Field Masking for SAP GUI – Context based masking scenario in FB03
‘Field Masking for SAP GUI’ is a solution to protect sensitive data on SAP GUI screens at field level. An authorized user will see the original data and unauthorized user will see the mask data on screen. Role based masking can be achieved by configuring sensitive fields in masking configurations.
In this blog, we will learn how to achieve context-based masking in SAP GUI screens.
What is Context based Masking:
Attributes that deal with time, location or dynamic aspects is called context (environment ) attribute. Masking a field based on context attribute is called context based-masking.
e.g. – Masking the salary of employees who belong to Germany.
Product ‘Field Masking for SAP GUI’ is delivered to customer as add-on (UIM 100), to achieve context based masking Add-on UIM 100 must be installed in customer system.
Context based masking is required for transaction FB03, account short text need to be masked for customer whose industry key (BRSCH) is ‘ZHCO’
Maintain Masking configuration:
Configure technical information (table name-field name) of field in masking configuration. Path SPRO->SAP NetWeaver->Field Masking for SAP GUI->Masking Configuration->Maintain Masking Configuration
Context based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.
Create BAdI implementation for method PREPARE_AUTH_VALUE, Pass filter value
TABNAME = BSEG_ALV, FIELDNAME = KOBEZ
Sample code is given below
**The importing data contains the table name. Read the table name into a variable
DATA(lv_tabname) = cs_auth_data-tabname.
** Set the context field on which logic is based. In the use case we need to know the employee number of the object
DATA(lv_context_field) = cs_auth_data-fldname.
DATA(lv_program) = ‘SAPLKKBL’.
DATA lv_oid TYPE char50.
DATA ld_brsch TYPE kna1-brsch.
DATA lv_kunnr TYPE kunnr.
cs_auth_data-auth_flag = ‘X’.
CONCATENATE ‘(‘ lv_program ‘)’ ‘T_OUTTAB’ INTO lv_oid.
FIELD-SYMBOLS: <fs_context> TYPE any.
FIELD-SYMBOLS <fs_kunnr> TYPE any.
ASSIGN (lv_oid) TO <fs_context>.
IF sy-subrc EQ 0.
** the table doesn’t contain the employee number field. Implement some logic to get the employee number (e.g. reading through the program stack)
ASSIGN COMPONENT ‘KONTO’ OF STRUCTURE <fs_context> TO <fs_kunnr>.
IF <fs_kunnr> IS ASSIGNED.
lv_kunnr = <fs_kunnr>.
SELECT SINGLE brsch FROM kna1 INTO ld_brsch WHERE kunnr = lv_kunnr.
IF ld_brsch = ‘ZHCO’.
cs_auth_data-auth_flag = ”.
Context based masking is working in transaction FB03. Account short text is masked based on the value of industry key.
In this blog we have learnt how context-based masking is achieved for transaction FB03, Masking BAdI /UIM/BD_MASKING is used to mask data based on dynamic condition or context attributes. Context-based masking can be applied for other scenarios by implementing masking BAdI.