Field Masking – Context based masking scenario in SE16 (ALV Grid Display, ALV List, and SE16 Standard List)

Introduction

In this blog post, we will learn how to mask “Telephone Number” and “Fax Number” fields based on “Region Code” information of table KNA1 in transaction SE16.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The end result for unauthorized users will look like below:

ALV Grid Display

ALV List

Standard SE16 List

What is Context based Masking?

Attributes that deal with time, location or dynamic aspects is called Context (environment) attribute. Masking a field based on context attribute is called Context based-masking.

e.g. – Masking the salary of employees who belong to Germany.

Prerequisite

“Field Masking for SAP GUI” is a solution to protect sensitive data on SAP GUI screens at field level.Product “Field Masking for SAP GUI” is delivered to customer as add-on (UIM 100). To achieve Role based masking, Add-on UIM 100 must be installed in customer system.

Requirement

Context-based masking is required for transaction SE16, “Telephone Number” and “Fax Number” fields of table KNA1 in transaction SE16 need to be masked whose “Region Code” is “CO”.

Maintain Masking configuration

Configure Technical Information (Table Name-Field Name) of field in masking configuration.

You can get the Technical Address of a GUI field by pressing “F1” on the field.

Follow the given path:

SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration->Maintain Masking Configuration

Telephone Number

Follow below mentioned steps:

• Click on “New Entries” button
• Enter “Table Name” as “KNA1”
• Enter “Field Name” as “TELF1”
• Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.
• Check “Masking Control” checkbox”
• Click on “Save” button

Fax Number

Follow below mentioned steps:

• Click on “New Entries” button
• Enter “Table Name” as “KNA1”
• Enter “Field Name” as “TELFX”
• Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.
• Check “Masking Control” checkbox”
• Click on “Save” button

BAdI Implementation

Context-based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.

Create BAdI implementation for method PREPARE_MASK_DATA

Sample code is given below –

* Sample Implementation for Context based masking in ALV Grid

* Following Global Parameters are available for context based masking in ALV. 
  These can be used in UI Masking BAdI to achieve the context based masking
  in ALV Grid:

  1) /uim/cl_msk_alv=>ss_data    : This contains the complete data reference 
                                   of ALV Grid being displayed

  2) /uim/cl_msk_alv=>sv_row_id  : This global variable contain the current 
                                   row number being processed

  3) /uim/cl_msk_alv=>st_fcat    : This table contains the FieldCat of current 
                                   ALV being processed

* Scenario: Mask Field - "Telephone Number" and "Fax Number" in KNA1 table
                         if Customer's Region Code = 'CO'

* Configuration: The "Telephone Number" and "Fax Number" have been maintained
                 in Masking configuration that means "Telephone Number" and 
                 "Fax Number" column's data field will be masked for
                 unauthorized users.
***********-----------------BAdI Impementation code-----------------**********
*-- BAdI Handling: Under this BAdI, we unmask the above two fields if 
    Customer's Region code is other than 'CO'

DATA : ls_row_data TYPE REF TO data.
FIELD-SYMBOLS : <fs_data>     TYPE STANDARD TABLE,
                <fs_row_data> TYPE any,
                <fs_regio>    TYPE kna1-regio.

*-- Get ALV Data
ASSIGN /uim/cl_msk_alv=>ss_data->* TO <fs_data>.
IF <fs_data> IS ASSIGNED.

*-- Get Current Row
READ TABLE <fs_data> ASSIGNING <fs_row_data> INDEX /uim/cl_msk_alv=>sv_row_id.
  IF sy-subrc EQ 0.
*-- Get Value of field REGIO ( Region )
    ASSIGN COMPONENT 'REGIO' OF STRUCTURE <fs_row_data> TO <fs_regio>.
    IF sy-subrc EQ 0.
*-- Masking Condition - Unmask if REGION is other than CO
      IF <fs_regio> NE 'CO'.
        cs_mask_data-masked_val = cs_mask_data-original_val.
        cs_mask_data-auth_flag = abap_true.
      ENDIF.
    ENDIF.
  ENDIF.
ENDIF.

Conclusion

In this blog post, we have learnt how Role-based masking is achieved for “Telephone Number” and “Fax Number” fields based on “Region Code” information of table KNA1 in transaction SE16.