In this blog post common queries around UI Masking & UI Data Protection Masking Solutions are gathered and addressed.
Q: What all UI Technologies does Masking supports?
A: UI Masking is currently available for objects built on SAP GUI, SAP CRM, Web Dynpro ABAP, SAPUI5 and SAP Fiori. It is also possible to protect data exposed via SAP Gateway.
Q: Does masking work in databases?
A: UI Masking solution works on presentation layer. The data in database tables remains unchanged. However, special handling has been done to mask data when it is being displayed from data browsers such SE11, SE16 and SE16N transactions.
Q: How masking for a field is controlled?
A: Masking is controlled by PFCG roles. A user who has PFCG role assigned in configuration for a field is authorized to see the original data. All other users will see the data in masked form. It is also possible to extend scenarios via implementing the BAdI to achieve Selective Masking or Attribute Based Authorization.
Q: Is masking supported for Custom programs or custom tables as well?
A: Yes, UI Masking solution doesn’t differentiate between standard and custom objects. The behavior is the same across.
Q: Can we change data for a masked field?
A: The field gets disabled for editing when it is configured for masking. Hence, user will not be able to change its value.
Q: Does Masking add-on has any impact existing standard ERP/Fiori applications?
A: Masking happens at runtime (on the fly) and hence functional behaviour of applications and data in DB tables are not impacted.
Q: Is there any sizing requirement or performance consideration with masking?
A: There is no sizing requirement and performance impact is negligible and not noticeable to the human eye.
Q: Will masking work if the technical address of a field in SAP GUI contains a structure instead of a table?
A: Yes, as masking works on the UI Layer, it doesn’t differentiate between a table or a structure.
Q: Is there any provision to turn on/off UI Masking to avoid any risks.
A: Masking solution can be turned on and off by using the global masking switch provided with the solution.
Q: Does masking solution work during debug?
A: While Debugging developers access data at application layer and because masking exists after application layer, developers with debug access will be able to see original data.
Q: What is HANA Masking and how UI Masking is different from this?
A: HANA Masking is meant for DB Admins who access the DB directly. It prevents unauthorized persons to access data in HANA database. However, when HANA is connected to an application server such as S/4HANA, we need to pass original data to the server so that businesses can run smoothly. UI Masking then kicks in after business has run to process the data and mask for unauthorized users in the application UI’s (GUI/Fiori etc..).
HANA masking and UI Masking complement each other and help protect data at both ends outside the spectrum of business processing.
Q: Is there a video I can see to quickly understanding masking solution
A: Refer the links below.
- External, published PDF à https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html
- Short introduction video à http://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html
Q: Does masking work with Composite roles as well?
A: Yes, masking supports both composite and single role. If a composite role is maintained in customizing, then a user which has either the composite role or any of the single roles which comprises the composite role would be able to see unmasked data.
Q: How does the create and change transactions work for a data field that has been masked?
A: For change transaction, the field is disabled for editing. For create transaction, the masked field should be pre-populated, otherwise save will not be allowed for the transaction.
Q: Does UI Masking solution also mask the values displayed during F4 search?
A: Yes, F4 search help are supported for masking.
Q: Will UI masking affect the function of our customized program as we will generate payment file to bank. Should we be worried that data in payment file will be masked too.
A: The payment file will not be masked. Masking works outside the business layer and in the presentation layer. Thus, business processes are not impacted.
Q: Does Masking prevents unauthorized access when data is being downloaded from an ALV?
A: Yes, Masking works during download scenarios. The sensitive data will appear in masked form in the downloaded list.
Q: Does UI Masking work supports spool results?
A: Yes, sensitive data will appear in masked form in spool results.
Q: What is a high-level effort estimate for masking and logging?
A: Typically, customers can go live with each masking / logging channel in a matter of weeks, if not days. The important thing is to have a ready set of requirements and then the configurations are straight forward.
Q: Wil masking work for custom programs and or SQL statements and BADIs?
A: For SAP GUI masking, if you can see the Table-Field details in F1 Technical help, masking will work.
Q: Can masking and logging be implemented independently?
A: Yes, they are independent solutions which work best when used together but can be used independently as well.
Q: What will be the impact of this solution system to system communication such as RFC calls?
A: There is no impact of masking on system / communication ID’s as we do not work on machine to machine layer.
Q: How can masking BAdI be implemented to achieve selective masking / attribute-based authorization masking.
A: The approach is as follows
- Create Masking BADI implementation with filter value
- In that, you need to check the ABAP stack of the program and check where you can get the context which you can use to decide if you want to mask this field or not.
- For instance, you would check if (program)t-f1 value EQ ‘ABC’ then mask. This will be applicable to the field f2 which is currently being processed in the BADI
Q: For masking in SAPGUI screens, when do we enter table name, fieldname and when do we enter program screen details.
A: Masking happens primarily on Table-Field in SAPGUI screens. However, only for module pool screens, the program name, screen number details are needed for Module Pool screens. You can use the mass configuration report to identify all program screens bound to a table-field to configure multiple SAPGUI screens at once, hence easing implementation efforts.
Q: If an unauthorized person enters an unmasked data for searching (i.e.: in the selection screen), will the system retrieve the result?
A: The system will be able to retrieve the result. There is no way to prevent that without modifying each program for this purpose.
Q: With the Input/output Field in the screen, an unauthorized person will be displayed as masked value. Assume there is no change in the masked value and ‘Save’ button is clicked. What value will be saved in the Database?
A: The original value would be saved in the DB. That is what was originally there in the DB would not be changed.
Q: Could you provide the overall development approach? (what need to be done? What need to setup first? For both application side and server side. We install the addon first? Then setup the config in system Is it by transport?)
A: The add-ons are installed on the server side. All changes and configurations are transported from Dev to Quality to Production.
Q: What are the testing approaches? How do we test to ensure the it has no impact to our existing functions after enable the UI Masking?
A: Masking solution works at just below the presentation layer which happens at runtime (on the fly) and hence functional behavior of applications and data in DB tables is not impacted. Testing process is as follows:
Identify the screens on which sensitive data to be protected from unauthorized users. Configure the fields in Dev system, save the entries in a customizing TR. Perform testing and release the customizing TR to other landscapes such as QA. Perform testing in QA with the data in line with productive environment and verify data is masked for unauthorized users.
Q: How does the Field Access Trace work?
A: FAT or field access trace works by storing a trace of fields which are maintained for masking and allows the users who see the FAT report to see who saw the sensitive data as masked on unmasked and at what time.