Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
Showing results for 
Search instead for 
Did you mean: 

‘Field Masking for SAP GUI’ is a solution to protect sensitive data on SAP GUI screens at field level. An authorized user will see the original data and unauthorized user will see the mask data on screen. Role based masking can be achieved by configuring sensitive fields in masking configurations.

In this blog, we will learn how to achieve Attribute based masking in transaction FBL1N.

What is Attribute based Masking:

Attributes that deal with time, location or dynamic aspects is called context (environment ) attribute. Masking a field based on attribute is called attribute based-masking.

e.g. – Masking the information of witness protected employee

Masking the Social security number of U.S citizen

Masking the Aadhaar information of Indian citizen


Product ‘Field Masking for SAP GUI’ is delivered to customer as add-on (UIM 100), to achieve context based masking Add-on UIM 100 must be installed in customer system.


Attribute masking is required in transaction FBL1N, Amount should be masked for G/L account '161000'.


Maintain Masking configuration:

Configure technical information (table name-field name) of field in masking configuration. Path SPRO->SAP NetWeaver->Field Masking for SAP GUI->Masking Configuration->Maintain Masking Configuration

BAdI Implementation:

Attribute based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.

Create BAdI implementation for method PREPARE_AUTH_VALUE, Pass filter value



Sample code is given below

    DATA lt_callstack      TYPE sys_callst.
    DATA lv_progname    TYPE dbglprog.
    DATA lv_struct      TYPE char30.
    FIELD-SYMBOLS<fs_context>      TYPE any.
    FIELD-SYMBOLS<fs_bseg>         TYPE any.
    FIELD-SYMBOLS<fs_hkont>        TYPE any.

    DATA lv_current_row TYPE lvc_rowpos.
    DATA lv_hkont       TYPE hkont.

    IF sy-tcode 'FBL1N'.

*-- Reading stack for program name
          et_callstack lt_callstack.

      "{ Start - Context data for ALV Grid
      READ TABLE lt_callstack ASSIGNING FIELD-SYMBOL(<fs_callstack>)
                                    WITH KEY eventname 'EXECUTE_GRID'
                                             progname  'CL_ALV_UIM_WRAPPER============CP'.
      IF sy-subrc 0.
        ASSIGN /uim/cl_msk_alv=>ss_data->TO <fs_grid>.
        lv_current_row /uim/cl_msk_alv=>sv_row_id.
        IF <fs_grid> IS ASSIGNED.
          READ TABLE <fs_grid> ASSIGNING <fs_context> INDEX lv_current_row.
      "} End- Context data for ALV Grid

      "{ Start - Context data for ALV List
      IF <fs_context> IS NOT ASSIGNED.
        READ TABLE lt_callstack ASSIGNING <fs_callstack>
                                      WITH KEY eventname 'K_KKB_LIST_DISPLAY'.
        IF sy-subrc 0.
          lv_progname <fs_callstack>-progname.
          lv_struct 'T_OUTTAB'.
*--reading value of structure from program
          CONCATENATE '('
                 INTO DATA(lv_exprsn).

          ASSIGN (lv_exprsnTO <fs_context>.
      "} End- Context data for ALV List

      " Get G/L account
      IF <fs_context> IS ASSIGNED.
        ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_context> TO <fs_hkont>.
        IF <fs_hkont> IS ASSIGNED.
          lv_hkont <fs_hkont>.

      "{ Start - Context data for Module Pool
      IF <fs_context> IS NOT ASSIGNED.
        READ TABLE lt_callstack ASSIGNING <fs_callstack>
                                           WITH KEY eventname 'OUT_MASK_EXIT'
                                                    progname  'SDYNPMSK'.
        IF sy-subrc 0.
          lv_progname sy-cprog.
          " Reading data from BSEG
          lv_struct 'BSEG'.
          CONCATENATE '('
                 INTO lv_exprsn.

          ASSIGN (lv_exprsnTO <fs_bseg>.

          IF <fs_bseg> IS ASSIGNED.
            UNASSIGN <fs_hkont>.
            ASSIGN COMPONENT 'HKONT' OF STRUCTURE <fs_bseg> TO <fs_hkont>.
            IF <fs_hkont> IS ASSIGNED.
              lv_hkont <fs_hkont>.

      IF lv_hkont <> '0000161000'.
        cs_mask_data-masked_val cs_mask_data-original_val.
        cs_mask_data-auth_flag  abap_true.




Execute transaction FBL1N, Amount is masked only for G/L Account 161000.


In this blog we have learnt how attribute-based masking is achieved for transaction FBL1N, Masking BAdI /UIM/BD_MASKING is used to mask data based on dynamic condition or context attributes.  Attribute based masking can be applied for other scenarios by implementing masking BAdI.