Amit Kumar Singh

UI Data Protection – Masking Bank Account field of Customer using Masking API in SAP C4C (Cloud for Customer) Solutions

Introduction

In this blog post, we will learn how to mask the “Bank Account” field of a Customer in SAP Cloud for Customer (C4C).

A PFCG Role will be used for the authorization check, which allows users with the specified role to view the field value. A user who does not have this role is not authorized, and the data will be protected either by masking or by clearing the field.

The end result for unauthorized users will look like below:

Prerequisite

The product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

It is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Let’s begin

Configuration to achieve masking

A Logical Attribute is a functional model of how an attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity, etc. should behave with masking.

Configure Logical Attribute – Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes

Bank Account

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave for the logical attribute that we created in the step above.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:
  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_BANK_ACCOUNT” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Role Based Authorization” option
  • Enter “PFCG Role” as “/UISM/PFCG_ROLE”. In this example, we have used a blank role “/UISM/PFCG_ROLE”. Customers can use any role as per their requirement.
  • Click on “Save” button

Maintain Technical Address

In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

We will map the Sensitive Entity (LA_BANK_ACCOUNT) to the Data Element of the Bank Account field. Get the data element of the bank account field from the line type (i.e. ISU_C4C_BANK_DETAIL_S) of the importing table CT_BANKDETAILDATA, which holds the Bank Account column.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “Data Element Field Mapping”, maintain technical address for following fields.

  • Click on “New Entries” button
  • Enter “Data Element” as “BANKN”
  • Enter “Logical Attribute” as “LA_BANK_ACCOUNT”
  • Enter “Description” as “Bank Account”
  • Click on “Save” button
  • Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs

API Implementation

The “UI Data Protection Masking for SAP S/4HANA” solution provides an API which can be employed to mask the required field in SAP C4C data extraction services.

The below approach needs to be followed to implement Masking API:

  1. The developer needs to find the RFC/OData Service that is used to get/extract data from the S/4HANA system.
  2. Call the Masking API at an interception point, passing the data reference of the key information which needs to be masked. This interception point can be an existing BAdI/Enhancement Spot or Exit, or an implicit enhancement can be added at the end of the RFC or of the READ_ENTITY/READ_ENTITYSET method of the OData Service.
  3. Optionally, pass the underlying Table name-Field name of the key information.
  4. A field configured for masking will be masked if the current user does not have authorization to view sensitive data.

Step by Step Procedure: Please follow the below steps to mask Bank Account Number of Customer in SAP Cloud for Customers (C4C) Application:

  1. Data is sent to C4C from S/4HANA using a WebService built over the RFC ISU_C4C_BANK_DETAILS_GET.
  2. Since a BAdI already exists at the end of the RFC, we will implement this BAdI to call the masking API and so mask the Bank Account field.
  3. Go to SE18 and create an implementation of the above BAdI (i.e. ISU_C4C_BANK_DETAILS).
  4. Implement the method IF_ISU_C4C_BANK_DETAILS~BANK_DETAILS_GET_POST of the BAdI and call the masking API.

API Signature Details:

Mandatory Parameters:

  1. CR_DATA: Data Reference of Table/Structure or Variable having field that needs to be masked

Optional Parameters:

  1. IV_UNAME: Only needs to be passed when the front-end user is not the same as the back-end user (e.g. C4C scenarios)
  2. IT_FIELD_MAP: This needs to be populated when the Sensitive Entity has been mapped to a Table-Name and Field-Name. It does not need to be populated when the Sensitive Entity has been mapped to a Data Element.

Sample Code:

DATA : lr_data TYPE REF TO data.

*-- Since C4C uses a generic user name for accessing the back end, get the back-end user name from the audit user name
SELECT SINGLE bname FROM usr01 INTO @DATA(lv_uname) WHERE bname = @is_audit-cod_uname.
IF sy-subrc NE 0.
*-- Fallback: masking is then evaluated for the current back-end user (sy-uname)
  lv_uname = sy-uname.
ENDIF.

*-- Get Reference to table containing data to be changed(masked)
GET REFERENCE OF ct_bankdetaildata INTO lr_data.

*-- Call API
/uism/cl_data_protection_api=>masking_api(
  EXPORTING
    iv_uname     = CONV #( lv_uname )    " Name of Current User
  CHANGING
    cr_data      = lr_data               " Data Reference 
).
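The sample above falls back to sy-uname when the audit user is not found, so the role check then runs for the generic user that C4C uses to access the back end. The following fail-closed variant of the same BAdI method is an added example, not code from the original post: it clears the bank account column instead of falling back. It assumes the bank account component of CT_BANKDETAILDATA is named BANKN (the page gives only the data element name), and clearing on an unresolved user is a design choice of this example.

```abap
METHOD if_isu_c4c_bank_details~bank_details_get_post.
  " Added example: fail-closed variant of the sample code.
  " Assumption: the bank account component of the line type is named BANKN.
  CONSTANTS lc_account_field TYPE string VALUE 'BANKN'.
  DATA lr_data TYPE REF TO data.

  " Resolve the front-end (audit) user to a back-end user name.
  SELECT SINGLE bname FROM usr01
    WHERE bname = @is_audit-cod_uname
    INTO @DATA(lv_uname).

  IF sy-subrc <> 0.
    " Unknown front-end user: do not evaluate the PFCG role for the
    " generic communication user. Clear the sensitive column and leave.
    LOOP AT ct_bankdetaildata ASSIGNING FIELD-SYMBOL(<ls_bank>).
      ASSIGN COMPONENT lc_account_field OF STRUCTURE <ls_bank>
        TO FIELD-SYMBOL(<lv_account>).
      IF sy-subrc = 0.
        CLEAR <lv_account>.
      ENDIF.
    ENDLOOP.
    RETURN.
  ENDIF.

  " Known user: let the masking API decide based on that user's role.
  GET REFERENCE OF ct_bankdetaildata INTO lr_data.

  /uism/cl_data_protection_api=>masking_api(
    EXPORTING
      iv_uname = CONV #( lv_uname )    " Resolved front-end user
    CHANGING
      cr_data  = lr_data               " Data reference to be masked
  ).
ENDMETHOD.
```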

Assumptions

  • In SAP C4C, the data to be protected/masked should reside in back-end SAP S/4HANA system and not locally in SAP C4C.
  • Non-String type values (Ex. Numeric values) will be cleared instead of masking.
  • Update/Create scenarios must be explicitly handled by Developer.

Conclusion

In this blog post, we have learnt how role-based masking is achieved for the “Bank Account” field of a Customer in SAP Cloud for Customer (C4C) using the Masking API.
