Product Information
UI Data Protection – Role based masking scenario in BP
Introduction
In this blog post, we will learn how to mask “Account Number” of Business Partners in transaction BP.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
The end result for unauthorized users will look like below:
Prerequisite
Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.
Let’s begin
Configuration to achieve masking
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute – Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Bank Account Number
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_BANKACCT” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Role Based Authorization” option
- Enter “PFCG Role” as “ZTEST”. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Enter “Field Level Action” as “MASK_FIELD”
- Click on “Save” button
Maintain Technical Address
In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.
You can get the Technical Address of a GUI field by pressing “F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “GUI Table Field Mapping”, maintain technical address for following fields.
- Click on “New Entries” button
- Enter “Table Name” as “BUSBANKCHECK”
- Enter “Field Number” as “BANKN”
- Enter “Logical Attribute” as “LA_BANKACCT”
- Enter “Description” as “Bank Account”
- Click on “Save” button
- Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs
Conclusion
In this blog post, we have learnt how Role-based masking is achieved for “Bank Account Number” field in transaction BP.
How Masking can be done in Non-S/4 HANA system ?
Hi Praveen,
For masking in Non-S/4 HANA systems, you can use following add-ons -
Regards,
Amit Kumar Singh
Thanks Amit. Very useful blog.
Unfortunately Masking not working after these configuration. I am on 1909 FPS01 environment and S/4HANA specific UISM 100 addon is installed.
I activated the Masking flag and set the RZ11 parameter.
abap/advanced_listmasking to = 1
dynp/usrmasking = ALL
What else Do i need to do. Appreciate if you can help.
Hi Sameer,
Please check that you have configured correct Technical Address for the field. Also, make sure that PFCG Role is not assigned to the logged-in user.
If you still face issue, please raise a ticket with us under "GRC-UDS-DO" component with proper system and login information so that we can check and apply proper configuration.
The team will be happy to help you.
Thanks,
Amit Kumar Singh