Technology Blogs by SAP
Nidhi
Product and Topic Expert
In this blog post common queries around UI Masking & UI Data Protection Masking Solutions are gathered and addressed.

 

General

Q: Which UI technologies does Masking support?

A: UI Masking is currently available for objects built on SAP GUI, SAP CRM, Web Dynpro ABAP, SAPUI5 and SAP Fiori. It is also possible to protect data exposed via SAP Gateway.

 

Q: Does masking work in databases?

A: The UI Masking solution works on the presentation layer. The data in database tables remains unchanged. However, special handling has been implemented to mask data when it is displayed in data browsers such as the SE11, SE16 and SE16N transactions.

           

Q: How is masking for a field controlled?

A: Masking is controlled by PFCG roles. A user who has the PFCG role assigned in the configuration for a field is authorized to see the original data. All other users will see the data in masked form. It is also possible to extend scenarios by implementing the BAdI to achieve Selective Masking or Attribute Based Authorization.

 

Q: Is masking supported for Custom programs or custom tables as well?

A: Yes, the UI Masking solution doesn’t differentiate between standard and custom objects. The behavior is the same for both.

 

Q: Can we change data for a masked field?

A: The field is disabled for editing when it is configured for masking. Hence, the user will not be able to change its value.

 

Q: Does the Masking add-on have any impact on existing standard ERP/Fiori applications?

A: Masking happens at runtime (on the fly) and hence functional behaviour of applications and data in DB tables are not impacted.

 

Q: Is there any sizing requirement or performance consideration with masking?

A: There is no sizing requirement and performance impact is negligible and not noticeable to the human eye.

 

Q: Will masking work if the technical address of a field in SAP GUI contains a structure instead of a table?

A: Yes, as masking works on the UI Layer, it doesn’t differentiate between a table or a structure.

 

Q: Is there any provision to turn UI Masking on or off to avoid any risks?

A: Masking solution can be turned on and off by using the global masking switch provided with the solution.

 

Q: Does the masking solution work during debugging?

A: While debugging, developers access data at the application layer. Because masking is applied after the application layer, developers with debug access will be able to see the original data.

 

Q: What is HANA Masking and how is UI Masking different from it?

A: HANA Masking is meant for DB admins who access the DB directly. It prevents unauthorized persons from accessing data in the HANA database. However, when HANA is connected to an application server such as S/4HANA, the original data has to be passed to the server so that business processes can run smoothly. UI Masking then kicks in after the business logic has processed the data, and masks it for unauthorized users in the application UIs (GUI, Fiori, etc.).

HANA masking and UI Masking complement each other and help protect data at both ends outside the spectrum of business processing.

 

Q: Is there a video I can watch to quickly understand the masking solution?

A: Refer to the links below.

  1. External, published PDF → https://www.sap.com/documents/2015/06/0a0d918e-5b7c-0010-82c7-eda71af511fa.html

  2. Short introduction video → http://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html


 

 

 

More Insights

Q: Does masking work with Composite roles as well?

A: Yes, masking supports both composite and single roles. If a composite role is maintained in customizing, then a user who has either the composite role or any of the single roles that the composite role comprises will be able to see unmasked data.
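
The role resolution described in this answer, as an added example (not SAP's code and not part of the original post): a small audit over constructed role data that shows who sees the original value when a composite role is configured, and lists users who qualify only through a member single role. All role, user and field names, and the `*` masking pattern, are assumptions made for illustration.

```python
# Constructed sample data, not taken from a real system.
FIELD = "ZVENDOR-BANKACCT"  # hypothetical table-field

# Masking configuration: field -> PFCG role allowed to see the original value.
MASKING_CONFIG = {FIELD: "Z_COMP_FINANCE"}

# Composite role -> single roles it comprises.
COMPOSITE_ROLES = {"Z_COMP_FINANCE": {"Z_AP_CLERK", "Z_TREASURY"}}

# User -> roles assigned directly to that user.
USER_ROLES = {
    "ALICE": {"Z_COMP_FINANCE"},
    "BOB": {"Z_AP_CLERK"},
    "CAROL": {"Z_SALES"},
    "DAVE": {"Z_TREASURY", "Z_SALES"},
}


def unmasking_roles(configured_role, composites=COMPOSITE_ROLES):
    """Roles that reveal the field: the configured role and, if it is
    a composite role, every single role it comprises."""
    return {configured_role} | composites.get(configured_role, set())


def sees_original(user, field, config=MASKING_CONFIG, user_roles=USER_ROLES):
    """True if the user holds any role that reveals the field."""
    role = config.get(field)
    if role is None:  # field not configured for masking: nothing is hidden
        return True
    return bool(user_roles.get(user, set()) & unmasking_roles(role))


def display(user, field, value):
    """Presentation-layer view: original for authorized users, else masked.
    The stored value is never altered; only the returned string differs."""
    return value if sees_original(user, field) else "*" * len(value)


def revealed_via_member_role_only(field, config=MASKING_CONFIG, user_roles=USER_ROLES):
    """Users who see the original value without holding the configured
    composite role itself; review these when auditing the configuration."""
    role = config[field]
    members = unmasking_roles(role) - {role}
    return sorted(u for u, roles in user_roles.items()
                  if role not in roles and roles & members)


if __name__ == "__main__":
    for user in sorted(USER_ROLES):
        print(user, display(user, FIELD, "DE4450010517"))
    print("Review:", revealed_via_member_role_only(FIELD))
```
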

 

Q: How do the create and change transactions work for a data field that has been masked?

A: In a change transaction, the field is disabled for editing. In a create transaction, the masked field should be pre-populated, otherwise saving the transaction will not be allowed.

 

Q: Does UI Masking solution also mask the values displayed during F4 search?

A: Yes, F4 search helps are supported for masking.

 

Q: Will UI masking affect the function of our customized program that generates a payment file for the bank? Should we be worried that data in the payment file will be masked too?

A: The payment file will not be masked. Masking works outside the business layer and in the presentation layer. Thus, business processes are not impacted.

 

Q: Does Masking prevent unauthorized access when data is being downloaded from an ALV?

A: Yes, Masking works during download scenarios. The sensitive data will appear in masked form in the downloaded list.

 

Q: Does UI Masking support spool results?

A: Yes, sensitive data will appear in masked form in spool results.

 

Q: What is a high-level effort estimate for masking and logging?

A: Typically, customers can go live with each masking / logging channel in a matter of weeks, if not days. The important thing is to have a ready set of requirements; the configurations are then straightforward.

 

Q: Will masking work for custom programs and/or SQL statements and BAdIs?

A: For SAP GUI masking, if you can see the Table-Field details in F1 Technical help, masking will work.

 

Q: Can masking and logging be implemented independently?

A: Yes, they are independent solutions which work best when used together but can be used independently as well.

 

Q: What will be the impact of this solution on system-to-system communication such as RFC calls?

A: Masking has no impact on system / communication IDs, as we do not work on the machine-to-machine layer.

 

Q: How can the masking BAdI be implemented to achieve selective masking / attribute-based authorization masking?

A: The approach is as follows:

  1. Create a Masking BAdI implementation with a filter value.

  2. In the implementation, check the ABAP stack of the program to find where you can get the context that you can use to decide whether to mask this field or not.

  3. For instance, you would check if the (program)t-f1 value EQ ‘ABC’, then mask. This applies to the field f2 which is currently being processed in the BAdI.


 

Q: For masking in SAP GUI screens, when do we enter the table name and field name, and when do we enter program screen details?

A: Masking in SAP GUI screens happens primarily on Table-Field. The program name and screen number details are needed only for module pool screens. You can use the mass configuration report to identify all program screens bound to a table-field and configure multiple SAP GUI screens at once, which eases the implementation effort.

 

Q: If an unauthorized person enters unmasked data for searching (i.e. in the selection screen), will the system retrieve the result?

A: The system will be able to retrieve the result. There is no way to prevent that without modifying each program for this purpose.

 

Q: For an input/output field on the screen, an unauthorized person is shown the masked value. Assume the masked value is not changed and the ‘Save’ button is clicked. What value will be saved in the database?

A: The original value would be saved in the DB. That is, what was originally in the DB would not be changed.

 

Q: Could you provide the overall development approach? (What needs to be done? What needs to be set up first, for both the application side and the server side? Do we install the add-on first and then set up the configuration in the system? Is it by transport?)

A: The add-ons are installed on the server side. All changes and configurations are transported from Dev to Quality to Production.

 

Q: What are the testing approaches? How do we test to ensure that there is no impact on our existing functions after enabling UI Masking?

A: The masking solution works just below the presentation layer and happens at runtime (on the fly), hence the functional behavior of applications and the data in DB tables are not impacted. The testing process is as follows:

  1. Identify the screens on which sensitive data is to be protected from unauthorized users.

  2. Configure the fields in the Dev system and save the entries in a customizing TR.

  3. Perform testing and release the customizing TR to other landscapes such as QA.

  4. Perform testing in QA with data in line with the productive environment and verify that data is masked for unauthorized users.

 

Q: How does the Field Access Trace work?

A: FAT, or Field Access Trace, works by storing a trace of accesses to fields that are maintained for masking. Users who view the FAT report can see who saw the sensitive data, whether masked or unmasked, and at what time.
38 Comments
deodutt_dwivedi
Active Participant
Hi Nidhi,

Thanks for the wonderful write-up. I see there is an annotation available in ABAP CDS view ui.masked, is this part of the above solution or a separate feature?

Regards,

Deo
srilakshmi_s2
Participant
Hi Nidhi,

How do we mask/authorize a field in one screen based on the value of a field in another screen? Say, for example, in MM03, I choose a plant in one screen and based on the value I have created the policy to mask a field in the accounting screen (which is different). But it does not work. In case both the fields are on the same screen, it works. Please advise.

Same is the case when I tried to mask the surname field in SU01 based on the user ID I choose in the initial screen. Only the default result gets executed.

Thanks

Hi Nidhi,

Great Blog!

Here you have mentioned Masking is possible for F4 help as well.

We are trying to mask a description field in SAPGUI.

The description gets masked on the program screen but when we do F4 on the key field, the description is still visible.

Would appreciate any help on the same.

Prateek

former_member607422
Participant
Hi Prateek,

Yes, it is possible to mask search help fields. Please let us know the details. You can raise an OSS message in the component - GRC-UDS-DO.

Regards,

Shantanu
former_member607422
Participant
Hi Srilakshmi,

You can use the attribute-based authorization feature offered by the product 'UI Masking for SAP S/4HANA'. This feature will allow you to use contextual information to protect sensitive fields.

For further information, you can refer to the SAP Blog

Regards,

Shantanu
former_member607422
Participant
Hi Deodutt,

This is a separate feature.

Regards,

Shantanu
former_member527545
Discoverer

Hello shantanu.sharma1996 & nidhi_sehgal

Thank you for the Q&A, this is very helpful!

We are studying the solution and its application in our company with a wide range of branches around the globe. Could you please advise if SAP UI masking for ECC could be applied in the following case:

  1. Masking based on a specific value, e.g. bank details of a vendor should be masked only if the Vendor’s account group is equal to XXXX -> I understand it’s possible to do via BAPI and attribute-based masking, right? What if this field is used in multiple screens and programs, in this scenario should we use different BAPIs for every screen/program?
  2. At the same time, we want this logic to be applied only for a certain group of people, not for everyone.

Could you please advise if such scenarios could be covered with SAP UI Masking for ECC?

Thank you

BR,

Nikolay

former_member607422
Participant
Hi Nikolai,

  1. It is possible to achieve masking based on a specific value. Through a customized BAdI you can achieve this. For details, you can refer to this blog. Yes, specific handling has to be done in case of multiple screens and programs.

  2. Yes, this scenario would possibly be covered too.


You can raise an OSS message in the component XX-PROJ-CDP-266 if you need further assistance.

Regards,

Shantanu
former_member688485
Discoverer
Hello - Thanks for the valuable information.

Does the UIM solution on ECC support masking on form outputs displayed on screen - such as preview of adobe forms, smart forms, sapscripts?

 
Nidhi
Product and Topic Expert
Hi Prathvi,

Masking in Form Output/Preview can be achieved using the UI Masking API. The only prerequisite is that this API needs to be integrated by the customer into the standard application which is generating the form.

Regards,

Nidhi Sehgal
former_member688485
Discoverer
Thanks Nidhi.

Can you please help elaborate a bit more on the UI Masking API and what is meant by integrating into the standard application?

Any blog or further documentation on this would be helpful.
former_member607422
Participant
Hi Prathvi,

The UI Masking API will allow you to extend the masking functionalities to a wider range of applications.

Please refer to this blog to get an idea of how the API is implemented. The blog mentions masking in C4C applications but the implementation of the API will be pretty much identical.

You can raise an OSS message in the component XX-PROJ-CDP-266 if you need further assistance.

 
robertoram
Explorer
Hello shantanu.sharma1996 & nidhi_sehgal

 

My understanding about the UI masking product and native S/4 data masking was that the S/4 functionality works over RAL configuration and was free (only for the SAP GUI channel). However, it seems that S/4 now supports all channels with native functionality. Does this mean all channels can be used for free? Can you clarify which scenarios need a license?

 

Regards,
Roberto
Hi Roberto

The S/4 masking that you are referring to is the S/4HANA version of the UI masking product, which is a licensed solution. The S/4 functionality that you mentioned, which works over RAL configurations, is still only applicable to dynpro fields (not for all things in SAP GUI).

Hope this clarifies. Please feel free to reach out in case you still have queries.

Best,
Deepak

 
yashwantt
Member
Hi,

How can I use the data masking feature in Web Dynpro ABAP? I want to mask the table columns fetched and processed through a Web Dynpro program. I have designed the front end in Web Dynpro and now want the data masking feature to mask some columns.

Thanks.
AmitKrSingh
Advisor
Hi Yashwant,

I will recommend you to go through the following blog posts in order to understand how masking can be configured in a Web Dynpro program -

ABAC Scenario in Web Dynpro

RBAC Scenario in Web Dynpro

You can raise an OSS message in the component GRC-UDS-DO if you need further assistance.

Thanks,

Amit Kumar Singh
sritco_saaq
Discoverer
Hello,

For UI S4HANA  with FES on HUB (separate):

Where to install UIDPUI5 AddOn? on FES, S4 or Both?

Thanks

Hi Sorin,

In a hub scenario, you will install the UIDPUI5 add-on on your FES system. For further details you can also refer to Main Note for S/4HANA masking

Please do let me know if you have any other queries.

Deepak

sritco_saaq
Discoverer
Thanks Deepak,

Yes, that was my understanding too.

Also, the master note 2980561 - UIDP 100 / UIDPUI5 100 states that we should install it on FES 6.

Still, Maintenance Planner is not showing the component, and SAINT refuses - incompatibility with NW ABAP version 7.54?!?

So, has anybody tried or successfully installed UIDPUI5 on FES 6 (hub) SP2?

Or are unknown compatibilities required?

Thanks
For your FES version, could you help with your SAP_BASIS and SAP_UI versions? There are a few restrictions around that. If memory serves, you need to be on SAP_UI 754 and SAP_BASIS 754 SP01.

If you are not meeting these requirements, you will have to install the previous version of the solution PAM LINK here
sritco_saaq
Discoverer
Thanks Deepak,

But on a Hub FES6, the maximum version of NW (SAP_BASIS) is 7.52; SAP_UI can be independently upgraded, as we did.

So, my components on FES (hub):

SAP_BASIS 7.52 SP6

SAP_UI 7.54 SP3

The PAM allows it (FES6 accepts UI Data Masking 2011 - and vice-versa)

It seems that the product (Data masking) allows installation only on FES Embedded on S/4HANA 1909 or later.

Any thoughts?

Thanks;

 
Hi Sorin,

Please allow me a few days to check with my team if there are alternates available to resolve this issue.

In the meantime, if needed, you can already use masking by using the previous version of the solution PAM LINK here

It is an easy upgrade to UIDP from there.

Best,

Deepak
Hi,
I read "It is also possible to protect data exposed via SAP Gateway". Is there more information available about this?

If I have an OData service based using a CDS or a BAPI, can I mask a data field with this solution?

BR, Guillaume
former_member463546
Discoverer
Hi Nidhi,

We have activated data masking for e.g. VAT registration number in the customer master. We receive IDoc DEBMAS to maintain customer master records via an external system, and this is processed via a background (system) user. Is there a need to assign the proper roles, in order to allow this background user to update the masked fields?

Kind regards
Nidhi
Product and Topic Expert
Hi Guillaume,

Yes, it is possible to mask data exposed via SAP Gateway. Any data field identified with the service-entity-property of any OData service can be masked using our solution.

Please refer to the blog for details.

https://blogs.sap.com/2021/01/01/attribute-based-access-control-abac-how-to-configure-masking-in-man...

Regards,

Nidhi Sehgal
Nidhi
Product and Topic Expert
Hi Henri,

Please be informed that Masking works on the User Interface Layer. There is no need to assign unmasking roles to the background user as the field data is getting updated in the background.

Please feel free to revert to this thread in case of any further query.

Regards,

Nidhi Sehgal
former_member463546
Discoverer

Hello Nidhi,

Thank you for your prompt response, however we see it acting differently, see per attached document. Is there any parameter to be set to ensure those unmasking roles are not required for the background user?

thanks, and kind regards.

Nidhi
Product and Topic Expert
Hi Henri,

Please open an incident in component GRC-UDS-DO for this issue. We need access to the system to look into the issue you described.

Thanks.

Regards,

Nidhi Sehgal
shital_lohar
Explorer
Hi,

 

We have added add ons as below in S/4 HANA sandbox system -


 

and followed below blog -

https://blogs.sap.com/2021/01/09/ui-data-protection-mask-net-price-information-in-se16-and-me1m-tran...

 

PFCG role is in place one with


 

but at the end we are not able to see any output with authorized user and with unauthorized user.

 

Are we missing any system config?

 

Thank You,

Shital.
Nidhi
Product and Topic Expert
Hi Shital,

 

Have you switched on the global flags and the RZ11 parameter for the UI Masking solution?

For switching on the RZ11 parameter, follow the below steps:

1. Enter transaction RZ10 or RZ11.
2. Enter the parameter name dynp/usrmasking.
3. Choose Display.
4. In the application toolbar, choose Change Value.
5. Set New Value to ALL.
6. Choose Save.

 

For Global Flags, follow the below URL.

https://help.sap.com/docs/UI_DATA_PROTECTION_MASKING_FOR_S4HANA/8fdc7b10574f4a6f9db4bb1d37cb80c3/45f...

 

Regards,

Nidhi Sehgal
shital_lohar
Explorer

Hi Nidhi,

 

Thank you so much for quick reply.

My issue is resolved by maintaining global flag value from OFF to ALL.

 

 

Thank You,

Shital.

shital_lohar
Explorer
Hi Nidhi,

 

I have done the configuration for reveal on demand, so now the authorized user is also able to see masked data by default, but in SE16->Help menu I am not able to see the option to set the reveal flag ON or OFF. I read somewhere that we need to configure a dialog box for the same but have no idea where to configure it, so can you please help me here.

 

Thanks,

Shital.
Nidhi
Product and Topic Expert
Hi Shital,

 

Have you implemented SAP Note '2697782 - UI Data Protection and Masking : Manual changes for SAP GUI - Reveal On Demand'?

To configure the Reveal on demand scenario, follow the below URL

https://help.sap.com/docs/UI_DATA_PROTECTION_MASKING_FOR_S4HANA/8fdc7b10574f4a6f9db4bb1d37cb80c3/993...

 

I would request you to please raise an OSS Incident in component GRC-UDS-DO to get a timely response.

 

Thanks.

 

Regards,

Nidhi Sehgal
shital_lohar
Explorer

Hi Nidhi,

Your comment helped me here, thank you very much. Will have raised an incident to SAP, as implementing this note indirectly affects F4 functionality.

Earlier when we implemented this note, F4 was not working throughout the system, so we reversed the changes of this note 2697782.

 

Thanks,

Shital.

vinod_jha06
Explorer
Above issue is resolved after doing the manual steps mentioned in Note – 2697782, but now the functionality of reveal data / hide data is not working.
OlivierDewit
Explorer
Hi Nidhi,

Very interesting Q&A! Thank you.

I have a question regarding custom programs. You said they were supported. Very good but do we need to change something in our custom programs for that?

Best regards,

Olivier
sriraghu
Discoverer
Hi Nidhi,

It's a very informative blog! Thank you for the details. We are looking at restricting a scenario where F4 search help has to be masked for a field in a Fiori tile. However, it doesn't seem to work as expected. All the prerequisite notes have been implemented in the system as indicated in the report. We are on SAPK-10003INUIDP & SAPK-10003INUIDPUI5 levels and the F4 search masking solution doesn't seem to work at the moment. Did you come across any such scenarios for S/4 HANA 2021?