Dynamic Field Masking of SAP Applications
Field Masking for SAP GUI/WebGUI/Fiori is a solution to protect sensitive data in SAP applications at field level. An authorized user sees the original data and an unauthorized user sees the masked data on screen. Role-based masking is achieved by configuring the sensitive fields in the masking configuration.
In this blog, we will see how to achieve dynamic role-based masking in SAP application views/screens for a custom requirement, using a BAdI, in a simple way. So friends, let's get started.
What is Role-Based Masking:
Masking a field based on the PFCG role assigned to the user is called role-based attribute masking.
e.g. masking the salary of employees who belong to the managerial role.
Need for Dynamic Role-Based Field Masking:
All attributes configured in UI Masking (UIM) are masked by default for an unauthorized user, based on the user's PFCG role assignment. If, however, the masking of a UIM-configured field has to be decided at run time for an authorized user who holds the valid role, that is called dynamic field masking.
To achieve role-based field masking, the SAP UIM add-on must be installed and configured (components UISM 100 and UIMUI5 200).
This blog assumes that the reader has:
- The basic UIM configuration in place: logical attribute declaration, technical address maintenance and masking pattern.
- A PFCG role whose assigned users are authorized for the configured application fields from the point above; users without the role see the masked data. Dynamic masking via the BAdI therefore only ever applies to authorized users as per the PFCG role; unauthorized users stay masked regardless of the BAdI logic.
- In our example I am using the PFCG role /uism/pfcg_role, to which my user ID is assigned (role > User tab). I am therefore a valid authorized user and, as per UIM, all configured fields are unmasked by default when I access the configured SAP application (it can be any GUI/Fiori/WebGUI application); in our example it is a Fiori application.
In the existing UIM system, field masking is configured for four fields of the SAP Fiori application Display Customer List: customer name, city (logical attribute "location"), company code and phone. Our requirement is to mask only two of the four, i.e. city and company code, and only for those customers whose city field has the value Germany and whose company code is not 1710.
Maintain Masking configuration:
Configure the technical information (application name and field name) of the field in the masking configuration. Path: SPRO->SAP NetWeaver->UI Data Protection Masking for SAP S/4HANA->Maintain Metadata Configuration->Maintain Logical Attributes->Select a logical attribute->Masking Configuration
Note: the BAdI filter value passed here is named MASK_ALL; you can give your BAdI filter any name. You can also reuse the same filter value if the same BAdI implementation serves the respective logical attribute.
Maintain BADI configuration:
Create the BAdI implementation for the field. Path: SPRO->SAP NetWeaver->UI Data Protection Masking for SAP S/4HANA->Business Add-Ins->BAdI: Authorization Check for Field Level Security. Execute and create a BAdI implementation.
Click OK or press Continue. After declaring the BAdI implementation, you have to define the filter values. Click on Create Combination.
You have to pass the same filter value for which you are creating the BAdI implementation. That is, you are creating a BAdI filter for the logical attribute "location", whose BAdI filter value was configured in UIM as MASK_ALL, so you pass the same value here.
Click on Save. Now you have to write the dynamic masking code. Click on Implementing Class->Execute Authorization.
Role based dynamic field masking can be achieved by implementing Masking BAdI /UISM/BD_MASK_AUTHORIZATION.
Create BAdI implementation for method EXECUTE_AUTHORIZATION,
Double-click on execute authorization and implement the interface method to write the dynamic masking code.
Up to this step you will find that the static field masking configured in UIM masks all configured fields, for unauthorized and authorized users alike, until you implement the dynamic logic in the interface method, as in the sample described below.
The sample code makes field masking dynamic only for authorized users: wrap the whole logic in one IF condition (IF cv_auth_indicator = 'Y') spanning from the first line to the end of the method, so the BAdI only ever narrows an existing authorization and never grants one. Inside it you can call a REST API, an RFC or any function module as per your requirement to decide on 'Y' (show) or 'N' (mask). If that call fails or returns no usable value, set 'N' so the field stays masked rather than exposed.
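The following ABAP class is an added example of such an implementation and is not the blog's own code (the blog shows it only as screenshots). It implements the requirement from above, masking city and company code for customers whose city is Germany and whose company code is not 1710. Only the BAdI name /UISM/BD_MASK_AUTHORIZATION, the method EXECUTE_AUTHORIZATION and the changing parameter CV_AUTH_INDICATOR are named on the page; the implementing class name ZCL_UISM_DYN_MASK, the interface name /UISM/IF_BD_MASK_AUTHORIZATION and the context parameter IT_CONTEXT (a name/value table with the other field values of the current screen row) are assumptions, so check the real method signature in SE24 before activating.

```abap
" Added example, not from the blog. Class name, interface name and the
" IT_CONTEXT parameter (components NAME and VALUE) are assumptions;
" only EXECUTE_AUTHORIZATION and CV_AUTH_INDICATOR are named on the page.
CLASS zcl_uism_dyn_mask DEFINITION PUBLIC FINAL CREATE PUBLIC.
  PUBLIC SECTION.
    INTERFACES: if_badi_interface,
                /uism/if_bd_mask_authorization.

    " Decision logic kept apart from the BAdI method so it can be
    " unit-tested without the masking framework.
    CLASS-METHODS must_mask
      IMPORTING iv_city        TYPE string
                iv_bukrs       TYPE string
      RETURNING VALUE(rv_mask) TYPE abap_bool.
ENDCLASS.

CLASS zcl_uism_dyn_mask IMPLEMENTATION.

  METHOD must_mask.
    " Requirement from the blog: mask when city is Germany and the
    " company code is anything other than 1710. Whitespace and case
    " are normalised so 'germany ' is treated like 'Germany'.
    rv_mask = xsdbool( to_upper( condense( iv_city ) ) = 'GERMANY'
                   AND condense( iv_bukrs ) <> '1710' ).
  ENDMETHOD.

  METHOD /uism/if_bd_mask_authorization~execute_authorization.
    " The framework calls this method only for fields whose masking
    " configuration carries the BAdI filter value (MASK_ALL in the blog).
    " CV_AUTH_INDICATOR arrives as 'Y' for users holding the PFCG role
    " and 'N' otherwise. The BAdI only narrows authorization: it never
    " turns an 'N' into a 'Y'.
    IF cv_auth_indicator <> 'Y'.
      RETURN.                          " unauthorized users stay masked
    ENDIF.

    DATA lv_city  TYPE string.
    DATA lv_bukrs TYPE string.

    " ASSUMPTION: the row's other field values are available as a
    " name/value table IT_CONTEXT. Adapt to the real parameter of your
    " release, or replace this block with an RFC/REST lookup.
    TRY.
        lv_city  = it_context[ name = 'CITY' ]-value.
        lv_bukrs = it_context[ name = 'BUKRS' ]-value.
      CATCH cx_sy_itab_line_not_found.
        " Fail closed: without the values needed for the decision,
        " mask rather than expose.
        cv_auth_indicator = 'N'.
        RETURN.
    ENDTRY.

    IF must_mask( iv_city = lv_city iv_bukrs = lv_bukrs ) = abap_true.
      cv_auth_indicator = 'N'.
    ENDIF.
  ENDMETHOD.

ENDCLASS.
```

The whole decision sits inside the `cv_auth_indicator = 'Y'` guard, as the blog recommends, and the two exits that set 'N' are the only places the indicator changes. Keep in mind that the method runs in the end user's own session for every evaluated field, so an external REST or RFC call here adds latency per screen row, and, as noted in the comments below, a developer with debug authorization in that session can still read the unmasked value; masking is a UI control, not a substitute for restricting access to the underlying data.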
Dynamic role-based field masking is now working in the SAP application: the company code and city text are masked based on the dynamic logic in the BAdI.
This blog shows how to achieve dynamic field masking for role-based SAP applications as configured in UIM, whether GUI, Fiori, table or WebGUI. An implementation of the masking BAdI /UISM/BD_MASK_AUTHORIZATION is used to mask data for authorized users based on a dynamic condition. Needless to mention, role-based attribute masking has its own business benefits compared with context-based attribute masking. So if your business needs call for role-based field-level security that is decided dynamically, do try it out and let me know your feedback!
Hi Manisha Madhwani
Thanks for your helpful blog post. My question is: does this masking feature work when someone accesses data via SE16N, SE11, etc.?
As you explained in your post, standard transactions in Fiori, GUI etc. can work with the BAdI, but how can we possibly enable it for a table or view?
Does this feature have separate licensing, or is it part of the standard S/4HANA components?
I appreciate your kind assistance.
This feature is not part of standard S/4HANA; you need to purchase a separate license for this solution.
As far as the SE16, SE16N and SE11 t-codes are concerned, the masking feature is well supported in all these transactions, and you can protect your sensitive data in these transactions as well.
Please follow the blog post in order to know how masking can be configured in these t-codes.
Amit Kumar Singh
Hi, thank you for sharing your knowledge. I am a QM consultant facing an issue with masking one of the field values in Quality Notification (QM01/QM02/QM03) in S/4HANA.
Please review and suggest a possible solution, as we are facing this issue from the customer in high priority from their end, as below.
We could not find either of the following SPRO paths to generate the standard hooks for masking:
- 'Generate Programs' available at IMG path SPRO->SAP NetWeaver->UI Data Protection Masking for SAP S/4HANA->Data Protection Configuration->Maintain Field Level Security and Masking Configuration->Generate Programs
- 'Generate Programs' available in SAP Menu -> Cross-Application Components -> UI Data Protection Masking for SAP S/4HANA -> Utility Reports -> Generate Programs.
Thanks in advance,
I am sharing a few screenshots which will help you locate the "Generate Programs" option, using which you can achieve the desired results.
If you still face any issue, I recommend raising a ticket with our support team under the "GRC-UDS-DO" component.
Amit Kumar Singh
Dear Amit Ji,
Thank you for your quick review of my issue and kind guidance. As per the PRD urgency, we had escalated the issue to SAP well before receiving your answer.
SAP suggested the following step: in the screen Display View "Maintain Masking Configuration" Overview >> press the Regenerate Programs button >> the SYSTEM-EXIT event is triggered for the respective field.
The "GRC-UDS-DO" component is maintained for the incident.
Theja | QM consultant.
I am aware of the incident that you raised with us, and I also discussed it with colleagues. Based on that discussion, we suggested this solution to you.
Please let me know whether this solved your issue or not. If not, I will discuss it with the team again on Monday.
Please let us know if you have any other concern related to masking configuration. We will be happy to help you.
Amit Kumar Singh
Dear Amit Ji,
As of today (09 June), the issue has been with 'Auth Action'. We can assume that the solution given by your team member worked for the client, as they have not reverted since 04 June.
Thanking you ,
Thanks for this important information.
Is this feature available for ECC 6.0 EHP 8?
Thanks for showing interest in our solution.
Yes, this feature is available for ECC 6.0 EHP 8. Please let us know if you have any further queries.
Our team will be happy to help you in this regard.
Amit Kumar Singh
Thanks for your prompt response.
Case in question is as below.
From time to time we do a production refresh to the QA environment, meaning live data, including sensitive data like PII, is available in QA. As a way of preventing users in QA from accessing this sensitive information, we are brainstorming about an SAP solution that can help us achieve this.
Kindly let me know if this use case is covered by your product.
You can use masking in the quality system to protect sensitive information the same way as you would in production. But your developers can see the sensitive information by debugging UI Masking's code.
This is well noted.
What are the license and implementations costs?
Is the SPRO path different in ECC 6.0? Could you share more on how to set this up in ECC 6.0?
Yes, the SPRO path is different in ECC 6.0. Please follow the blog link below to get a better insight into the solution.
Blog - Field Masking in SAP GUI
If you need further assistance, please reach out to us.
Amit Kumar Singh
This is to inform you that the contents and the feature information elaborated in this blog post are now obsolete. So, please do not use this blog post for any kind of reference.
To get updated and correct information about the solution, please visit the following SAP Community page, which is an official page managed by the UI Masking team.
SAP UI Data Protection
For any other help/information, please do reach out to us. We will be happy to help you.
Thanks & Regards,
Amit Kumar Singh