SAP Field Masking

Posted by Fabio Mambretti on Mar 25, 2022 12:00:00 AM

For reasons of internal policies or regulations it may be necessary to make some data inside of SAP anonymous. There are many ways to do this. The first elements we need to consider are:

  • Which data needs to be anonymous
  • In which systems/environments
  • Which users to authorize
  • How to monitor the compliance of the created segregation

SAP DATA Masking

After a good assessment, how to proceed and which tool to use will be clear. One of the tools that SAP makes available is Field Masking (see also this video on the SAP site: https://www.sap.com/assetdetail/2017/01/a4d972a3-a37c-0010-82c7-eda71af511fa.html).

This product is paid and is made up of two components:

  • SAP UI Masking
  • SAP UI Logging

 

The SAP UI Masking tool masks sensitive data with star symbols (****). This level of masking works in the process before output (BPO), so the data in the SAP tables is not modified.

 

The example below shows remuneration data in transaction PA20.

Data not hidden:

[Screenshot: grpd 1]

Data hidden:

[Screenshot: grpd 3]

 

Through a specific report transaction (/UIM/VIEW_FAT) it’s also possible to see who displayed what data (in either hidden or non-hidden format). This function can also be used on various front-end technologies:

  • SAP GUI
  • Web Dynpro ABAP
  • CRM Web Client
  • RFC/BAPI Web Service
  • UI5 FIORI

 

When the UI Logging component is activated, a connection to a SIEM (Security Information and Event Management) system becomes crucial for highlighting only the events regarded as important.

 

From a SAP terminology standpoint it’s crucial to highlight the difference between Masking and Scrambling.

 

  • The former, masking, relates to the product above or to transaction SDMSK (which is not subject to an extra SAP license). In this case SAP is referring to the masking of data in production environments. Data is not modified at the database level; it’s just made anonymous when presented to the user.
  • With the latter, scrambling, SAP refers to changing the data directly in the database, hence in a non-production environment. See the SAP TDMS (Test Data Migration Server) product.

 

These components can be used from a GDPR standpoint or for the protection of specific organizational data.

 

Do you want to better understand how to go about a project of data masking? Which are the most important aspects to consider? Which are the standard solutions (SAP and non-SAP) and the paid ones, pros and cons?

 

Blog post originally translated from: https://www.aglea.com/blog/sap-field-masking

Topics: SAP GDPR, UI logging, UI Masking
