Field Masking for SAP GUI/Webgui/Fiori is a solution to protect sensitive data on SAP application at field level. An authorized user will see the original data and unauthorized user will see the mask data on screen. Role based masking can be achieved by configuring sensitive fields in masking configurations.
In this blog, we will see how to achieve dynamic role-based masking in SAP application view/screens for a custom requirement using BADI in a simple way. So friends, lets get started.
What is Role-Based Masking:
Masking a field based on PFCG Role assigned to user is called role-based attribute masking.
e.g. – Masking the salary of employees who belong to Managerial Role.
Need for Dynamic Role-Based Field Masking:
All the configured attributes in UI Masking(UIM) are by default masked for an unauthorized user based on user role (pfcg) assignment. However, if a UIM based field masking is to be decided run-time for an authorized user having valid role, then it would be called as dynamic field masking.
To achieve role based field-masking Add-on SAP UIM must be installed and configured ( UISM – 100, UIMUI5 – 200 ).
This blog assumes that user has,
- Basic UIM configuration relating to Logical Attribute Declaration, Maintaining Technical Address and Masking Pattern in place.
- A PFCG role having authorized users who may have access to configured application-field in above point who would see data which is masked. Hence, masking would work only for authorized users as per pfcg role.
- In our example, I am using pfcg role /uism/pfcg_role which I am authorized, meaning my user id is added under that role>>user section. Hence, I am valid authorized user a per role and as per UIM all configured fields would be unmasked by default when I access the configured sap application, (it can be any gui/fiori/webgui), in our example I am using fiori application.
In existing uim system, field masking configuration is done for four fields say customer name, city, company code and phone of a SAP fiori application Display Customer List. Our requirement, is to mask only two fields out of four i.e. location and company code for those customers who are based out of Germany(i.e. who have city field value as Germany) and who do not come under company code 1710(i.e. who do not run on SAP).
Maintain Masking configuration:
Configure technical information (application name-field name) of field in masking configuration. Path SPRO->SAP NetWeaver->UI Data Protection Masking for SAP S/4HANA->Maintain Metadata Configuration->Maintain Logical Attributes->Select a logical attribute->Masking Configuration
Note: BADI Filter passed here is named as MASK_ALL, you can give any name to your badi filter. Also, you can use same filter name, if you are using same badi for the respective logical attribute.
Maintain BADI configuration:
Configure technical information (application name-field name) of field in masking configuration. Path SPRO->SAP NetWeaver->UI Data Protection Masking for SAP S/4HANA->Business Add Ins->BADI: Authorization Check for Field Level Security. Execute and Create a Badi.
Click OK or press continue. After BADI declaration, you have to define the filter values. Click on create combination-
You have to pass the same filter name for which you are creating badi. In the sense, you are creating badi filter for logical attribute location having badi filter name configured in UIM as MASK_ALL. You will pass the same name here.
Click on save. Now, you to write dynamic masking code. Click on Implementing class->Execute authorization
Role based dynamic field masking can be achieved by implementing Masking BAdI /UISM/BD_MASK_AUTHORIZATION.
Create BAdI implementation for method EXECUTE_AUTHORIZATION,
Double-click on execute authorization and implement the interface method to write the dynamic masking code.
So till this step, you would find that static field masking as configured in UIM would mask all the configured fields for unauthorized/authorized user, until you write dynamic sample code in interface method as below-
Above is a sample code to make field masking dynamic only for authorized users just add an if condition(if cv_auth_indicator = ‘Y’) having scope from first line to the end of code.. You can make call to a rest api or RFC or any FM as per requirement to decide ‘Y’ or ‘N’ upon.
Dynamic role-based field masking is working in sap application. Company code and city text is masked based on dynamic logic in Badi.
This blog, shows how to acheive dynamic field masking for role-based SAP application as configured in UIM can be GUI/Fiori/Table/WebGui etc. Implementation of the masking BAdI /UIM/BD_MASK_AUTHORIZATION is used to mask data based on dynamic condition for the authorized users. Needless, to mention role-based attribute masking have their own business benefits vs. context-based attribute masking. Thus, if your business needs fall in a role-based field level security to be mapped dynamically then do try it out and let me know feedback!.