Skip to Content
Product Information
Author's profile photo Amit Kumar Singh

Attribute Based Authorization and Masking based on External Attribute such as Geo-location, Biometric, IP Address, User Terminal Information, Swiping of Access Card etc.


Digital innovations and transformations are re-shaping everyone’s life. Technologies such as in-memory computing, cloud, and mobility have made an impact on enterprises.

Companies that embrace the digital transformation are facing increased Cyber threats and attacks. Security breaches can impact organizations and their customers.

One of the first line of defense measures is to protect company’s confidential data and business partners privacy. And the first and foremost defense is to encrypt data wherever feasible.

Because of today’s increasingly decentralized lifestyle, where organizations allow users to connect to information systems from anywhere in the world via many different devices, the users therefore carry part of the information system out of the secure infrastructure. Insecurity in SAP is caused by the user himself.

Security breaches rapidly become public knowledge today, and the risks we encounter every time we give a user access to our important systems together with the necessary authorizations to access our data are very real.

To avoid those risks, we recommend every SAP organization increases their data security by introducing “UI Data Protection Masking for SAPS/4HANA” solution from SAP.

The solution provides following features –

  • Masking/disabling/hiding fields on the UI and disabling actions (such as navigation and buttons)
  • Suppressing (not showing) lines in table-style UI elements; blocking access to entire sensitive records in applications
  • Reveal on Demand. Sensitive fields are initially masked and will only be unmasked after giving a reason/comment, all of which is documented in the Access Trace for review or audit purposes. Unmasking happens only if user is authorized to see the fields.
  • Field Access Trace. Trace for review/auditing, containing timestamp, user, technical address of the field (field type), and whether the user was authorized to see the data or not.

The above listed features are governed by Attribute Based Access Control (ABAC) policies provided by the product.

Attribute-Based Access Control (ABAC) allows for authorization to users in real-time based on attributes such as certificates, employment status; attributes of the object that user is trying to access, user attributes, classification; and environment attributes, such as time, biometric information, IP Address, User Terminal Information, Access card swipe etc.

While a lot of attributes are available in the SAP system, some scenarios could require reading of external attributes. For Example, whether the person has swiped his card, fingerprint has scanned, certificates on system.

Let’s begin

The scenario is to protect sensitive Business Partner’s Bank Account information from unauthorized user. This will be enforced by the fingerprint information of user. When user scan his fingerprint on the scanning device and If the user is authorized user then Bank Account information will be displayed unmasked else information will be displayed as masked.

Configuration to achieve masking

Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Logical Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes

Bank Account

Configure Derived Attribute

First, customer needs to create a Derived Attribute. Derived Attributes are user defined attributes which are populated at run time. The derivation of these attributes can be maintained in a class method. The name of the Class can be specified while maintaining a derived attribute in the IMG.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> Derived Attribute Definition – Create a Derived Attribute with name “DA_BIOMETRIC_DATA” –:

Steps to implement Class for Derived Attribute:

  • Execute transaction SE24
  • Create Derived Attribute Class mentioned in the configuration (i.e. ZCL_BIOMETRIC).
  • Implement the Interface: /UISM/IF_DERIVED_ATTR_VALUE in the Class
  • In this Derived Attribute, Developer needs to code to read the data from the scanning device by consuming their APIs

Create a Policy

Then, customer needs to create a Policy. A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which must be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations – Create Policy with the name “FINGERPRINT_ENFORCEMENT” –:

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in above step. In this step, we will link the Policy with Logical Attribute.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration


In this blog post, we have learnt how Attribute based masking is achieved to mask Bank Account information of sensitive Business Partners based on the fingerprint scanning using API.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.