Financial Management Blogs by SAP
AmitKrSingh
Product and Topic Expert

Introduction


In this blog post, we will learn how the “Self Service” Reveal type of the Enhanced Reveal method works in SAP GUI. We will explore the configuration process by masking the “Social Security Number” of Employees in Infotype 2 (Personal Data) in transaction PA30.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The result for unauthorized users will look like below:



Reveal on Demand


UI Data Protection Masking introduces an intercept point for a user’s access to data based on a determination of authorization. Reveal on Demand constitutes a second intercept, refining and basing authorization on additional conditions. This feature provides an additional level of data protection in SAP GUI by masking the field value by default, irrespective of whether the user is authorized to view the original field value. The authorized user then explicitly chooses the option to reveal the field value on the user interface.

In the case of the Self Service Reveal type, the user can choose the option "Reveal Data" to reveal the field value. When the authorized user reveals the data, a dialog box (which can be configured to display a confirmation message, reason code, and free text) is displayed. The user can view the data by specifying a reason for revealing. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal using the "Hide Data" option.

  • To unmask the Social Security Number field using the Reveal on Demand feature, follow the given path –


In PA30 transaction “Display Personal Data” screen, click on “Help” -> “Reveal Data” option.




  • On Reveal on Demand wizard in Field Selection (Step 1), select “ID number” field by clicking on "Select" checkbox, and click on “Next” button.





  • On Reveal on Demand wizard in Reveal Attribute (Step 2), click on "Next" button.





  • On Reveal on Demand wizard in Enter Reason (Step 3), select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on “Submit” button.





  • On Reveal on Demand wizard in Summary step, click on "OK" button





  • Field value will get unmasked for “Social Security Number” field.





  • To mask the field values again, follow the given path –


In PA30 transaction “Display Personal Data” screen, click on “Help” -> “Hide Data” option.




  • On Reveal on Demand wizard in Hide Sensitive Data screen, select “ID number” field by clicking on "Select" checkbox, and click on “Hide Data” button.





  • The “Social Security Number” field will again appear as masked.



Prerequisite


UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

Requirement


Here, we want to configure masking for Social Security Number field in Infotype 2 (Personal Data) in transaction PA30 using Role-based authorization concept with Self Service Reveal type based on Enhanced Reveal method.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin!


Basic Settings for Reveal on Demand


To enable the Reveal on Demand feature, follow the below given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags

Follow below mentioned steps:

  • Select the “Reveal on Demand” checkbox to enable the Reveal on Demand functionality.

  • Once you have enabled Reveal on Demand feature, set the Reveal Method as Enhanced Reveal.




Maintain Reveal on Demand Configuration


If the Reveal Method is set as Enhanced Reveal, the following settings need to be maintained –

Timeout Period: Applies to Self Service scenarios and specifies how long, in minutes, the requesting user will be allowed to access the revealed data.

Validity Period: Applies to Workflow scenarios and specifies how long, in days, the requesting user will be allowed to access the revealed data. This default value can be changed by the requesting user and the approver as needed.

Follow the below given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reveal on Demand Configuration



Maintain Reason Codes


Reason Codes need to be maintained. They appear in the Reason field, and the user must select one of them when revealing the data of UI fields configured for masking.

Follow the below given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reason Codes



Configuration to achieve masking for Social Security Number field


Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Logical Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow below mentioned steps:

Under “Maintain Logical Attributes”, maintain following logical attribute.

Social Security Number

  • Click on “New Entries” button

  • Enter “Logical Attribute” as “LA_SOCSECNO”

  • Enter “Description” as “Social Security Number”

  • Select “Is Sensitive” checkbox

  • Click on “Save” button




Maintain Technical Address

To mask the fields on SAP GUI Module Pool screens, Technical Information (Program Name-Screen Number-Field Name) is required which users can get by pressing “F1” on the field.


Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “SAP GUI (Module Pool) Field Mapping”, maintain technical address for following field.

  • Click on “New Entries” button

  • Enter “Program Name” as “MP000200”

  • Enter “Screen Number” as “2010”

  • Enter “Field Name” as “Q0002-PERID”

  • Enter “Logical Attribute” as “LA_SOCSECNO”

  • Click on “Save” button



Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:

Social Security Number

  • Click on “New Entries” button

  • Enter “Sensitive Entity” as “LA_SOCSECNO” and press “Enter” key. “Description” will get populated in corresponding fields

  • Check “Enable Configuration” checkbox

  • Select “Role Based Authorization” option

  • Enter “PFCG Role” as “/UISM/ALL”. The role “/UISM/ALL” must be assigned to the logged-in user. Customers can use any role as per their requirement.

  • Enter “Field Level Action” as “MASK_FIELD”

  • Check "Reveal on Demand" checkbox

  • Select "Reveal Type" as "Self Service"

  • Click on “Save” button
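
The two intercepts configured above (role check first, then masked-by-default with a timed Self Service reveal) can be traced with the following simplified model. It is an added illustration, not SAP's implementation or code from this blog; the 5-minute timeout, the sample value "000-00-0000", the all-asterisk mask and every function and class name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class MaskingConfig:
    sensitive_entity: str = "LA_SOCSECNO"      # from the walkthrough
    pfcg_role: str = "/UISM/ALL"               # from the walkthrough
    reveal_on_demand: bool = True              # "Reveal on Demand" checkbox
    timeout_minutes: int = 5                   # constructed sample value
    reason_codes: tuple = ("DVA Data Verification",)

@dataclass
class Session:
    roles: frozenset
    revealed_until: dict = field(default_factory=dict)  # entity -> expiry (minutes)

def mask(value):
    # Assumption: every character is replaced by an asterisk.
    return "*" * len(value)

def display(cfg, session, value, now):
    """What the field shows at time `now` (minutes since logon)."""
    if cfg.pfcg_role not in session.roles:
        return mask(value)                     # first intercept: authorization
    if not cfg.reveal_on_demand:
        return value                           # plain role-based masking
    if now < session.revealed_until.get(cfg.sensitive_entity, 0):
        return value                           # inside an active reveal window
    return mask(value)                         # second intercept: masked by default

def reveal(cfg, session, reason, now):
    """Self Service reveal: needs the role and a maintained reason code."""
    if cfg.pfcg_role not in session.roles or not cfg.reveal_on_demand:
        return False
    if reason not in cfg.reason_codes:
        return False
    session.revealed_until[cfg.sensitive_entity] = now + cfg.timeout_minutes
    return True

def hide(cfg, session):
    """'Hide Data': end the reveal window before the timeout."""
    session.revealed_until.pop(cfg.sensitive_entity, None)

def demo():
    cfg, ssn = MaskingConfig(), "000-00-0000"  # constructed sample value
    hr, other = Session(frozenset({"/UISM/ALL"})), Session(frozenset())
    ok = cfg.reason_codes[0]
    return [display(cfg, other, ssn, 0), reveal(cfg, other, ok, 0),
            display(cfg, hr, ssn, 0), reveal(cfg, hr, ok, 0),
            display(cfg, hr, ssn, 4), display(cfg, hr, ssn, 5)]

if __name__ == "__main__":
    print(demo())
```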



Conclusion

In this blog post, we have learnt how Role-based masking with Reveal on Demand of Self Service Reveal type based on Enhanced Reveal method is configured for “Social Security Number” field in transaction PA30.