Objective:
‘Field Masking for SAP GUI’ is a solution to protect sensitive data on SAP GUI screens at field level. An authorized user sees the original data, while an unauthorized user sees the masked data on screen. Role-based masking can be achieved by configuring the sensitive fields in the masking configuration.
In this blog, we will learn how to achieve attribute-based masking in transaction FBL1N.
What is Attribute-Based Masking:
Attributes that deal with time, location or other dynamic aspects are called context (environment) attributes. Masking a field based on such an attribute is called attribute-based masking.
e.g. – Masking the information of a witness-protected employee
Masking the Social Security number of a U.S. citizen
Masking the Aadhaar information of an Indian citizen
Prerequisite:
The product ‘Field Masking for SAP GUI’ is delivered to customers as an add-on (UIM 100). To achieve context-based masking, add-on UIM 100 must be installed in the customer system.
Requirement:
Attribute-based masking is required in transaction FBL1N: the Amount should be masked for G/L account '161000'.
Maintain Masking configuration:
Configure the technical information (table name and field name) of the field in the masking configuration. Path: SPRO->SAP NetWeaver->Field Masking for SAP GUI->Masking Configuration->Maintain Masking Configuration
BAdI Implementation:
Attribute-based masking can be achieved by implementing the masking BAdI /UIM/BD_MASKING.
Create a BAdI implementation for method PREPARE_AUTH_VALUE and pass the filter values
TABNAME = 'RFPOSXEXT' , FIELDNAME = 'DMSHB'
Sample code is given below:
DATA lt_callstack TYPE sys_callst.
DATA lv_progname TYPE dbglprog.
DATA lv_struct TYPE char30.
FIELD-SYMBOLS: <fs_context> TYPE any.
FIELD-SYMBOLS: <fs_grid> TYPE STANDARD TABLE.
FIELD-SYMBOLS: <fs_bseg> TYPE any.
FIELD-SYMBOLS: <fs_hkont> TYPE any.
DATA lv_current_row TYPE lvc_rowpos.
DATA lv_hkont TYPE hkont.

IF sy-tcode = 'FBL1N'.
  " Reading stack for program name
  CALL FUNCTION 'SYSTEM_CALLSTACK'
    IMPORTING
      et_callstack = lt_callstack.

  "{ Start - Context data for ALV Grid
  READ TABLE lt_callstack ASSIGNING FIELD-SYMBOL(<fs_callstack>)
       WITH KEY eventname = 'EXECUTE_GRID'
                progname  = 'CL_ALV_UIM_WRAPPER============CP'.
  IF sy-subrc = 0.
    ASSIGN /uim/cl_msk_alv=>ss_data->* TO <fs_grid>.
    lv_current_row = /uim/cl_msk_alv=>sv_row_id.
    IF <fs_grid> IS ASSIGNED.
      " Row of the grid that is currently being masked
      READ TABLE <fs_grid> ASSIGNING <fs_context> INDEX lv_current_row.
    ENDIF.
  ENDIF.
  "} End- Context data for ALV Grid

  "{ Start - Context data for ALV List
  IF <fs_context> IS NOT ASSIGNED.
    READ TABLE lt_callstack ASSIGNING <fs_callstack>
         WITH KEY eventname = 'K_KKB_LIST_DISPLAY'.
    IF sy-subrc = 0.
      lv_progname = <fs_callstack>-progname.
      lv_struct = 'T_OUTTAB'.
      " Reading value of structure from program via (PROGRAM)NAME
      CONCATENATE '('
                  lv_progname
                  ')'
                  lv_struct
                  INTO DATA(lv_exprsn).
      ASSIGN (lv_exprsn) TO <fs_context>.
    ENDIF.
  ENDIF.
  "} End- Context data for ALV List

  " Get G/L account
  IF <fs_context> IS ASSIGNED.
    ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_context> TO <fs_hkont>.
    IF <fs_hkont> IS ASSIGNED.
      lv_hkont = <fs_hkont>.
    ENDIF.
  ENDIF.

  "{ Start - Context data for Module Pool
  IF <fs_context> IS NOT ASSIGNED.
    READ TABLE lt_callstack ASSIGNING <fs_callstack>
         WITH KEY eventname = 'OUT_MASK_EXIT'
                  progname  = 'SDYNPMSK'.
    IF sy-subrc = 0.
      lv_progname = sy-cprog.
      " Reading data from BSEG
      lv_struct = 'BSEG'.
      CONCATENATE '('
                  lv_progname
                  ')'
                  lv_struct
                  INTO lv_exprsn.
      ASSIGN (lv_exprsn) TO <fs_bseg>.
      IF <fs_bseg> IS ASSIGNED.
        UNASSIGN <fs_hkont>.
        ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_bseg> TO <fs_hkont>.
        IF <fs_hkont> IS ASSIGNED.
          lv_hkont = <fs_hkont>.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDIF.
  "} End - Context data for Module Pool

  " Show the original value for every account other than 161000.
  " Note: this also applies when no account could be read above
  " (lv_hkont is still initial), so the amount is then shown unmasked.
  IF lv_hkont <> '0000161000'.
    cs_mask_data-masked_val = cs_mask_data-original_val.
    cs_mask_data-auth_flag = abap_true.
  ENDIF.
ENDIF.
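The sample above shows the amount unmasked whenever lv_hkont differs from '0000161000', which includes the case where none of the three context lookups resolved an account. The following added example (not part of the original blog or of the delivered add-on) moves that decision into a helper that keeps the field masked when the account is unknown and accepts more than one protected account; the class lcl_gl_mask_rule, its method may_unmask and the type ty_hkont_range are hypothetical names, assumed to be placed in the local definitions of the BAdI implementation class.

```abap
" Added example. lcl_gl_mask_rule, may_unmask and ty_hkont_range are
" hypothetical names, not part of the UIM add-on.
CLASS lcl_gl_mask_rule DEFINITION FINAL.
  PUBLIC SECTION.
    TYPES ty_hkont_range TYPE RANGE OF hkont.
    CLASS-METHODS may_unmask
      IMPORTING iv_hkont         TYPE hkont
                it_masked_hkont  TYPE ty_hkont_range
      RETURNING VALUE(rv_unmask) TYPE abap_bool.
ENDCLASS.

CLASS lcl_gl_mask_rule IMPLEMENTATION.
  METHOD may_unmask.
    " Fail closed: no resolved account, or no rule maintained -> stay masked.
    " (An empty range table would match every value in an IN comparison.)
    IF iv_hkont IS INITIAL OR it_masked_hkont IS INITIAL.
      rv_unmask = abap_false.
      RETURN.
    ENDIF.
    " Unmask only when the resolved account is outside the protected set.
    rv_unmask = xsdbool( iv_hkont NOT IN it_masked_hkont ).
  ENDMETHOD.
ENDCLASS.

" --- Fragment for the end of PREPARE_AUTH_VALUE, replacing the final
" --- IF lv_hkont <> '0000161000' block. lv_hkont and cs_mask_data are the
" --- names used in the page's sample; accounts are given in internal
" --- format (leading zeros), as in that sample.
DATA(lt_masked_hkont) = VALUE lcl_gl_mask_rule=>ty_hkont_range(
  ( sign = 'I' option = 'EQ' low = '0000161000' ) ).

IF lcl_gl_mask_rule=>may_unmask( iv_hkont        = lv_hkont
                                 it_masked_hkont = lt_masked_hkont ) = abap_true.
  cs_mask_data-masked_val = cs_mask_data-original_val.
  cs_mask_data-auth_flag  = abap_true.
ENDIF.
```

With this variant, rows for which no G/L account can be read stay masked for every user, so each FBL1N display mode covered by the sample (ALV grid, ALV list, module pool) should be checked after the change.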
Result:
Execute transaction FBL1N. The Amount is masked only for G/L account 161000.
Conclusion:
In this blog, we have learnt how attribute-based masking is achieved for transaction FBL1N. The masking BAdI /UIM/BD_MASKING is used to mask data based on dynamic conditions or context attributes. Attribute-based masking can be applied to other scenarios by implementing the masking BAdI.