Internal Data Security improvement with UI Logging and UI Masking
In a previous blog, I have outlined the potential benefit for organizations in setting up measures of internal data protection.
In this post I want to describe what means of improving system and data security are available in SAP in general, and introduce two solutions specifically geared at protecting data against misuse from inside the organization.
Security in SAP ERP systems
When considering the system and data security functionality that the SAP standard provides, you might first think of identity management (who has a user account) and the role and authorization concept (transaction PFCG). There are a couple of further protective means supported by SAP that, by and large, help to protect networks and systems from outside attacks.
The remaining area, protection against data theft by insiders, is not covered as well by standard functionality. This is where the two products I want to introduce here come in:
UI Logging (logging read data requests and keeping track of the exact content which was provided via user interfaces) and
UI Field Security (= UI Masking; configurable masking of data values in a user interface).
The technical approach of both solutions is to intercept the data and mask or log it just before it is provided for display on a user's screen. This takes place in the SAP NetWeaver Basis layer, which keeps the performance overhead low and makes the mechanism hard to circumvent from the application or UI side. In addition, both products are rather lightweight and highly configurable, allowing for swift implementation (a matter of weeks, not months). Specific logic can be introduced via BAdIs down to field level. As SAP products, UI Logging and UI Masking are integrated into SAP maintenance.
Let’s explore what the use case for each of the solutions is:
UI Masking: the speed limit
The straightforward way to protect data is to technically withhold it from untrustworthy users in the first place. This can be achieved by other means as well; however, these tend to be too cumbersome or not sufficiently granular. In such cases, UI Field Security comes in handy: it technically alters data values before they are sent to a user's screen. The solution allows you to define which fields (in tables and transactions) are to be protected, and how their values should be masked: you might fill a field entirely with placeholder characters, or replace only part of a value with masking characters (as you know it from credit card numbers displayed on websites). By default all users receive only masked data; the single exception is the one role configured for that field on field level. A field access trace makes data usage transparent.
The functionality is most widely used to protect personal data in HR records (income, contact details, religion, social security number, etc.) and personal information in customer data. But UI Masking can protect basically every screen in SAP GUI (and other UI channels may follow). Another use case is protecting productive data that has been copied into a test system for data quality reasons.
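The masking rules described above, modelled in plain Python as an added illustration (this is not SAP code and uses no SAP API): values are intercepted just before rendering, masked either completely or down to a trailing fragment, revealed only to the one role configured for the field, and every decision is written to an access trace. The table, field and role names and the sample record are constructed for the example.

```python
"""Field-level UI masking, modelled in plain Python.

Added illustration of the mechanism described in the post: values are
intercepted just before they are rendered and masked unless the viewing
user holds the single role configured for that field; every decision is
written to an access trace. Not SAP code; table, field and role names
and the record below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


def full_placeholder(value: str) -> str:
    """Replace the whole value with placeholder characters (length kept)."""
    return "*" * len(value)


def keep_last(n: int) -> Callable[[str], str]:
    """Mask all but the last n characters, credit-card style.

    Values no longer than n are masked completely, so a short value can
    never slip through the 'keep last n' exception unmasked.
    """
    def mask(value: str) -> str:
        if len(value) <= n:
            return "*" * len(value)
        return "*" * (len(value) - n) + value[-n:]
    return mask


@dataclass(frozen=True)
class FieldRule:
    table: str
    fieldname: str
    mask: Callable[[str], str]
    reveal_role: str  # the one role allowed to see the clear value


@dataclass
class MaskingEngine:
    rules: Dict[Tuple[str, str], FieldRule] = field(default_factory=dict)
    # access trace entries: (user, table, field, revealed_in_clear)
    trace: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def add_rule(self, rule: FieldRule) -> None:
        self.rules[(rule.table, rule.fieldname)] = rule

    def render(self, user: str, user_roles: Set[str], table: str, record: dict) -> dict:
        """Return the record as it may be displayed to `user`.

        Unprotected fields pass through unchanged; protected fields are
        masked unless the user holds the configured reveal role. Each
        protected-field decision is appended to the trace.
        """
        shown = {}
        for name, value in record.items():
            rule = self.rules.get((table, name))
            if rule is None:
                shown[name] = value
                continue
            revealed = rule.reveal_role in user_roles
            shown[name] = value if revealed else rule.mask(str(value))
            self.trace.append((user, table, name, revealed))
        return shown


def build_engine() -> MaskingEngine:
    """Constructed configuration: three protected fields of an HR table."""
    engine = MaskingEngine()
    engine.add_rule(FieldRule("EMPLOYEE", "SSN", keep_last(4), "Z_HR_PAYROLL"))
    engine.add_rule(FieldRule("EMPLOYEE", "SALARY", full_placeholder, "Z_HR_PAYROLL"))
    engine.add_rule(FieldRule("EMPLOYEE", "RELIGION", full_placeholder, "Z_HR_DIVERSITY"))
    return engine


# Constructed sample record; not real data.
RECORD = {"PERNR": "00001001", "NAME": "A. Example", "SSN": "123456789",
          "SALARY": "65000", "RELIGION": "none"}


def demo() -> Tuple[dict, dict]:
    """Render the same record for a helpdesk user and a payroll user."""
    engine = build_engine()
    helpdesk_view = engine.render("HELPDESK1", {"Z_HELPDESK"}, "EMPLOYEE", RECORD)
    payroll_view = engine.render("PAYROLL1", {"Z_HR_PAYROLL"}, "EMPLOYEE", RECORD)
    return helpdesk_view, payroll_view


if __name__ == "__main__":
    for view in demo():
        print(view)
```

Note that the payroll role reveals the SSN and salary but not the religion field, which has its own reveal role: the exception is configured per field, not per table, and a user who is not assigned the exact role sees placeholders even if they hold other HR roles.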
UI Logging: the speed trap
Data protection becomes more of a headache when you need to keep data widely accessible, so that a wider range of employees can perform a given role ad hoc. Imagine a patient collapsing in a hospital corridor: it is certainly desirable that any medical staff should have access to the patient's data. Open data access also allows users with varied tasks to work more efficiently without having to search for somebody who can help them out with the required data. Logging access on user level then increases the transparency of data usage.
Logging helps to increase data security in subtle ways. You might compare it to a speed camera: a strong disincentive that deters would-be speeders. Internal leaks are deterred because potential thieves are afraid of being found out and sanctioned, and the "human firewall" is strengthened because users become more aware of their responsibility to protect relevant information. Logging also enables your organization to identify trespassers and to prove what they did. With logging you may be able to find out exactly which data was stolen and take adequate measures to contain and minimize the damage. A logging solution may also help you fulfil legal or internal compliance requirements.
UI Logging provides just this. It determines and documents on UI level which data a user requested and what he eventually accessed, and provides functionality to analyze the log in depth or through reports. Of course, the users whose activities are to be logged can be configured, just like the scope: which transactions, particular tabs, or explicit fields need to be logged. Again, implementation is very fast, and additional logic can be added through BAdIs.
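The "speed trap" only works if somebody looks at the pictures. As an added illustration (not SAP code and not the UI Logging record format), the following Python models a field-level access log and the kind of analysis it supports: which user read how many distinct records of a protected field, and who did so in bulk within a short time window, which is the pattern a data thief scraping records one screen at a time leaves behind. The pipe-separated layout and the log lines are constructed for the example; PA20 is used illustratively as the HR display transaction.

```python
"""Bulk-read detection over a UI-level field access log, modelled in Python.

Added illustration, not SAP code and not the UI Logging record format.
The log layout (timestamp|user|transaction|table|field|record key) and
every line in SAMPLE_LOG are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Access(NamedTuple):
    ts: datetime
    user: str
    tcode: str
    table: str
    fieldname: str
    key: str


# Constructed sample log: JDOE reads six employees' SSNs within three
# minutes and one e-mail address; MSMITH reads two SSNs over an hour.
SAMPLE_LOG = """\
2024-03-01T08:00:05|JDOE|PA20|EMPLOYEE|SSN|00001001
2024-03-01T08:00:40|JDOE|PA20|EMPLOYEE|SSN|00001002
2024-03-01T08:01:15|JDOE|PA20|EMPLOYEE|SSN|00001003
2024-03-01T08:01:50|JDOE|PA20|EMPLOYEE|SSN|00001004
2024-03-01T08:02:30|JDOE|PA20|EMPLOYEE|SSN|00001005
2024-03-01T08:03:05|JDOE|PA20|EMPLOYEE|SSN|00001006
2024-03-01T08:03:20|JDOE|PA20|EMPLOYEE|EMAIL|00001006
2024-03-01T09:10:00|MSMITH|PA20|EMPLOYEE|SSN|00001001
2024-03-01T10:05:00|MSMITH|PA20|EMPLOYEE|SSN|00001001
2024-03-01T10:20:00|MSMITH|PA20|EMPLOYEE|SSN|00001007
"""

THRESHOLD = 5                    # distinct records that count as "bulk"
WINDOW = timedelta(minutes=10)   # within this much time


def parse_log(text: str) -> List[Access]:
    """Parse the constructed log layout; malformed lines are an error, not skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed log line: {line!r}")
        ts, user, tcode, table, fieldname, key = parts
        records.append(Access(datetime.fromisoformat(ts), user, tcode, table, fieldname, key))
    return records


def distinct_records_per_user(log: List[Access], table: str, fieldname: str) -> Dict[str, Set[str]]:
    """Report: which record keys of the given field each user has seen."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for a in log:
        if a.table == table and a.fieldname == fieldname:
            seen[a.user].add(a.key)
    return dict(seen)


def flag_bulk_readers(log: List[Access], table: str, fieldname: str,
                      threshold: int, window: timedelta) -> Dict[str, int]:
    """Users who read at least `threshold` distinct records of the field
    inside any time span of length `window`; value is the peak count.

    Repeated reads of the same record do not count, so a clerk who keeps
    reopening one employee is not flagged.
    """
    per_user: Dict[str, List[Access]] = defaultdict(list)
    for a in log:
        if a.table == table and a.fieldname == fieldname:
            per_user[a.user].append(a)
    flagged: Dict[str, int] = {}
    for user, events in per_user.items():
        events.sort(key=lambda a: a.ts)
        peak = 0
        for i, start in enumerate(events):
            keys = set()
            for ev in events[i:]:
                if ev.ts - start.ts > window:
                    break
                keys.add(ev.key)
            peak = max(peak, len(keys))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, keys in distinct_records_per_user(log, "EMPLOYEE", "SSN").items():
        print(f"{user}: {len(keys)} distinct SSNs read")
    print("bulk readers:", flag_bulk_readers(log, "EMPLOYEE", "SSN", THRESHOLD, WINDOW))
```

Counting distinct record keys rather than raw events is the important design choice: it separates a user who legitimately works a single case for an hour from one who walks through the personnel list. The same sliding-window count can be run per transaction or per tab once the log scope is configured that finely.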
I hope this short perspective on UI Logging and UI Masking gives you a first impression whether either of these solutions might be useful for you in the context of internal data protection!
You will find more information in our UI Logging channel here on SCN.
Need more information? Want to see a demo or discuss implications? Do you need help in evaluating these solutions against your particular data security requirements?
Please let your SAP client partner know, or contact us directly under