Introduction
In this blog post, we will learn how to mask "
MATNR" field value in
IDoc documents in transaction
WE05.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
After configuration, unauthorized users will get the below mentioned result. However, in our scenario, only "
MATNR" field is sensitive and only this fields value need to be masked. So, there is a need to implement a
BAdI which will only mask this particular field value:
Prerequisite
“
Field Masking for SAP GUI” is a solution to protect sensitive data on
SAP GUI screens at field level.Product “
Field Masking for SAP GUI” is delivered to customer as add-on (
UIM 100). To achieve Role based masking, Add-on
UIM 100 must be installed in customer system.
Requirement
Role based masking is required to mask "
MATNR" field value in
IDoc documents in transaction
WE05.
Maintain Masking configuration
Configure Technical Information (
Table Name-Field Name) of field in masking configuration.
You can get the Technical Address of a GUI field by pressing “
F1” on the field.
Follow the given path and maintain following entries:
SPRO -> SAP NetWeaver -> Field Masking for SAP GUI -> Masking Configuration->Maintain Masking Configuration
Maintain Program and Screen Details
For the above entry, “
Program and Screen Details” need to be maintained.
Follow below mentioned steps:
- Select the entry maintained above
- Double-Click on “Program and Screen Details” option
- Enter "Program Name" as “IDOC_TREE_CONTROL”
- Enter "Screen Number" as “0100”
- Enter "Field Name" as "INT_SEG-STRING"
- Click on "Save" button to save the information
- Select the entry maintained in above step
- Click on “Regenerate Programs” button
What is Context based Masking?
Attributes that deal with time, location or dynamic aspects is called
Context (environment)
attribute. Masking a field based on context attribute is called
Context based-masking.
e.g. – Masking the salary of employees who belong to Germany.
Context based masking is also possible in
IDoc document in transaction
WE05. To achieve Context based masking, implementation of
BAdI is required. In the given scenario, only "
Material Number" field is sensitive and its value need to be masked.
BAdI Implementation
Context-based masking can be achieved by implementing Masking BAdI
/UIM/BD_MASKING.
Create BAdI implementation for method
PREPARE_MASK_DATA under Class
ZCL_BADI_IDOC.
Sample code is given below –
METHOD /uim/if_uisecurity~prepare_mask_data.
DATA lv_varname TYPE string.
FIELD-SYMBOLS: <fs_segment> TYPE any,
<fieldname> TYPE any.
lv_varname = '(IDOC_TREE_CONTROL)INT_SEG'.
ASSIGN (lv_varname) TO <fs_segment>.
IF <fs_segment> IS ASSIGNED.
ASSIGN COMPONENT 'FIELDNAME' OF STRUCTURE <fs_segment> TO <fieldname>.
IF <fieldname> IS ASSIGNED
AND <fieldname> NE 'MATNR'.
cs_mask_data-auth_flag = abap_true.
cs_mask_data-masked_val = cs_mask_data-original_val.
ENDIF.
ENDIF.
ENDMETHOD.
In this case, the end result for unauthorized users will look like below where "
MATNR" field value will appear as masked and other field values will appear as unmasked:
Conclusion
In this blog post, we have learnt how
Role-based masking is achieved to mask fields in
IDoc document in transaction
WE05.