Product Information
Field Masking – Context based masking scenario in CS03
Introduction
In this blog post, we will learn how to mask “Component”, “Component Description“, and “Quantity” fields of Bill of Materials (BoM) based on “Material Group” information in transaction CS03.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
The end result for unauthorized users will look like below:
What is Context based Masking?
Attributes that deal with time, location or dynamic aspects is called Context (environment) attribute. Masking a field based on context attribute is called Context based-masking.
e.g. – Masking the salary of employees who belong to Germany.
Prerequisite
“Field Masking for SAP GUI” is a solution to protect sensitive data on SAP GUI screens at field level.Product “Field Masking for SAP GUI” is delivered to customer as add-on (UIM 100). To achieve Role based masking, Add-on UIM 100 must be installed in customer system.
Requirement
Context-based masking is required for transaction CS03, “Component”, “Component Description“, and “Quantity” fields of Bill of Materials (BoM) in transaction CS03 need to be masked whose “Material Group” is “00107”.
Maintain Masking configuration
Configure Technical Information (Table Name-Field Name) of field in masking configuration.
You can get the Technical Address of a GUI field by pressing “F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration->Maintain Masking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Table Name” as “RC29P”
- Enter “Field Name” as “IDNRK”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
- Click on “New Entries” button
- Enter “Table Name” as “RC29P”
- Enter “Field Name” as “KTEXT”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
- Click on “New Entries” button
- Enter “Table Name” as “RC29P”
- Enter “Field Name” as “MENGE”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
- Click on “New Entries” button
- Enter “Table Name” as “RC29P”
- Enter “Field Name” as “BOMOB”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
- Click on “New Entries” button
- Enter “Table Name” as “RMMG1”
- Enter “Field Name” as “MATNR”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
- Click on “New Entries” button
- Enter “Table Name” as “MAKT”
- Enter “Field Name” as “MAKTX”
- Enter “PFCG Role Name” as “ZTEST“. In this example, we have used a blank role “ZTEST”. Customers can use any role as per their requirement.
- Check “Masking Control” checkbox”
- Click on “Save” button
Mass Configuration
For the above entries, “Mass Configuration” report should be executed which is required to generate technical addresses.
Follow below mentioned steps:
- Select the entry
- Click on “Mass Configuration” button
- Click on “Select All” button
- Click on “Generate Customizing” button
- Save the information
BAdI Implementation
Context-based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.
Create BAdI implementation for method PREPARE_MASK_DATA
Sample code is given below –
METHOD /uim/if_uisecurity~prepare_mask_data.
DATA : lv_matnr TYPE matnr,
lv_progname TYPE dbglprog,
lv_struct TYPE string.
IF cs_mask_data-tabname = 'RC29P'.
IF cs_mask_data-fldname = 'KTEXT' OR cs_mask_data-fldname = 'IDNRK'
OR cs_mask_data-fldname = 'MENGE' OR cs_mask_data-fldname = 'BOMOB'.
lv_progname = 'SAPLCSDI'.
lv_struct = 'RC29P-IDNRK'.
CONCATENATE '(' lv_progname ')' lv_struct INTO DATA(lv_expr).
ASSIGN (lv_expr) TO FIELD-SYMBOL(<fv_matnr>).
IF <fv_matnr> IS ASSIGNED.
lv_matnr = <fv_matnr>.
ENDIF.
ENDIF.
ELSEIF cs_mask_data-tabname = 'RMMG1' OR cs_mask_data-tabname = 'MAKT'.
IF cs_mask_data-fldname = 'MAKTX' OR cs_mask_data-fldname = 'MATNR'
OR cs_mask_data-fldname = 'MENGE' .
lv_progname = 'SAPLMGD1'.
lv_struct = 'RMMG1-MATNR'.
CONCATENATE '(' lv_progname ')' lv_struct INTO lv_expr.
ASSIGN (lv_expr) TO <fv_matnr>.
IF <fv_matnr> IS ASSIGNED.
lv_matnr = <fv_matnr>.
ENDIF.
ENDIF.
ENDIF.
IF lv_matnr IS NOT INITIAL.
SELECT SINGLE matnr, matkl FROM mara INTO @DATA(ls_mara)
WHERE matnr = @lv_matnr AND matkl = '00706'.
IF sy-subrc = 0 .
cs_mask_data-auth_flag = abap_true.
ENDIF.
ENDIF.
ENDMETHOD.
Conclusion
In this blog post, we have learnt how Role-based masking is achieved for “Component”, “Component Description“, and “Quantity” fields of Bill of Materials (BoM) based on “Material Group” information in transaction CS03.
Note:
For information of masking in transaction MIGO, please refer the blog post Field Masking – Mask Vendor, Material, and Quantity related information in MIGO
Hi,
It's a great Blog, I am trying to implement the same, for one of my client, can you please share which notes are used to enable this functionality or any document which you have captured and can be shared across
Thanks and Regards,
Abhishek Parab
Hi Abhishek,
Please raise an incident under "GRC-UDS-DO" component so that Support Team can provide you a resolution on the same.
Regards,
Amit Kumar Singh