together with ERROR, if the fail-safe mode is "strict"; or set by the BAdI.

Appl. Component – Application Component name.

Appl. Description – Description of the Web Dynpro application.

Complete name – The complete name is not persistently logged; read from the user master at the time of log display.

Cancelled By User – The download was aborted by the user.

Date/Time – The actual date and time (stored internally as UTC timestamps, displayed in the end user's date/time format and time zone) at which a download occurred.

Download Blocked – "Blocked" refers to a DLP action. For example, a user's download is restricted when he does not have proper authorization.

Error – An error occurred during processing; the system could not perform the required activities on the file. For example, when RMS or HaloENGINE Service is not reachable.

File Name and Path – Name and (if available) location where the file was saved.
  Note: XXL display and printing do not result in a file; therefore the information shown here is generated from the source of the data (XXL) or the spool request's title or name (printing). XXL display will result in a file if “Replace XXL display with a file” is selected for “XXL Display” in HaloCORE Client Parameters.

File Size (Downld.) – Downloaded file size can be different than File Size (Original) if the file was labeled or protection was applied.

File Size (Original) – Original file size.

HTTP User Agent – Browser information.

IP Address – The IP address of the destination system.

Labeled – Data was labeled (= classified & labeled) by HaloCORE.
  Note: Not all file types support labeling; in such a case, "Labeled" will be left blank.

Log UID – The technical ID of the log entry.

Logged Event – Indicates the following events with icons:

  • download

  • e-mail

  • download for viewing (KPro)

  • spreadsheet display

  • printing

  • Copy/paste action

  Note: For technical purposes, there is another field with the same name "Logged Event", which is usually hidden; it contains the same information in text form (blank=download, "M"=mail, or V=download for viewing). Useful in case of printing or filtering purposes.

Message Level – The log level defines the severity of the logged messages. It is represented in three different colors, for details refer to section "Fail-Safe—Log level".

  1. Indicates only information and success messages.

  2. Indicates an error occurred (e.g., inconsistent settings).

  3. Indicates warnings occurred (e.g., communication failure with the HaloENGINE Service or event logged in simulation mode).

Originally Protected – Data was originally protected (i.e., an existing file was downloaded which already had RMS protection).

Package – SAP Package name.

Platform / Front End – Front-end operating system.

Policy Name – The policy applied during protection.

Protected – Data was protected (= classified & protected) by HaloCORE.

Report/Program Name – Name of the report/program.

Source System – Source system (sending system) from which the data was exported.

Table Names – Name of the table that was downloaded.

Technical File Type – Technical type of the file. It can be null, if not clearly identifiable (e.g., an ANSI text file or unknown binary format).

Terminal ID – Host name of the destination.

Transaction Code – Transaction code associated with a download.

Transaction Text – Not persistently logged; read from the Data Dictionary at the time of log display.

Unprotected – The uploaded file was unprotected.

User ID – If the user type is not "SAP" (non-NetWeaver), the user ID provided by the log will be displayed here.

User Name – Name of the user who triggered the download.

User Type – It can be blank (for logs originating within NetWeaver itself), "SAP", "mail address", or "BO user ID".

WebDynpro Appl. – Name of the Web Dynpro application.

With User Interface – The download happened with the UI.

HaloCORE Log fields
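
A triage pass over an exported download log, built from the field descriptions above. This is an added example, not part of HaloCORE or its manual. It assumes the log has been exported to CSV with the column names from the field table and that a set flag is exported as a non-blank value such as "X"; the category names, and the reading of an Error without Aborted By System as a download that went ahead unprocessed, are this example's own.

```python
import csv
import io

# Column names are taken from the log field table; the CSV layout itself and
# the "X" = flag set convention are assumptions of this example.
COLUMNS = ["Log UID", "Transaction Code", "Download Blocked", "Error",
           "Aborted By System", "Cancelled By User", "Labeled", "Protected",
           "File Size (Downld.)"]

# Constructed sample rows (not real log data), in COLUMNS order.
SAMPLE_ROWS = [
    ("UID-0001", "SE16",           "",  "",  "",  "",  "X", "X", "24576"),
    ("UID-0002", "S_ALR_87012284", "X", "",  "",  "",  "",  "",  "0"),
    ("UID-0003", "SE16",           "",  "X", "X", "",  "",  "",  "0"),
    ("UID-0004", "SE16",           "",  "X", "",  "",  "",  "",  "10240"),
    ("UID-0005", "S_ALR_87012284", "",  "",  "",  "",  "",  "",  "4096"),
    ("UID-0006", "SE16",           "",  "",  "",  "X", "",  "",  "0"),
    ("UID-0007", "SE16",           "X", "",  "",  "",  "",  "",  "2048"),
]
SAMPLE_EXPORT = "\n".join(",".join(r) for r in [COLUMNS] + SAMPLE_ROWS)

# Categories that an analyst should look at first.
REVIEW = {"blocked_but_data_written", "error_fail_open"}


def flag(row, column):
    """A flag column counts as set when it holds any non-blank value."""
    return bool((row.get(column) or "").strip())


def size(row, column):
    """Parse a size column; blank or non-numeric values are treated as 0."""
    value = (row.get(column) or "").strip()
    return int(value) if value.isdigit() else 0


def classify(row):
    """Map one log row to a triage category."""
    downloaded = size(row, "File Size (Downld.)")
    if flag(row, "Download Blocked"):
        # The manual states the downloaded size is 0 for a blocked file,
        # so a non-zero size on a blocked row is an inconsistency.
        return "blocked" if downloaded == 0 else "blocked_but_data_written"
    if flag(row, "Cancelled By User"):
        return "cancelled"
    if flag(row, "Error"):
        if flag(row, "Aborted By System"):
            return "aborted_on_error"
        # Assumption: an error without an abort and with data written means
        # the file left SAP without the configured processing.
        return "error_fail_open" if downloaded > 0 else "error_no_data"
    if flag(row, "Protected"):
        return "protected"
    if flag(row, "Labeled"):
        return "labeled_only"
    return "unchanged"  # audit-only download, nothing applied


def triage(export_text):
    """Return {Log UID: category} for every row of the export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["Log UID"]: classify(row) for row in reader}


def review_queue(export_text):
    """Log UIDs whose category needs analyst attention, sorted."""
    return sorted(uid for uid, cat in triage(export_text).items()
                  if cat in REVIEW)


if __name__ == "__main__":
    for uid, category in triage(SAMPLE_EXPORT).items():
        print(uid, category)
    print("review:", review_queue(SAMPLE_EXPORT))
```
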


HaloCORE Log Icons

Description

1 – Downl. of diagnostic information – Generates a compressed XML file for analyzing issues.
2 – Log – Displays the logged details.
3 – File Path – Displays the filename and downloaded path.
4 – Classification – Displays attribute name, system, and user-derived values.
5 – Justification – Displays the justification text (which is entered in HaloENGINE) while uploading the protected files in SAP.
6 – Tables – Displays table names.
7 – Mail Recipients – Displays mail recipients.
8 – Ext.Attributes – Displays Label name and label ID for an SAP download, Runtime - Modifying File, Total Runtime, and Simulation mode status. Displays additional attributes provided by external logs (like BO universe, dimension, Content Server, etc.). It appears only if the log currently displays fields with such attributes; otherwise, it is hidden.
9 – Selections – Displays the selection criteria (log and derive classification from the user's input on report selection screens).
10 – Errors and Warnings – Displays the error and warning messages.

Classification, Tables, Mail Recipients, Ext. Attributes and Selections button will not be displayed if there is no data. The other buttons Log, File Path, and Errors and Warnings will always be displayed.

The examples presented in this manual are for illustrative purposes only and do not constitute a comprehensive explanation of:

  • Creating a classification profile for each (block/protect) case

  • The download process of all supported file types


Create a Classification Profile 

For illustration purposes, a simple classification profile is shown below:

  1. Step 1: Configure classification properties and their values.

    Create classification properties

  2. Step 2: Configure PII or Financial Information for certain tcodes. (optional)

    1. Create and configure Custom Pre-Expressions based on Client Metadata types. (optional)

    2. Create classification rules based on metadata types and/or Pre-Expression.

      Create classification rules

  3. Step 3: Download Rules (create Action rules to indicate whether a download needs to be blocked, labeled, or protected).

    1. Block 

      Create action rules - block

    2. To configure the action rule for the "Protect" feature, make sure the profile is mapped to a registered HaloENGINE Service.

      Create action rules - MPIP

    3. Document Owner (Optional)


      Document Owner

  4. Step 4: Upload Rules (create Action rules to define how a file must be decrypted when uploading a file) - Optional

    Upload Rules

  5. Step 5: Assign systems to the profile. 

    Assign systems

  6. Step 6: Make sure that you have configured the HaloENGINE local log and monitor properties.

Audit-only/Unprotected File Download

To download an unprotected file, follow the steps:

  1. Login to SAP.

  2. Execute a tcode from where you want to extract data. In this example, tcode S_ALR_87012284 is used.

  3. The file will be downloaded in the user-specified location and it is logged in the Detailed Download Log. Note: In an audit-only case, the downloaded file will not be classified. Please see the figure below. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 


    HaloCORE log of an unprotected file download

Blocking of File Download

To block a file download, follow the steps: 

  1. Configure the rule in the HaloENGINE Admin Portal as shown in the example below. Refer to the section "Create a classification profile" to know how to create a profile.

    HaloENGINE rule for blocking

  2. Login to SAP.

  3. Execute a tcode from where you want to extract data. In this example, tcode S_ALR_87012284 is used.

  4. Select a file type to download. For illustrative purposes, a Spreadsheet is chosen in this section.

  5. Click on the Spreadsheet icon and choose Excel (in Office 2007 XLSX Format) from the list.

  6. Click OK and enter a filename in the Save As dialog.

  7. HaloCORE blocks the download of the report from SAP with the following message. 

    File blocked message for a spreadsheet download

  8. Click OK. You will see the following SAP GUI Security dialog. Note: Depending on the user's GUI settings, the SAP GUI Security dialog may or may not appear.

    SAP GUI Security #1

  9. Click Allow.

  10. Whenever an xlsx file is chosen for download, SAP tries to open the file automatically, which is the standard behavior. Because the file is blocked by HaloCORE, the auto-opening of the file fails, and hence, Windows displays the following error message as it could not find the file in a specific location.

    SAP GUI Security #2

  11. Click OK.

  12. The file download is blocked based on the rules and actions configured in HaloENGINE. 

  13. The field "File size (Dld)" will be "0" when a file is blocked.

    Note: Error message varies depending upon the type of file selected for download. 

    File blocked messages in the status bar while saving as a local file

  14. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 


    HaloCORE log of a blocked file

Blocking of Spool Printing

To block the download of a spool request, follow the steps:

  1. Configure the rule in the HaloENGINE admin portal as shown in the below example. Refer to the section "Create a classification profile" to know how to create a profile. 


    HaloENGINE rule for blocking of Spool printing

  2. When you attempt to download a spool request, HaloCORE intercepts the request and blocks the data.

    File blocked message for a Spool request export #1

  3. Click OK. The following message will appear:

    File blocked message for a Spool request export #2

  4. Click OK. The following message will appear:

    File blocked message for a Spool request export #3

  5. Click OK. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 


    HaloCORE log of a blocked spool list download

Blocking of Emails with Attachments 

To block email attachments, follow the steps:

  1. Prerequisite: Configure the rule for blocking email attachments. Refer to the section "Create a classification profile" to know how to create a profile. 

    HaloENGINE rule for blocking the attachments

  2. Create email

    1. Compose an email with an attachment in transaction code S_ALR_87012284.

    2. Enter the recipient’s email ID (for example, derek@secude-qc.com) and set Recip. Type as Internet address.

  3. Click Send.

There are two outcomes for an email-blocking scenario:

  1. Recipient—The original attachment is replaced with an HTML file. If there are ‘n’ number of attachments in the original mail, the sender will get ‘n’ number of notification emails, one for each attachment.

  2. Sender—To inform the sender what happened, HaloCORE will notify the sender stating that the attachment is blocked.

Recipient

The following is an example email that is received by the recipient:

Recipient's mail

Sender

The following is an example email that the sender receives.


Notification mail from HaloCORE to sender

For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 


HaloCORE log of a blocked email with attachments

Labeling and Protecting of Mail Attachment

This section explains how to protect a file that is sent over SMTP.

  1. Configure the required rule in the HaloENGINE admin portal. Refer to the section "Create a classification profile" to know how to create a profile.  

  2. Login to SAP.

  3. Call transaction SBWP, or go to SAP Menu > Office and double-click SBWP – Workplace.

  4. Click New message.

  5. Compose a mail with an attachment.

    1. Click the Attributes tab > Select a value for Sensitivity from the list. Note that the value "Confidential" stands for all three of the SAP-side settings "Confidential" & "Business" & "Private". These three values are only available in HaloENGINE Admin Portal. Therefore, you need to select only "Confidential" or "Functional" or "Standard" from the list. 


      SBWP and HaloENGINE Sensitivity Values

    2. Enter email addresses in Recipient and select RecipientType.

  6. Click Send.

  7. The protected file is sent to the recipient. 

  8. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 

  9. Limitations: 

    1. Labeling and protection can only be applied to attachments (files) sent to Internet addresses. Other types of recipients such as Fax number, Pager number, Telex Number, etc. are not supported.

    2. Note that there will be two log lines for every attachment that gets sent. (Mail messages without attachments are not logged at all.)

    3. The first log line is written when the mail is created.

    4. The second log line (with flags checked for protection and/or labeling) is written when the mail is transmitted to the recipients. 


    HaloCORE log of an email attachment

Labeling and Protecting of File Download 

To download a protected file, follow the steps:

  1. Configure the required rule in the HaloENGINE Admin portal. Refer to the section "Create a classification profile" to know how to create a profile.  

  2. Login to SAP. 

  3. Execute a tcode from where you want to extract data. For example, data can be extracted as an Excel file from S_ALR_87012284.

  4. The Save As dialog will appear. Choose a directory, enter a filename, and then click Save. For example, Balance sheet.xlsx.

    Save As Dialog

  5. (Optional) Classification dialog will appear (if Classification UI is enabled in HaloCORE Client Parameters). You can either confirm system-derived classification or modify the classification and then click Confirm.

    Pre-classification UI

  6. You will see the following SAP GUI Security dialog. Note: Depending on the user's GUI settings, the SAP GUI Security dialog may or may not appear.

    SAP GUI Security dialog #2

  7. Click Allow.

  8. If you are prompted by the SAP GUI Security dialog again as shown below, click Allow.

    SAP GUI Security dialog #3

  9. The file will be labeled as defined in HaloENGINE.

  10. Whenever an xlsx file is chosen for download, SAP tries to open the file automatically followed by a Microsoft Sign-in pop-up for user authentication. After authentication, the file will open. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu).


    HaloCORE log of a labeled file download

Uploading and Downloading Files to/from Content Server

HaloCORE supports labeling, protection, logging and optionally blocking of all accesses to original files from SAP DMS (Document Management Service) stored on the NetWeaver system database or in a Content Server (CS). Refer to the section "Create a classification profile" to know how to create a profile.  

SAP Standard message while blocking a file

For more details, see the HaloCORE Download Log (by navigating to Log Administration -> Display Download from the HaloCORE main menu). 


HaloCORE log of uploading and viewing a file in the Content Server

Downloading as an XLSX File instead of XXL display

Prerequisite:
Make sure that the XXL Display option in HaloCORE Client Parameters is configured as Replace XXL display with a file. Please note that once this option is set, it is not possible to save the file in other file types via the Save As dialog.

The following is an example to show XLSX file download:

  1. Configure the required rule in the HaloENGINE admin portal. Refer to the section "Create a classification profile" to know how to create a profile.

  2. Login to SAP. 

  3. Execute a tcode from where you want to extract data. In this example, tcode SE16 is used.

  4. Click on the Spreadsheet icon and select the Excel (In Existing XXL Format) option.

    File download with XXL format

  5. Click OK. The Save As dialog will appear with a default file name.

    Save As dialog

  6. Click Save.

  7. The file will be downloaded with the XLSX file type by default. 

Downloading in Simulation Mode

If running in simulation mode, labeling/protection/blocking will not be performed, but in the background, all the HaloCORE processes will run as per the configured rules and the simulated result will be stored in logs. The following is an example to simulate HaloCORE processes when a download is performed. 

  1. Configure the required rule in the HaloENGINE admin portal and set it in “Simulation Mode”. Refer to the section "Create a classification profile" to know how to create a profile. 

  2. Login to SAP. 

  3. Execute a tcode from where you want to extract data. For example, data is extracted as an Excel file from SE16.

  4. The Save As dialog will appear. Choose a directory, enter a filename, and then click Save. For example, Simulation Mode.xlsx.

  5. (Optional) Classification dialog will appear (if Classification UI is enabled in HaloCORE Client Parameters). You can either confirm system-derived classification or modify the classification and then click Confirm.

  6. You will see the following file renaming message if the actions label/protect are configured in action rules.

    Simulation Mode message

  7. Click OK.

  8. You will see the SAP GUI Security dialog. Note: Depending on the user's GUI settings, the SAP GUI Security dialog may or may not appear.

  9. Click Allow.

  10. The file will be downloaded without a label being applied. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu).


    HaloCORE log displaying a download in Simulation Mode

Decrypting a Protected File During Upload

The following is an example to demonstrate the decryption process during an upload:

  1. Configure the required rule in the HaloENGINE admin portal. Refer to the section "Create a classification profile" to know how to create a profile.  

  2. Login to SAP. 

  3. Execute a tcode from where you want to upload a protected file. In this example, tcode MM03 is used.

  4. Click Services For Object -> Create -> Create Attachment -> select a labeled file and click OK. [Please note, in this example, the file (Balance Sheet.xlsx) that is going to be uploaded is already protected with the HCAD Public label].

  5. The file will be uploaded as an attachment to the purchase order.

  6. Download the same file from SAP:

    1. After uploading the file, click Services For Object -> Attachment List.

    2. From the list, select the previously uploaded file and click Export.

    3. Click OK.

  7. There are two outcomes for this scenario:

    1. During upload - The original label HCAD Public is removed and the decrypted file is saved.

    2. During download - The file is exported from SAP with a new label HCAD Confidential that is defined in the Classification Engine.

  8. The following figure shows the difference between uploaded and downloaded files from SAP.


    File upload and download

  9. For more details, see the HaloCORE Download Log (by navigating to Log Administration --> Display Download from the HaloCORE main menu). 


    HaloCORE log of uploading and downloading file
