In this blog post, we will learn how to mask fields of S_ALR report “S_ALR_87012177” which is a Classical Report in SAP GUI.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
The end result for unauthorized users will look like below:
Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.
Role-based masking is required for S_ALR report “S_ALR87012177“. Some of the fields need to be masked on this report.
Recording Tool for Technical Address
In order to mask the fields on SAP GUI, Technical Information (Table Name-Field Name) is required which users can get by pressing “F1” on the field. There are some instances where “F1” is not working for some or all of the fields of S_ALR reports in SAP GUI. In our scenario, “F1” is not working for any of the fields on S_ALR report “S_ALR87012177“.
In this scenario “Recording Tool for Technical Address” will help user to find technical address for UI Masking. This report logs/records User Trace, Table Name-Field Name, Field Value and other metadata information that helps users to find Technical Address for masking.
Even after running the Recording Tool, if you do not see the Table Name-Field Name information of the field that you want to mask in the report then it is not possible to mask that field technically because of technical limitation.
How to use Recording Tool for Technical Address?
User should be activated for recording then he needs to run the actual transaction for which masking is required. Then, after successful execution of transaction user can view Table Name-Field Name and other metadata information.
- Execute T-Code “/N/UISM/TTRACE”. “Recording Tool for Technical Address” screen will be displayed.
- Enable Recording – Click on “Enable” button in order to activate recording at Global Level.
- Activate User – Click on “Activate User” button in order to activate recording for the user. Provide the “User Name”, “Timeout Period in minutes” and check “Value to be stored?” check-box and click on “OK” button.
- User: User for which store the technical address for UI fields entries.
- Timeout (in Mins): User activation timeout period in minutes.
- Value to be stored: Need to store the value or not.
- Recording will get activated for the user and “Status” flag will change to “Active”.
- Execute T-Code “/OS_ALR87012177″. “Customer Payment History” screen will be displayed. Click on “Execute (F8)” button.
- Report details will be displayed.
- View Recording Data – Select the user for which you want to view the Recording Data and click on “View” button.
- Provide the Selection Parameters in order to view the Recording Data and click on “Execute” button.
- Based on the selection parameters, the system displays a list of entries which contains Table Name-Field Name information using which user can configure masking on the fields.
- Deactivate User – Select the row and click on “Deactivate User” button in case you want to deactivate the recording for the selected user.
- Click on menu “RFC Destination” and then click on “Maintain RFC to Customizing Client” option.
- Select the “RFC to Cust Client” value from the list which will be available by pressing “F4” on the field.
“RFC to Cust Client” field value must be specified. This field expects the “RFC Destination of the Customizing Client”. This RFC will be used by UI Data protection masking Recording Tool Application to maintain Masking Configuration in Customizing system. The Logical Attributes maintained in this client will be visible in simulation view report.
Configuration to achieve masking
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Assign Logical Attribute
- Select the entry for which you want to configure the Logical Attribute and click on “Assign Logical Attribute” button.
- Enter Logical Attribute name and select one of the option (i.e. Technical Address or Data Element) based on which you want to configure the Logical Attribute and click on “OK” button.
- Success message will be shown if Logical Attribute is successfully assigned and assigned Logical Attribute will be displayed next to the Field ID on which it has been assigned.
- Also, mapping of Logical Attribute with Technical Address can also be seen in “GUI Table Field Mapping” section under “Maintain Technical Address”.
In order to configure masking for other fields in the report, repeat the steps mentioned in “Assign Logical Attributes” section of the blog post.
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_CUST_PMT_HISTORY” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Role Based Authorization” option
- Enter “PFCG Role” as “/UISM/PFCG_ROLE“. In this example, we have used a blank role “/UISM/PFCG_ROLE”. Customers can use any role as per their requirement.
- Enter “Field Level Action” as “MASK_FIELD”
- Click on “Save” button
In this blog post, we have learnt how Role-based masking is achieved for mask fields of S_ALR report “S_ALR87012177” which is a Classical Report in SAP GUI.
For information on Recording Tool in UIM Data Protection, please refer the blog post Field Masking – How to use Recording Tool for masking in Classical Reports