Skip to Content
Product Information
Author's profile photo Amit Kumar Singh

UI Data Protection – Role based masking scenario in PA30 with Reveal on Demand and Field Access Trace Report (FAT)

Introduction

In this blog post, we will learn how to mask “National Insurance Number” of Employees in Info type 2 (Personal Data) in transaction PA30 with Reveal on Demand and Field Access Trace (FAT) Report configured.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The end result for unauthorized users will look like below:

Reveal on Demand

Reveal on demand provides additional data protection by masking the field value by default, even if the user is authorized to view the data. The authorized user then explicitly chooses the option to reveal the field value on the user interface.

When the authorized user reveals the data, a dialog box (which can be configured to display a confirmation message, reason code, and free text) is displayed. The user then has to specify, for example, a reason for revealing the data. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal option.

  • To unmask the National Insurance Number field information using Reveal On Demand feature, Follow the given Path –

In PA30 transaction “Display Personal Data” screen, Click on “Help” -> “Reveal On <–> Off” option

  • On Reveal On Demand pop-up, select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on “OK” button

  • Field value will get unmasked for “National Insurance Number” field

  • To Again, mask the Field values, Follow the given path –

In PA30 transaction “Display Personal Data” screen, Click on “Help” -> “Reveal On <–> Off” option

  • On Reveal On Demand pop-up, click on “OK” button

  • National Insurance Number” field will again appear as masked

Field Access Trace Report

Field Access Trace writes an access data entry when the user accesses the fields configured for masking. The trace contains various information such as the user who accesses the value, date and time when the user accessed the value, the transaction the user used to view the configured fields, whether the user was authorized to view the masked data, and additional details such as whether a trace is created because of Reveal on Demand functionality. Also, you have wide filters options to restrict and minimize the information in the log record.

Field Access Trace uses the same configuration tables as those tables used for UI data protection masking and is carried out for the SAP UI channels such as SAP GUI, Web Dynpro, Web Client UI, and SAPUI5/SAP Fiori apps.

Follow the below given steps to generate the FAT Report –

  • Execute T-Code “/UISM/VIEW_UI_FAT
  • Enter “Selection Parameters” and click on “Execute” button

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUISAPUI5/SAP FioriCRM Web Client UI, and Web Dynpro ABAP.

Let’s begin

Configuration to achieve masking

Logical Attribute is a functional modelling of how any attribute such as Social Security NumberBank Account NumberAmountsPricing informationQuantity etc. should behave with masking.

Configure Logical Attribute – Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes

National Insurance Number

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:
  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_SOCSECNO” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Role Based Authorization” option
  • Enter “PFCG Role” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
  • Enter “Field Level Action” as “MASK_FIELD
  • Set “Field Access Trace” value as “P Trace when Revealed
  • Check “Reveal on Demand” check-box
  • Click on “Save” button

Maintain Technical Address

In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

You can get the Technical Address of a GUI field by pressing “F1” on the field.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “GUI Table Field Mapping”, maintain technical address for following fields.

  • Click on “New Entries” button
  • Enter “Table Name” as “P0002
  • Enter “Field Number” as “PERID
  • Enter “Logical Attribute” as “LA_SOCSECNO
  • Enter “Description” as “Social Security Number
  • Click on “Save” button
  • Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs

Conclusion

In this blog post, we have learnt how Role-based masking with Reveal on Demand and Field Access Trace Report configured is achieved for “National Insurance Number” field in transaction PA30.

Assigned Tags

      4 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Simone Tocci
      Simone Tocci
      0 secs ago 1 Views

      Dear

      I have an issue i cannot solve.

      I cannot find under Help Menu

      Reveal On <–> Off” option - UI DATA PROTECTION

      Could you help me?

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi Simone,

      Please follow the given steps in order to enable the Reveal option -

      Under "Enable UI Data Protection Masking" node, click on "Maintain Global Flag: Reveal on Demand" option and then check "Enable Functionality" checkbox

      After doing the above configuration, under "Reveal on Demand" configuration perform the following configuration -

      • Maintain Reveal on Demand Configuration
      • Maintain Text Messages
      • Maintain Reason Codes

      Hope it will solve your problem.

      Regards,

      Amit Kumar Singh

      Author's profile photo Simone Tocci
      Simone Tocci

      Dear

      Thank you for your Reply

      i've done everything as you said

       

      • Maintain Global Flag: Reveal on Demand” option and then check “Enable Functionality”
      • Maintain Reveal on Demand Configuration : Message Type -> Confirmation Message
      • Maintain Text Messages : Confirmation Message -> /UISM/REVEAL_CONSENT_TEXT , Reveal Off Message -> UISM/REVEAL_OFF_TEXT (both configured in So10)
      • Maintain Reason Codes : Reason -> DVA ,  Description -> Data Verification

      I've also checked box  "Reveal on Demand" under Maintain Field Level Security and Masking

       

       

      What am i doing wrong?

       

      Author's profile photo Wilder Latino
      Wilder Latino

      Hello Simone,

       

      Hope all is well. I too implemented and all is working. Let me know if you want to chat. email provided.

       

      wilder_latino@jabil.com