Product Information
UI Data Protection – Masking fields in IDoc documents in transaction WE05
Introduction
In this blog post, we will learn how to mask MATNR field value in IDoc documents in transaction WE05 based on “Field Name” information.
Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).
The end result will appear as:
Prerequisite
Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.
Let’s begin
Configuration to achieve masking
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Maintain Technical Address
In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.
You can get the Technical Address of a GUI field by pressing “F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “GUI Table Field Mapping”, maintain technical address for following fields.
Maintain Dynpro Field Technical Address
For “INT_SEG-STRING” Table Name-Field Name combination, “Program Name“, “Screen Number“, and “Field Name” information need to be mapped with “Logical Attribute“.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Optional Configuration -> Maintain Dynpro Field Technical Address
Follow below mentioned steps:
Under “GUI Dynpro Technical Address”, maintain following technical address.
- Enter “Program Name” as “IDOC_TREE_CONTROL”
- Enter “Screen Number” as “0100”
- Enter “Field Name” as “INT_SEG-STRING“
- Enter “Logical Attribute” as “LA_IDOC”
- Click on “Save” button to save the information
Policy Configuration
A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.
Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.
Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_MASK_IDOC_VALUE”
- Select “Type” as “Field Level Masking”
- Select “Application Module” as “* Cross-Application”
- Enter “Description” as “Mask IDoc Field Value”
- Click on “Save” button
Write following logic into Policy
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_IDOC” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Attribute Based Authorization” option
- Enter “Policy Name” as “POL_MASK_IDOC_VALUE”
- Click on “Save” button
Conclusion
In this blog post, we have learnt how Attribute-based masking is achieved in transaction WE05 for masking “MATNR” field value based on “Field Name” information.
Hi Amit,
Nice Blog.
Thank you...!!!
Thank you! I like it! It is very helpful. I have one question regarding the settings in Maintain Dynpro Field Technical Address. Maybe do you know the purpose of the field 'Reference Field value'? My case is to mask field KOMV-KSCHL only when value is PB00. Is this the purpose of that field? Thank you for your answer in advance.
Hi Natalia,
Reference Field Values are maintained when technical addresses are maintained for GUI Dynpro Channel. It is an optional reference field type and contains the reference field value. Maintaining this field value will not solve your problem.
In your case, you need to configure ABAC masking using Policy. In order to get an insight how policies are being written and masking gets configured based on ABAC concept, please refer the Blog Post on ABAC Masking
In case you need further assistance, please raise an incident under "GRC-UDS-DO" component. Our support team will help you in this regard.
Thanks,
Amit Kumar Singh