SAP UI Masking is a tool that sits between the database and GUI to protect the sensitive data. Basically the tool works at the presentation layer which can be used for making a field display only, mask using a pattern or completely hide the field itself without impacting the application layer that runs the business processes.

Attribute Based Masking: ABAC Policy cockpit is the feature in the product that offers many ways to protect the sensitive data like Hiding, disabling or masking the field as the per the requirement.

In below example, we will use Attribute Based Masking on field STREET with respect to transaction codes BP and BUP3 but masking will use derived attribute and value range for category US1 to implement the logic.

If the data in the field STCD1 is further categorized by type US1 (SSN) and US2 (General Data) then Attribute based masking will be the solution and it will mask only if the category is of type US1.

Business Scenario: Business Partner data is deemed as highly sensitive which is common in many organizatons. Users who have access to business partner data like transactions BP and BUP3 see much more than they are authorized to see. There is a growing concern among the organizations to protect the data of their employees, customers and suppliers. At the same time many departments need access to display BUP3/BP hence securing the data based on context is legitimate case for using UI Masking and data protection.

BP Address Without Masking

BP Address with Masking

Prequisite: Add-on UISM100 must be installed first in the system to achieve Field level Masking

Configuration Steps:

Configure Technical Information (Table Name-Field Name) of field in masking configuration.

The Technical Address of a GUI field can be find by pressing “F1” on the field.

F1 Technical Information

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA –> Maintain Metadata Configuration

• Maintain Logical Attributes
• Maintain Technical Address

Under Maintain Logical Attributes –> Click on New Entries

Logical Attribute

Click on Maintain Technical Address –> Click on new entries

Maintain Technical Attribute

• Enter the table, field name, and Logical Attribute. C
• Select the row and click on Mass Configuration
• Select all and Generate Customizing
• Save

Click on Maintain Attributes and Ranges for Policy

Derived Attribute

Value Range

Go to SE24 and create the class with following code changes that applies to tables and t-code fields based on context

Masking Class

Data Protection Configuration

Click on Maintain Policy Details for Attribute-Based Authorizations

ABAC Policy

Assign the above policy to the Logical Attribute which is tied to the fields where masking needs to be switched on.

Conclusion: Street address is masked based on derived attribute based on category of type US1 in BP and BUP3

Please share your thoughts and feedback in a comment.

Related topics – link from the text

Ask questions about field masking for SAP GUI and follow https://answers.sap.com/tags/67838200100800005192

Read other field masking for SAP GUI and follow blog posts https://blogs.sap.com/tags/67838200100800005192