UI Data Protection Masking for ECC scenarios: near feature parity with S/4HANA masking!

With the latest release cycle, we have been able to offer a new product version UI DATA
PROTECTION MASKING 1.0 for ECC scenarios – which brings all of the key data protection features, dynamic/attribute based authorizations, and integrated installation and configuration options from the highly advanced SAP S/4H based masking to be usable for ECC based scenarios! A list of only the key features is appended below.

In this initial release, the solution covers scenarios in SAP GUI, Web Dynpro ABAP, and Web Client UI; with UI5/Fiori based scenarios planned to be integrated with the solution in the future feature packs.

The new product version is based on SAP NetWeaver 7.4 and 7.5 – more specifics can be found in the Release Availability Documentation (RAD) and partly also in the Product Availability Matrix.

Find more information on this release in the Help Portal, as well as in the UI Data Protection community page for the solution in general!

Key Features included in this release are: 

UI data protection masking:
Only users with field-level authorization can view data. If a user is not authorized to view the field’s value, the data can be protected by masking, clearing, hiding, or disabling the field.

Data-element-based masking:
You can protect individual data elements independently of the UI technology displaying them.

Data blocking:
The system can suppress (not show) lines in table-style UI elements and block access to entire sensitive records in applications. This is useful in protecting highly sensitive data when the presence of a record should be hidden entirely and is available in SAP GUI transactions.

Attribute-based authorization:
The ABAC policy cockpit enables you to create policies to determine how you want to protect sensitive data within the system. Authorization checks also take the context of a field or data element into consideration.

Recording tool:
The recording tool records the technical addresses of the UI fields that a specified user accesses during a given timeframe and can be used when setting up your system to provide information for configuring sensitive attributes.

Field access trace:
The field access trace can write a trace entry whenever a user accesses fields configured for UI data protection masking, to understand and improve authorizations.

Reveal on demand:
This feature provides an additional level of data protection in SAP GUI by masking the field value by default, irrespective of whether the user is authorized to view the original field value. Users can choose the option to reveal the field value, giving a reason for viewing the data. This will be granted to authorized users only.

Data protection based on sensitive attributes and context attributes:
Sensitive attributes are at the heart of the solution and are the starting point for any configuration cycle. The different data protection options, such as masking and blocking, are applied to one core entity, the sensitive attribute. Context logical attributes encompass information related to a sensitive attribute. They define the context within which a sensitive attribute is to be protected. Context attributes can be static or dynamic in nature, and can therefore contain different values across different runtime scenarios.