Skip to Content
Product Information
Author's profile photo Amit Kumar Singh

UI Data Protection – Role based masking scenario in BP

Introduction

In this blog post, we will learn how to mask “Account Number” of Business Partners in transaction BP.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The end result for unauthorized users will look like below:

Prerequisite

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Let’s begin

Configuration to achieve masking

Logical Attribute is a functional modelling of how any attribute such as Social Security NumberBank Account NumberAmountsPricing informationQuantity etc. should behave with masking.

Configure Logical Attribute – Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes

Bank Account Number

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:
  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_BANKACCT” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Role Based Authorization” option
  • Enter “PFCG Role” as “ZTEST”. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
  • Enter “Field Level Action” as “MASK_FIELD
  • Click on “Save” button

Maintain Technical Address

In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

You can get the Technical Address of a GUI field by pressing “F1” on the field.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “GUI Table Field Mapping”, maintain technical address for following fields.

  • Click on “New Entries” button
  • Enter “Table Name” as “BUSBANKCHECK
  • Enter “Field Number” as “BANKN
  • Enter “Logical Attribute” as “LA_BANKACCT
  • Enter “Description” as “Bank Account
  • Click on “Save” button
  • Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs

Conclusion

In this blog post, we have learnt how Role-based masking is achieved for “Bank Account Number” field in transaction BP.

Assigned Tags

      4 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Praveen Mittal
      Praveen Mittal

      How Masking can be done in Non-S/4 HANA system ?

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi Praveen,

      For masking in Non-S/4 HANA systems, you can use following add-ons -

      • Field Masking for SAP GUI
      • Field Masking for SAPUI5 and SAP Fiori
      • Field Masking for Web Client UI
      • Field Masking for Web Dynpro for ABAP

      Regards,

      Amit Kumar Singh

      Author's profile photo Samir Dutta
      Samir Dutta

      Thanks Amit. Very useful blog.

      Unfortunately Masking not working after these configuration. I am on 1909 FPS01 environment and S/4HANA specific UISM 100 addon is installed.

      I activated the Masking flag and set the RZ11 parameter.

      abap/advanced_listmasking to = 1

      dynp/usrmasking  = ALL

       

      What else Do i need to do.  Appreciate if you can help.

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi Sameer,

      Please check that you have configured correct Technical Address for the field. Also, make sure that PFCG Role is not assigned to the logged-in user.

      If you still face issue, please raise a ticket with us under "GRC-UDS-DO" component with proper system and login information so that we can check and apply proper configuration.

      The team will be happy to help you.

      Thanks,

      Amit Kumar Singh