
General Information : UI Masking Solution

In this blog post common queries around UI Masking & UI Data Protection Masking Solutions are gathered and addressed.

 

General

Q: Which UI technologies does masking support?

A: UI Masking is currently available for objects built on SAP GUI, SAP CRM, Web Dynpro ABAP, SAPUI5 and SAP Fiori. It is also possible to protect data exposed via SAP Gateway.

 

Q: Does masking work in databases?

A: The UI Masking solution works on the presentation layer. The data in database tables remains unchanged. However, special handling has been done to mask data when it is displayed in data browsers such as the SE11, SE16 and SE16N transactions.

           

Q: How is masking for a field controlled?

A: Masking is controlled by PFCG roles. A user who has the PFCG role assigned in the configuration for a field is authorized to see the original data. All other users see the data in masked form. It is also possible to extend scenarios by implementing the BAdI to achieve Selective Masking or Attribute Based Authorization.

 

Q: Is masking supported for Custom programs or custom tables as well?

A: Yes, the UI Masking solution doesn’t differentiate between standard and custom objects. The behavior is the same across both.

 

Q: Can we change data for a masked field?

A: The field is disabled for editing when it is configured for masking. Hence, the user will not be able to change its value.

 

Q: Does the masking add-on have any impact on existing standard ERP/Fiori applications?

A: Masking happens at runtime (on the fly), hence the functional behaviour of applications and the data in DB tables are not impacted.

 

Q: Is there any sizing requirement or performance consideration with masking?

A: There is no sizing requirement, and the performance impact is negligible and not noticeable to the human eye.

 

Q: Will masking work if the technical address of a field in SAP GUI contains a structure instead of a table?

A: Yes, as masking works on the UI layer, it doesn’t differentiate between a table and a structure.

 

Q: Is there any provision to turn UI Masking on or off to avoid any risks?

A: The masking solution can be turned on and off by using the global masking switch provided with the solution.

 

Q: Does the masking solution work during debugging?

A: While debugging, developers access data at the application layer. Because masking is applied after the application layer, developers with debug access will be able to see the original data.

 

Q: What is HANA Masking and how is UI Masking different from it?

A: HANA Masking is meant for DB admins who access the DB directly. It prevents unauthorized persons from accessing data in the HANA database. However, when HANA is connected to an application server such as S/4HANA, the original data has to be passed to the server so that business processes can run smoothly. UI Masking then kicks in after the business logic has processed the data and masks it for unauthorized users in the application UIs (GUI, Fiori, etc.).

HANA masking and UI Masking complement each other and help protect data at both ends outside the spectrum of business processing.

 

Q: Is there a video I can watch to quickly understand the masking solution?

A: Refer to the links below.

  1. External, published PDF: https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html
  2. Short introduction video: http://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html

 

 

 

More Insights

Q: Does masking work with Composite roles as well?

A: Yes, masking supports both composite and single roles. If a composite role is maintained in customizing, then a user who has either the composite role or any of the single roles that make up the composite role will be able to see unmasked data.

 

Q: How do the create and change transactions work for a data field that has been masked?

A: For a change transaction, the field is disabled for editing. For a create transaction, the masked field should be pre-populated; otherwise the transaction cannot be saved.

 

Q: Does UI Masking solution also mask the values displayed during F4 search?

A: Yes, F4 search helps are supported for masking.

 

Q: Will UI masking affect the function of our customized program that generates a payment file for the bank? Should we be worried that data in the payment file will be masked too?

A: The payment file will not be masked. Masking works outside the business layer, in the presentation layer. Thus, business processes are not impacted.

 

Q: Does masking prevent unauthorized access when data is being downloaded from an ALV?

A: Yes, Masking works during download scenarios. The sensitive data will appear in masked form in the downloaded list.

 

Q: Does UI Masking support spool results?

A: Yes, sensitive data will appear in masked form in spool results.

 

Q: What is a high-level effort estimate for masking and logging?

A: Typically, customers can go live with each masking / logging channel in a matter of weeks, if not days. The important thing is to have a ready set of requirements; the configurations are then straightforward.

 

Q: Will masking work for custom programs and/or SQL statements and BAdIs?

A: For SAP GUI masking, if you can see the Table-Field details in F1 Technical help, masking will work.

 

Q: Can masking and logging be implemented independently?

A: Yes, they are independent solutions which work best when used together but can be used independently as well.

 

Q: What will be the impact of this solution on system-to-system communication such as RFC calls?

A: There is no impact of masking on system / communication IDs, as we do not work on the machine-to-machine layer.

 

Q: How can the masking BAdI be implemented to achieve selective masking / attribute-based authorization masking?

A: The approach is as follows:

  1. Create a masking BAdI implementation with a filter value.
  2. In the implementation, inspect the ABAP stack of the program to find where you can get the context that decides whether this field should be masked.
  3. For instance, check whether the (program)t-f1 value EQ ‘ABC’, and mask if so. This applies to the field f2 that is currently being processed in the BAdI.
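
Steps 2 and 3 as an added ABAP sketch (not code from the original post or from the UI Masking add-on): the class, method and parameter names are hypothetical, and the call from the BAdI method is left out because the post does not name the BAdI interface. It reads the context field with the (program)t-f1 notation and keeps the field masked when the context cannot be read.

```abap
" Added illustration. lcl_mask_decision, should_mask and both parameters are
" hypothetical names; the BAdI definition and its interface come from the
" UI Masking add-on and are not shown here.
CLASS lcl_mask_decision DEFINITION FINAL.
  PUBLIC SECTION.
    CLASS-METHODS should_mask
      IMPORTING iv_context_field TYPE string   " placeholder: '(PROGRAM)T-F1'
                iv_trigger_value TYPE string   " placeholder: 'ABC'
      RETURNING VALUE(rv_mask)   TYPE abap_bool.
ENDCLASS.

CLASS lcl_mask_decision IMPLEMENTATION.
  METHOD should_mask.
    FIELD-SYMBOLS <lv_context> TYPE any.

    " Fail closed: without readable context the field stays masked.
    rv_mask = abap_true.

    " Dynamic access to a global field of a program that is loaded in the
    " current session, written as (program)structure-field.
    ASSIGN (iv_context_field) TO <lv_context>.
    IF sy-subrc <> 0.
      " Program not on the stack or field unknown, e.g. the context was
      " entered on a screen of a different program.
      RETURN.
    ENDIF.

    " Assumes a character-like context field. Mask only when it carries
    " the trigger value; otherwise show the original value of f2.
    IF <lv_context> = iv_trigger_value.
      rv_mask = abap_true.
    ELSE.
      rv_mask = abap_false.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

The BAdI implementation for field f2 would call `lcl_mask_decision=>should_mask( )` with the context field of its own program and act on the returned flag.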

 

Q: For masking in SAPGUI screens, when do we enter the table name and field name, and when do we enter the program and screen details?

A: Masking in SAPGUI screens happens primarily on the Table-Field. Only for module pool screens are the program name and screen number details also needed. You can use the mass configuration report to identify all program screens bound to a table-field and configure multiple SAPGUI screens at once, which eases implementation effort.

 

Q: If an unauthorized person enters an unmasked value for searching (i.e. in the selection screen), will the system retrieve the result?

A: The system will be able to retrieve the result. There is no way to prevent that without modifying each program for this purpose.

 

Q: In an input/output field on the screen, an unauthorized person is shown the masked value. Assume the masked value is not changed and the ‘Save’ button is clicked. What value will be saved in the database?

A: The original value would be saved in the DB. That is, what was originally in the DB would not be changed.

 

Q: Could you provide the overall development approach? (What needs to be done? What needs to be set up first, on both the application side and the server side? Do we install the add-on first and then set up the configuration in the system? Is it done by transport?)

A: The add-ons are installed on the server side. All changes and configurations are transported from Dev to Quality to Production.

 

Q: What are the testing approaches? How do we test to ensure that it has no impact on our existing functions after enabling UI Masking?

A: The masking solution works just below the presentation layer at runtime (on the fly), hence the functional behavior of applications and the data in DB tables are not impacted. The testing process is as follows:

  1. Identify the screens on which sensitive data is to be protected from unauthorized users.
  2. Configure the fields in the Dev system and save the entries in a customizing TR.
  3. Perform testing and release the customizing TR to other landscapes such as QA.
  4. Perform testing in QA with data in line with the productive environment and verify that data is masked for unauthorized users.

 

Q: How does the Field Access Trace work?

A: FAT, or Field Access Trace, works by storing a trace for fields that are maintained for masking. Users who can view the FAT report can see who saw the sensitive data, whether masked or unmasked, and at what time.

14 Comments
  • Hi Nidhi,

    How do we mask/authorize a field in one screen based on the value of a field in another screen? Say, for example, in MM03, I choose a plant in one screen and based on the value I have created the policy to mask a field in the accounting screen (which is different). But it does not work. In case both the fields are on the same screen, it works. Please advise.

    Same is the case when I tried to mask the surname field in Su01 based on the user id I choose in the initial screen. Only the default result gets executed.

    Thanks

    • Hi Srilakshmi,

      You can use the attribute-based authorization feature offered by the product ‘UI Masking for SAP S/4HANA’. This feature will allow you to use contextual information to protect sensitive fields.

      For further information, you can refer to the SAP Blog

      Regards,

      Shantanu

  • Hi Nidhi ,

    Great Blog!

    Here you have mentioned Masking is possible for F4 help as well.

    We are trying to mask a description field in SAPGUI.

    The description gets masked on the program screen, but when we do F4 on the key field, the description is still visible.

    Would appreciate any help on the same.

    Prateek

    • Hi Prateek,

      Yes, it is possible to mask search help fields. Please let us know the details. You can raise an OSS message in the component – GRC-UDS-DO.

      Regards,

      Shantanu

  • Hello Shantanu Sharma & Nidhi Sehgal

    Thank you for the Q&A, this is very helpful!

    We are studying the solution and its application in our company with a wide range of branches around the globe. Could you please advise if SAP UI masking for ECC could be applied in the following case:

    1. Masking based on a specific value, e.g. bank details of a vendor should be masked only if the Vendor’s account group is equal to XXXX -> I understand it’s possible to do via BAPI and attribute-based masking, right? What if this field is used in multiple screens and programs, in this scenario should we use different BAPIs for every screen/program?
    2. At the same time, we want this logic to be applied only for a certain group of people, not for everyone.

    Could you please advise if such scenarios could be covered with SAP UI Masking for ECC?

    Thank you

    BR,

    Nikolay

    • Hi Nikolai,

      1. It is possible to achieve masking based on a specific value. Through a customized BAdI you can achieve this. For details, you can refer to this blog. Yes, specific handling has to be done in case of multiple screens and programs.
      2. Yes, this scenario would possibly be covered too.

      You can raise an OSS message in the component XX-PROJ-CDP-266 if you need further assistance.

      Regards,

      Shantanu

  • Hello – Thanks for the valuable information.

    Does the UIM solution on ECC support masking on form outputs displayed on screen – such as preview of adobe forms, smart forms, sapscripts?

     

    • Hi Prathvi,

      Masking in Form Output/Preview can be achieved using the UI Masking API. The only prerequisite is that this API needs to be integrated by the customer into the standard application which is generating the form.

      Regards,

      Nidhi Sehgal

      • Thanks Nidhi.

        Can you please help elaborate a bit more on the UI Masking API and what is meant by integrating into the standard application?

        Any blog or further documentation on this would be helpful.

        • Hi Prathvi,

          The UI Masking API will allow you to extend the masking functionalities to a wider range of applications.

          Please refer to this blog to get an idea of how the API is implemented. The blog mentions masking in C4C applications but the implementation of the API will be pretty much identical.

          You can raise an OSS message in the component XX-PROJ-CDP-266 if you need further assistance.

           

  • Hello Shantanu Sharma & Nidhi Sehgal

     

    My understanding about the UI masking product and native S/4 data masking was that the S/4 functionality works over RAL configuration and was free (only for the SAP GUI channel). However, it seems that S/4 now supports all channels with native functionality. Does this mean all channels can be used for free? Can you clarify which scenarios need a license?

     

    Regards,
    Roberto

  • Hi Roberto

    The S/4 masking that you are referring to is the S/4HANA version of the UI masking product, which is a licensed solution. The S/4 functionality that you mentioned, which works over RAL configurations, is still only applicable to dynpro fields (not for all things in SAP GUI).

    Hope this clarifies. Please feel free to reach out in case you still have queries.

    Best,
    Deepak