Skip to Content
Product Information
Author's profile photo Amit Kumar Singh

UI Data Protection – Masking in Double-Click on SE16 and SE16N Record Display

Introduction

In this blog post, we will learn how to mask “Order Description”, “Company Code”, “Plant”, “Business Area”, and “Controlling Area” fields of AUFK table in Double-Click on SE16 and SE16N Record Display screen based on “Order Type” information.

Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

The end result will appear as:

SE16

SE16N

Prerequisite

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUISAPUI5/SAP FioriCRM Web Client UI, and Web Dynpro ABAP.

Let’s begin

Configuration to achieve masking

Logical Attribute is a functional modelling of how any attribute such as Social Security NumberBank Account NumberAmountsPricing informationQuantity etc. should behave with masking.

Configure Logical Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes

Maintain Technical Address

In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

You can get the Technical Address of a GUI field by pressing “F1” on the field.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “GUI Table Field Mapping”, maintain technical address for following fields.

Mass Configuration

For all the above entries, “Mass Configuration” report should be executed which is required to generate technical addresses.

Follow below mentioned steps:
  • Select the entry in GUI Table Field Mapping
  • Click on “Mass Configuration” button
  • Click on “Select All” button
  • Click on “Generate Customizing” button
  • Save the information

Policy Configuration

Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Select “Type” as “Field Level Masking
  • Select “Application Module” as “* Cross-Application
  • Enter “Description” as “Masking in AUFK table
  • Click on “Save” button

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:
  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_ORDR_BUAR” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Click on “Save” button

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_ORDR_COAR” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Click on “Save” button

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_ORDR_COCD” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Click on “Save” button

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_ORDR_DESC” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Click on “Save” button

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_ORDR_PLNT” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
  • Check “Enable Configuration” check-box
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_AUFK
  • Click on “Save” button

Conclusion

In this blog post, we have learnt how Attribute-based masking is achieved in Double-Click on SE16 and SE16N Record Display screen for masking “Order Description”, “Company Code”, “Plant”, “Business Area”, and “Controlling Area” fields of AUFK table based on “Order Type” information.

Assigned Tags

      6 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Sourav Chakraborty
      Sourav Chakraborty

      Hi Amit,

       

      We are trying to implement the UI masking in our project, but we are unable to find the given SPRO path:

      SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA

       

      Please note the initial setup as per the SAP note 2980561 has been completed.

       

      Thanks,

      Monica

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi Sourav,

      Please raise an incident under "GRC-UDS-DO" component for this problem. Our support team will look into the issue and provide a resolution on the same.

      Regards,

      Amit Kumar Singh

      Author's profile photo Former Member Shah
      Former Member Shah

      Hi can you provide me proper details how to mask at double click level for various tables se11 , s16n and etc. I am currently working on MDG system. So table level , Nwbc level and GUI level its working fine as expected. But during double click i am facing issue.

      what proper configuration needed please let me know. Because i am masking based on Roles.

       

       

       

       

       

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi,

      Please refer the following blog post to get the details -

      Blog for masking in Double-Click screen

      Regards,

      Amit

      Author's profile photo Former Member
      Former Member

      Hi.

      In our project we implemented all steps to mask field VTTRI from table DFKK_VT_TR, but nothing really happens, all customizing flags setting are enable for data protection + logical attribute + technical address based on GUID table field + Masking configuration using standard /UISM/PFCG_ROLE.

      There is nothing in trace tables like /uism/fat or trace report. What could i be missing ?, code is not even stopping at any of the standard implemented Badis. If there a switch thats need to be activated?, where can i put a break-point to ensure at least functionality is being process ?.

      Thanks in advance for any help 🙂 !!.

       

      Author's profile photo Amit Kumar Singh
      Amit Kumar Singh
      Blog Post Author

      Hi,

      Please coordinate with our support team by raising an incident under "GRC-UDS-DO" component.

      Regards,

      Amit