
ABAC – Attribute based Masking in transaction FBL1N

Objective:

‘Field Masking for SAP GUI’ is a solution to protect sensitive data on SAP GUI screens at field level. An authorized user sees the original data, while an unauthorized user sees the masked data on screen. Role-based masking is achieved by configuring the sensitive fields in the masking configuration.

In this blog, we will learn how to achieve attribute-based masking in transaction FBL1N.

What is Attribute-based Masking:

Attributes that deal with time, location or other dynamic aspects are called context (environment) attributes. Masking a field based on such an attribute is called attribute-based masking.

e.g. – Masking the information of a witness-protected employee

Masking the Social Security number of a U.S. citizen

Masking the Aadhaar information of an Indian citizen

Prerequisite:

The product ‘Field Masking for SAP GUI’ is delivered to customers as an add-on (UIM 100). To achieve context-based masking, add-on UIM 100 must be installed in the customer system.

Requirement:

Attribute-based masking is required in transaction FBL1N: the amount should be masked for G/L account ‘161000’.


Maintain Masking configuration:

Configure the technical information (table name and field name) of the field in the masking configuration. Path: SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration -> Maintain Masking Configuration

BAdI Implementation:

Attribute based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.

Create a BAdI implementation for method PREPARE_AUTH_VALUE and pass the filter values

TABNAME = ‘RFPOSXEXT’, FIELDNAME = ‘DMSHB’


Sample code for the method implementation is given below. It determines the G/L account (HKONT) of the line item currently being displayed, whether FBL1N is running as ALV Grid, ALV List or classic module pool, and releases the original value only when the account is not 161000.

    DATA lt_callstack   TYPE sys_callst.
    DATA lv_progname    TYPE dbglprog.
    DATA lv_struct      TYPE char30.
    FIELD-SYMBOLS <fs_context> TYPE any.
    FIELD-SYMBOLS <fs_grid>    TYPE STANDARD TABLE.
    FIELD-SYMBOLS <fs_bseg>    TYPE any.
    FIELD-SYMBOLS <fs_hkont>   TYPE any.

    DATA lv_current_row TYPE lvc_rowpos.
    DATA lv_hkont       TYPE hkont.

    IF sy-tcode = 'FBL1N'.

*-- Reading the call stack to find out which display variant is active
      CALL FUNCTION 'SYSTEM_CALLSTACK'
        IMPORTING
          et_callstack = lt_callstack.

      "{ Start - Context data for ALV Grid
      READ TABLE lt_callstack ASSIGNING FIELD-SYMBOL(<fs_callstack>)
                                    WITH KEY eventname = 'EXECUTE_GRID'
                                             progname  = 'CL_ALV_UIM_WRAPPER============CP'.
      IF sy-subrc = 0.
        " The masking ALV wrapper exposes the grid data and the row being rendered
        ASSIGN /uim/cl_msk_alv=>ss_data->* TO <fs_grid>.
        lv_current_row = /uim/cl_msk_alv=>sv_row_id.
        IF <fs_grid> IS ASSIGNED.
          READ TABLE <fs_grid> ASSIGNING <fs_context> INDEX lv_current_row.
        ENDIF.
      ENDIF.
      "} End - Context data for ALV Grid

      "{ Start - Context data for ALV List
      IF <fs_context> IS NOT ASSIGNED.
        READ TABLE lt_callstack ASSIGNING <fs_callstack>
                                      WITH KEY eventname = 'K_KKB_LIST_DISPLAY'.
        IF sy-subrc = 0.
          lv_progname = <fs_callstack>-progname.
          lv_struct   = 'T_OUTTAB'.
*-- Reading the output table of the list program via a dynamic ASSIGN, e.g. (PROGRAM)T_OUTTAB
          CONCATENATE '('
                      lv_progname
                      ')'
                      lv_struct
                 INTO DATA(lv_exprsn).

          ASSIGN (lv_exprsn) TO <fs_context>.
        ENDIF.
      ENDIF.
      "} End - Context data for ALV List

      " Get G/L account
      IF <fs_context> IS ASSIGNED.
        ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_context> TO <fs_hkont>.
        IF <fs_hkont> IS ASSIGNED.
          lv_hkont = <fs_hkont>.
        ENDIF.
      ENDIF.

      "{ Start - Context data for Module Pool
      IF <fs_context> IS NOT ASSIGNED.
        READ TABLE lt_callstack ASSIGNING <fs_callstack>
                                           WITH KEY eventname = 'OUT_MASK_EXIT'
                                                    progname  = 'SDYNPMSK'.
        IF sy-subrc = 0.
          lv_progname = sy-cprog.
          " Reading data from the global BSEG structure of the calling module pool
          lv_struct = 'BSEG'.
          CONCATENATE '('
                      lv_progname
                      ')'
                      lv_struct
                 INTO lv_exprsn.

          ASSIGN (lv_exprsn) TO <fs_bseg>.

          IF <fs_bseg> IS ASSIGNED.
            UNASSIGN <fs_hkont>.
            ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_bseg> TO <fs_hkont>.
            IF <fs_hkont> IS ASSIGNED.
              lv_hkont = <fs_hkont>.
            ENDIF.
          ENDIF.
        ENDIF.
      ENDIF.
      "} End - Context data for Module Pool

      " Release the original amount for every account except 161000 (HKONT carries leading zeros).
      " Note: if HKONT could not be determined, lv_hkont stays initial and the amount is shown unmasked.
      IF lv_hkont <> '0000161000'.
        cs_mask_data-masked_val = cs_mask_data-original_val.
        cs_mask_data-auth_flag  = abap_true.
      ENDIF.

    ENDIF.


Result:

Execute transaction FBL1N: the amount is masked only for G/L account 161000.

Conclusion:

In this blog we have learnt how attribute-based masking is achieved for transaction FBL1N. The masking BAdI /UIM/BD_MASKING is used to mask data based on dynamic conditions or context attributes. Attribute-based masking can be applied to other scenarios by implementing the same masking BAdI.
