Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Field Masking - Context based masking scenario in DEBIS Search Help screen

AmitKrSingh
Advisor
Advisor
‎02-17-2020 9:00 AM
0 Kudos

Introduction


In this blog post, we will learn how to mask “Distribution Channel”, “Division”, “Sales Office", and “Sales Group” fields in DEBIS Search Help“ screen based on “Sales Organization" information.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The end result for unauthorized users will look like below:


What is Context based Masking?


Attributes that deal with time, location or dynamic aspects is called Context (environment) attribute. Masking a field based on context attribute is called Context based-masking.

e.g. – Masking the salary of employees who belong to Germany.

Prerequisite


Field Masking for SAP GUI” is a solution to protect sensitive data on SAP GUI screens at field level.Product “Field Masking for SAP GUI” is delivered to customer as add-on (UIM 100). To achieve Role based masking, Add-on UIM 100 must be installed in customer system.

Requirement


Context-based masking is required for DEBIS Search Help screen, “Distribution Channel”, “Division”, “Sales Office", and “Sales Group” fields need to be masked whose “Sales Organization" is "1000".

Maintain Masking configuration


Configure Technical Information (Table Name-Field Name) of field in masking configuration.

You can get the Technical Address of a GUI field by pressing “F1” on the field.


Follow the given path:


SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration->Maintain Masking Configuration
Distribution Channel

Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Table Name” as “M_DEBIS

  • Enter “Field Name” as “VTWEG

  • Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.

  • Check “Masking Control” checkbox”

  • Click on “Save” button



Division

Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Table Name” as “M_DEBIS

  • Enter “Field Name” as “SPART

  • Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.

  • Check “Masking Control” checkbox”

  • Click on “Save” button



Sales Office

Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Table Name” as “M_DEBIS

  • Enter “Field Name” as “VKBUR

  • Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.

  • Check “Masking Control” checkbox”

  • Click on “Save” button



Sales Group

Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Table Name” as “M_DEBIS

  • Enter “Field Name” as “VKGRP

  • Enter “PFCG Role Name” as “/UIM/PFCG_ROLE“. In this example, we have used a blank role “/UIM/PFCG_ROLE”. Customers can use any role as per their requirement.

  • Check “Masking Control” checkbox”

  • Click on “Save” button



BAdI Implementation


Context-based masking can be achieved by implementing Masking BAdI /UIM/BD_SEARCH_HELP_MASK

Create BAdI implementation for method /UIM/IF_SEARCH_HELP_MASK~PREPARE_MASK_DATA

Sample code is given below –


*-- Loop the record table to read the sales org

LOOP AT ct_record_tab ASSIGNING <fs_mask>.



*-- check the sales org and if it is not 1000  

*--then unmask distribution channel, division, sales office and sales group

  IF <fs_mask>+3(4) NE '1000'.

    READ TABLE it_record_tab ASSIGNING <fs_unmask> INDEX sy-tabix.

    IF sy-subrc EQ 0.

	<fs_mask> = <fs_unmask>.

    ENDIF.

  ENDIF.



ENDLOOP.

Conclusion


In this blog post, we have learnt how Context-based masking is achieved in DEBIS Search Help for masking “Distribution Channel”, “Division”, “Sales Office", and “Sales Group” fields based on “Sales Organization" information.

Note:


For information on masking in Search Help screen in UI Data Protection, please refer blog post Attribute Based Access Control (ABAC) – Field Masking Scenario in DEBIX Search Help screen.
Labels:
4 Comments
PrashantVerma
Explorer
‎01-02-2024 9:10 AM

Hi @amit.kumar.singh05

 

I am in S4 HANA system, doing data masking by "UI DATA PROTECTION MASKING for SAP S4 HANA', I have a new requirement to show masking fields for F4 search help for any standard table fields like KNA1-KUNNR and all its rows in SE16N OR SE11 . How to achieve it for a specific role which will be maintained in PFCG. If i use data element masking then it will cause masking in the entire system. Result should be like if user has the role, they can view the value in F4 , if the users doesnot have the value they can see masked value.

 

AmitKrSingh
Advisor
Advisor
‎01-02-2024 9:58 AM
Hi Prashant,

To achieve this you may use Table-Field details instead of Data Element and the scenario can be configured using RBAC and ABAC both. You may refer the blogs to understand how to configure masking to protect sensitive information.

Regards,

Amit Kumar Singh
PrashantVerma
Explorer
‎01-02-2024 11:44 AM
Thank you @amit.kumar.singh05 for your response.

I have 2 points as a query -

Point1

  1.  As per the blog, I created a logical attribute,created the attribute based and assigned  the policy.

  2. In the Technical attribute created the Table and Field Name and assigned the logical attribute.

  3. Also, activated the policy. Still in search help, the masking is not appearing in SE11 or SE16N. Is there any thing i am missing ?. Please find the screenshot below



Point 2

In ECC system, Notes

2755940 - UIM 100 is implemented.


Is there any snote similar to ECC , I need to implement in  my S4 HANA system version UIDP100 ,UIDPUI5  100  to get this task done .

 

Thanks !!!

 
AmitKrSingh
Advisor
Advisor
‎01-02-2024 12:50 PM
Hi Prashant,

Please raise an incident under "GRC-UDS-DO" component so that our support team can investigate the problem.

Regards,

Amit Kumar Singh
Labels in this area
Popular Blog Posts