Introduction
In this blog post, we will learn how the “Self Service” Reveal type of Enhanced Reveal method works in SAP GUI. We will explore the configuration process by masking the “Social Security Number” of Employees in Infotype 2 (Personal Data) in transaction PA30.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
The result for unauthorized users will look like below:

Reveal on Demand
UI Data Protection Masking introduces an intercept point for a user’s access to data based on a determination of authorization.
Reveal on Demand constitutes a second intercept, refining and basing authorization on additional conditions. This feature provides an additional level of data protection in SAP GUI by masking the field value by default, irrespective of whether the user is authorized to view the original field value. The authorized user then explicitly chooses the option to reveal the field value on the user interface.
In the case of Self Service Reveal type, the user can choose the option “Reveal Data” to reveal the field value. When the authorized user reveals the data, a dialog box (which can be configured to display a confirmation message, reason code, and free text) is displayed. The user can view the data by specifying a reason for revealing. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal using “Hide Data” option.
- To unmask the Social Security Number field using the Reveal on Demand feature, follow this path: in the PA30 transaction “Display Personal Data” screen, click on “Help” -> “Reveal Data” option.

- On Reveal on Demand wizard in Field Selection (Step 1), select “ID number” field by clicking on "Select" checkbox, and click on “Next” button.

- On Reveal on Demand wizard in Reveal Attribute (Step 2), click on "Next" button.

- On Reveal on Demand wizard in Enter Reason (Step 3), select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on “Submit” button.

- On Reveal on Demand wizard in Summary step, click on "OK" button.

- Field value will get unmasked for “Social Security Number” field.

- To mask the field value again, follow this path: in the PA30 transaction “Display Personal Data” screen, click on “Help” -> “Hide Data” option.

- On Reveal on Demand wizard in Hide Sensitive Data screen, select “ID number” field by clicking on "Select" checkbox, and click on “Hide Data” button.

- “Social Security Number” field will again appear as masked.
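
The two intercepts described in this section (role check first, then an explicit reveal with a reason and a timeout), modelled in Python as an added example; it is not SAP code and not part of the original post. The class and function names, the 5-minute timeout and the use of "DVA" as the reason key are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class MaskingConfig:
    # Values taken from the configuration steps on this page, except timeout_minutes.
    logical_attribute: str = "LA_SOCSECNO"
    pfcg_role: str = "/UISM/ALL"
    field_level_action: str = "MASK_FIELD"
    reveal_on_demand: bool = True
    timeout_minutes: int = 5            # assumed; the page gives no value
    reason_codes: tuple = ("DVA",)      # "DVA Data Verification"

def mask(value: str) -> str:
    """Replace every character with an asterisk."""
    return "*" * len(value)

@dataclass
class Session:
    user_roles: set
    cfg: MaskingConfig = field(default_factory=MaskingConfig)
    revealed_until: float = 0.0         # seconds; 0 means hidden
    reveal_log: list = field(default_factory=list)  # model-only record of requests

    def authorized(self) -> bool:
        # First intercept: role-based authorization check.
        return self.cfg.pfcg_role in self.user_roles

    def reveal(self, reason: str, comment: str, now: float) -> bool:
        # Second intercept: an authorized user must still ask, with a maintained reason.
        if not (self.authorized() and self.cfg.reveal_on_demand):
            return False
        if reason not in self.cfg.reason_codes:
            return False
        self.revealed_until = now + self.cfg.timeout_minutes * 60
        self.reveal_log.append((now, reason, comment))
        return True

    def hide(self) -> None:
        self.revealed_until = 0.0       # "Hide Data" re-masks immediately

    def display(self, value: str, now: float) -> str:
        if not self.authorized():
            return mask(value)          # unauthorized: always masked
        if self.cfg.reveal_on_demand and now >= self.revealed_until:
            return mask(value)          # authorized, but not (or no longer) revealed
        return value
```
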
Prerequisite
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
Requirement
Here, we want to configure masking for Social Security Number field in Infotype 2 (Personal Data) in transaction PA30 using Role-based authorization concept with Self Service Reveal type based on Enhanced Reveal method.
Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
Let’s begin!
Basic Settings for Reveal on Demand
To enable the Reveal on Demand feature, follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags
Follow below mentioned steps:
- Select the “Reveal on Demand” checkbox to enable the Reveal on Demand functionality.
- Once you have enabled Reveal on Demand feature, set the Reveal Method as Enhanced Reveal.

Maintain Reveal on Demand Configuration
If Reveal Method is set as Enhanced Reveal, following settings need to be performed –
Timeout Period: Applies to Self Service scenarios and specifies how long, in minutes, the requesting user will be allowed to access the revealed data.
Validity Period: Applies to Workflow scenarios and specifies how long, in days, the requesting user will be allowed to access the revealed data. This default value can be changed by the requesting user and the approver as needed.
Follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reveal on Demand Configuration

Maintain Reason Codes
Reason Codes need to be maintained which will appear in the Reason field and these Reason Codes need to be selected by the user when data of the UI fields configured for masking is revealed.
Follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reason Codes

Configuration to achieve masking for Social Security Number field
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes
Follow below mentioned steps:
Under “Maintain Logical Attributes”, maintain following logical attribute.
Social Security Number
- Click on “New Entries” button
- Enter “Logical Attribute” as “LA_SOCSECNO”
- Enter “Description” as “Social Security Number”
- Select “Is Sensitive” checkbox
- Click on “Save” button

Maintain Technical Address
To mask the fields on SAP GUI Module Pool screens, Technical Information (Program Name-Screen Number-Field Name) is required which users can get by pressing “F1” on the field.

Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “SAP GUI (Module Pool) Field Mapping”, maintain technical address for following field.
- Click on “New Entries” button
- Enter “Program Name” as “MP000200”
- Enter “Screen Number” as “2010”
- Enter “Field Name” as “Q0002-PERID”
- Enter “Logical Attribute” as “LA_SOCSECNO”
- Click on “Save” button

Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in the above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
Social Security Number
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_SOCSECNO” and press “Enter” key. “Description” will get populated in corresponding fields
- Check “Enable Configuration” checkbox
- Select “Role Based Authorization” option
- Enter “PFCG Role” as “/UISM/ALL”. The role “/UISM/ALL” must be assigned to the logged-in user. Customers can use any role as per their requirement.
- Enter “Field Level Action” as “MASK_FIELD”
- Check "Reveal on Demand" checkbox
- Select "Reveal Type" as "Self Service"
- Click on “Save” button

Conclusion
In this blog post, we have learnt how Role-based masking with Reveal on Demand of Self Service Reveal type based on Enhanced Reveal method is configured for “Social Security Number” field in transaction PA30.