Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
AmitKrSingh
Product and Topic Expert
Product and Topic Expert
1,749

Introduction


In this blog post, we will learn how to mask "MATNR" field value in IDoc documents in transaction WE05.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

After configuration, unauthorized users will get the below mentioned result. However, in our scenario, only "MATNR" field is sensitive and only this fields value need to be masked. So, there is a need to implement a BAdI which will only mask this particular field value:



Prerequisite


Field Masking for SAP GUI” is a solution to protect sensitive data on SAP GUI screens at field level.Product “Field Masking for SAP GUI” is delivered to customer as add-on (UIM 100). To achieve Role based masking, Add-on UIM 100 must be installed in customer system.

Requirement


Role based masking is required to mask "MATNR" field value in IDoc documents in transaction WE05.

Maintain Masking configuration


Configure Technical Information (Table Name-Field Name) of field in masking configuration.

You can get the Technical Address of a GUI field by pressing “F1” on the field.



Follow the given path and maintain following entries:


SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration->Maintain Masking Configuration



Maintain Program and Screen Details


For the above entry, “Program and Screen Details” need to be maintained.
Follow below mentioned steps:


  • Select the entry maintained above

  • Double-Click on “Program and Screen Details” option





  • Enter "Program Name" as “IDOC_TREE_CONTROL

  • Enter "Screen Number" as “0100

  • Enter "Field Name" as "INT_SEG-STRING"

  • Click on "Save" button to save the information





  • Select the entry maintained in above step

  • Click on “Regenerate Programs” button




What is Context based Masking?


Attributes that deal with time, location or dynamic aspects is called Context (environment) attribute. Masking a field based on context attribute is called Context based-masking.

e.g. – Masking the salary of employees who belong to Germany.

Context based masking is also possible in IDoc document in transaction WE05. To achieve Context based masking, implementation of BAdI is required. In the given scenario, only "Material Number" field is sensitive and its value need to be masked.

BAdI Implementation


Context-based masking can be achieved by implementing Masking BAdI /UIM/BD_MASKING.

Create BAdI implementation for method PREPARE_MASK_DATA under Class ZCL_BADI_IDOC.

Sample code is given below –


METHOD /uim/if_uisecurity~prepare_mask_data.
DATA lv_varname TYPE string.
FIELD-SYMBOLS: <fs_segment> TYPE any,
<fieldname> TYPE any.

lv_varname = '(IDOC_TREE_CONTROL)INT_SEG'.
ASSIGN (lv_varname) TO <fs_segment>.
IF <fs_segment> IS ASSIGNED.
ASSIGN COMPONENT 'FIELDNAME' OF STRUCTURE <fs_segment> TO <fieldname>.
IF <fieldname> IS ASSIGNED
AND <fieldname> NE 'MATNR'.
cs_mask_data-auth_flag = abap_true.
cs_mask_data-masked_val = cs_mask_data-original_val.
ENDIF.
ENDIF.
ENDMETHOD.

In this case, the end result for unauthorized users will look like below where "MATNR" field value will appear as masked and other field values will appear as unmasked:



Conclusion


In this blog post, we have learnt how Role-based masking is achieved to mask fields in IDoc document in transaction WE05.
2 Comments