In this blog post, we will learn how to achieve Data-element-based masking via an enhanced approach released as part of FP04 of UI Data Protection Masking for SAP S/4HANA. This new approach addresses two long-standing customer requests:
Removal of the dependency on manual execution of utilities such as "Mass Configuration" and "Generate Programs"
Automatic protection of new and updated programs that refer to already configured Data-elements.
Until now, to achieve masking and blocking in SAP GUI transactions, the UI Data Protection Masking solution required manual tasks to be executed in the customer landscape. These manual activities, known as "Mass Configuration" and "Generate Programs", made the configuration complex and time-consuming.
Taking customer feedback into account, the latest release introduces an enhanced approach that removes the dependency on these additional manual activities.
The new approach explained in this blog also means that a customer who wants system-wide protection via Data-element-based configuration can achieve it with a minimum of configuration steps. Sensitive data on transactions/screens that are developed or changed in future is protected automatically, provided those screens refer to the same data element.
For example, if you want system-wide masking for "Bank Account Number", then with the enhanced Data-element-based approach explained in this blog:
Bank Account will be masked on all existing transactions/screens.
Bank Account will also be masked automatically on future transactions/screens that are introduced via an upgrade or a custom development.
Note: You are still responsible for testing such new transactions/screens to ensure that your system has the required security in place; automatic protection does not replace that verification.
You need to be on the latest Support Package of the UI Data Protection Masking solution for SAP ECC and SAP S/4HANA released in 2023.
The "Global Flag for Automatic Protection Based on Data Elements" must be switched on in SPRO. The detailed steps to switch on this flag are given later in this blog.
Here, we want to configure masking for the "Order Quantity" field on the Item detail tab of transaction VA03 using the Role-based authorization concept. A PFCG Role is used for the authorization check: users who have the specified role can view the field value. If a user does not have this role, the user is not authorized and the data is protected by masking, clearing, or disabling the field.
There are two Order Quantity fields on this tab: one on the form and the other in the table control.
Note: For simplicity, we have taken two fields on the same screen, but the fields could be on different transactions/screens as well. In a real-world scenario, a field that needs to be protected typically appears on many different transactions/screens.
The technical information of the two fields, in the form "Program Name-Screen Number-Field Name", is different, but the Data Element is the same. The field on the form has the technical address "SAPMV45A-4480-RV45A-KWMENG" and the field in the table control has "SAPMV45A-4900-RV45A-KWMENG", but both share the same Data Element "KWMENG".
In this scenario, we will use Data Element "KWMENG" to configure masking for the Order Quantity field without executing the Mass Configuration and Generate Programs utilities. We will use the "Global Flag for Automatic Protection Based on Data Elements" functionality to achieve masking without generating the customizing entries for the data element.
Enable Global Flag for Automatic Protection Based on Data Elements
To enable the Automatic Protection Based on Data Elements feature, follow this path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags
Then follow these steps:
Select the "Enable" checkbox under the Global Flag for Automatic Protection Based on Data Elements section.
A pop-up with the message "Data-element based masking and blocking will be enabled without the need for mass configuration." is displayed.
Choose "Yes" on the pop-up to enable the functionality, then click the "Save" button to save the changes made on the Maintain Global Flags screen.
Configuration to achieve masking for Order Quantity field
Maintain Sensitive Attributes
A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.
Click on Add icon
Enter “LA_ORDER_QTY” in Sensitive Attribute field
Enter “Order Quantity” in Description field
Click on “Create” button
Sensitive Attribute with specified details will be created.
Maintain Mapping to Technical Addresses
In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.
Under Technical Mapping > Data Elements, choose the Add icon.
Use the value help to select the Data Element name (KWMENG in this scenario). Entering the application or transaction codes in the Comments field makes the mapping easier to identify later.
In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.
To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.
Select the Role-Based authorization concept. For role-based authorization, use the value help to select a PFCG role.
Select a field-level action (mask, clear, or disable) to determine what unauthorized users see. Users with the selected PFCG role have access to the original values.
Save the configuration.
Masking in VA03 transaction when “Automatic Protection Based on Data Elements” feature is enabled
Since the "Automatic Protection Based on Data Elements" feature is enabled, both "Order Quantity" fields, the one on the form and the one in the table control, appear masked for unauthorized users, that is, for users who do not have the selected PFCG role.
If this automatic protection is not enabled, Data Element based masking and blocking in SAP GUI transactions can still be configured by running the Mass Configuration.
Automatic masking or blocking only works if the sensitive field on the screen is tied to a Data Element. You can check this for any field in SAP GUI by placing the cursor on the field, pressing F1 and opening Technical Information: the Data Element is shown there, and a field whose screen element is typed directly (no data element) is not covered by this feature.
By default, data blocking and masking are not enabled for selection screens in SAP GUI transactions.
This functionality does not currently support SAPUI5/SAP Fiori applications. Mass Configuration still needs to be executed for these.
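To make the difference between per-address and data-element-based configuration concrete, and to show the effect of the "tied to a Data Element" limitation, the following small Python model is added to this post. It is not SAP code and does not reproduce the solution's internals; it only models the decision described above. The two technical addresses and the data element KWMENG are taken from the VA03 scenario; the ZDEMO field, the role name Z_VIEW_ORDER_QTY and the rendering of each field-level action are constructed assumptions.

```python
# Added example (not SAP's code): a model of how a data-element mapping reaches
# every screen field sharing that data element, how per-address entries from
# Mass Configuration behave, and how the PFCG role check decides what is shown.
from dataclasses import dataclass, field

# Constructed catalogue of screen fields: technical address -> data element.
# The two KWMENG addresses are the ones quoted in this blog; the ZDEMO entry is
# a constructed field whose screen element uses a built-in type and therefore
# is not tied to any data element.
SCREEN_FIELDS = {
    "SAPMV45A-4480-RV45A-KWMENG": "KWMENG",   # Order Quantity on the form (VA03)
    "SAPMV45A-4900-RV45A-KWMENG": "KWMENG",   # Order Quantity in the table control
    "ZDEMO-0100-ZDEMO-QTY_RAW": None,         # constructed: no data element
}


@dataclass
class SensitiveAttribute:
    """The pieces maintained in Manage Sensitive Attributes, as modelled here."""
    name: str                                              # e.g. LA_ORDER_QTY
    data_elements: set = field(default_factory=set)        # Technical Mapping > Data Elements
    technical_addresses: set = field(default_factory=set)  # entries Mass Configuration would generate
    pfcg_role: str = ""                                    # role-based authorization concept
    action: str = "mask"                                   # field-level action: mask | clear | disable


def is_protected(attr, address, auto_protection_enabled):
    """Does the configuration reach this technical address?

    A per-address entry always applies. A data-element mapping applies only when
    the global flag is on AND the screen field is tied to a data element; a field
    with a built-in type falls through unprotected.
    """
    if address in attr.technical_addresses:
        return True
    if not auto_protection_enabled:
        return False
    data_element = SCREEN_FIELDS.get(address)
    return data_element is not None and data_element in attr.data_elements


def render_field(attr, address, value, user_roles, auto_protection_enabled=True):
    """Return (displayed_value, input_enabled) for a user with the given roles.

    Renderings are this model's assumptions: 'mask' replaces every character
    with '*', 'clear' shows an empty value, 'disable' keeps the value but blocks
    input (the blog's 'blocking').
    """
    if not is_protected(attr, address, auto_protection_enabled):
        return value, True
    if attr.pfcg_role in user_roles:          # authorized: original value
        return value, True
    if attr.action == "mask":
        return "*" * len(value), False
    if attr.action == "clear":
        return "", False
    if attr.action == "disable":
        return value, False
    raise ValueError(f"unknown field-level action {attr.action!r}")


def demo():
    """The VA03 scenario: one data-element mapping, no per-address entries."""
    order_qty = SensitiveAttribute(
        name="LA_ORDER_QTY",
        data_elements={"KWMENG"},
        pfcg_role="Z_VIEW_ORDER_QTY",   # assumed role name
    )
    form = "SAPMV45A-4480-RV45A-KWMENG"
    table = "SAPMV45A-4900-RV45A-KWMENG"
    return {
        "form_unauthorized": render_field(order_qty, form, "10,000", set()),
        "table_unauthorized": render_field(order_qty, table, "25", set()),
        "form_authorized": render_field(order_qty, form, "10,000", {"Z_VIEW_ORDER_QTY"}),
        "flag_off": render_field(order_qty, form, "10,000", set(), auto_protection_enabled=False),
        "no_data_element": render_field(order_qty, "ZDEMO-0100-ZDEMO-QTY_RAW", "7", set()),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Running the model shows the two behaviours the caveats above describe: with the global flag off, the data-element mapping alone protects nothing, and only a per-address entry in `technical_addresses` (what Mass Configuration generates) would; with the flag on, both KWMENG addresses are masked for a user without the role, while the constructed field without a data element stays visible.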
In this blog post, we have learnt how Role-based masking is achieved for a field in a Module Pool program using its Data Element, without executing the Mass Configuration and Generate Programs utilities.