Introduction
In this blog post, we will learn how the “Workflow” Reveal type of Enhanced Reveal method works in SAP GUI. We will explore the configuration process by masking the “Social Security Number” of Employees in Infotype 2 (Personal Data) in transaction PA30.
A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.
The result for unauthorized users will look like below:
Reveal on Demand
UI Data Protection Masking introduces an intercept point for a user’s access to data based on a determination of authorization. Reveal on Demand constitutes a second intercept, refining and basing authorization on additional conditions. This feature provides an additional level of data protection in SAP GUI by masking the field value by default, irrespective of whether the user is authorized to view the original field value. The authorized user then explicitly chooses the option to reveal the field value on the user interface.
In the case of Workflow Reveal type, the user can choose the option “Reveal Data” to reveal the field value. When the authorized user tries to reveal the data, an Approval Request is being generated and sent to the Approver configured on the Masking Configuration screen. The request remains Pending until it is approved by the Approver. The user will be able to view the revealed data once the request is approved. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal using “Hide Data” option.
- To unmask the Social Security Number field information using Reveal on Demand feature, Follow the given Path –
In PA30 transaction “Display Personal Data” screen, click on “Help” -> “Reveal Data” option.
- On Reveal on Demand wizard in Field Selection (Step 1), Reveal Type will be displayed as “Request Approval“. Select “ID number” field by clicking on “Select” checkbox, and click on “Next” button.
- On Reveal on Demand wizard in Reveal Attribute (Step 2), “Valid Until” field will show the date calculated based on the “Workflow Validity” days configured on the Reveal on Demand configuration details screen. User can modify the validity date and click on “Next” button.
- On Reveal on Demand wizard in Enter Reason (Step 3), select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on “Submit” button.
- On Reveal on Demand wizard in Summary step, “Status” will be displayed as “Pending“. click on “OK” button.
- Login to the system using Approver’s login credentials. Open SAP Business Workplace screen. An “Approval Request” will be generated and will be displayed under Workflow section of Inbox on SAP Business Workplace screen.
- Select the Workflow Request and click on “Execute” button
- Set the “Status” as “Approved” or click on “Approve All” button and click on “Save” button
- Approval process will get completed.
- Login to the system using Requestor’s login credentials and execute PA30 transaction.Field value will get unmasked for “Social Security Number” field.
- To Again, mask the Field values, Follow the given path –
In PA30 transaction “Display Personal Data” screen, click on “Help” -> “Hide Data” option.
- On Reveal on Demand wizard in Hide Sensitive Data screen, select “ID number” field by clicking on “Select” checkbox, and click on “Hide Data” button.
- Click on “Continue” button on the pop-up screen.
- “Social Security Number” field will again appear as masked.
Prerequisite
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
Requirement
Here, we want to configure masking for Social Security Number field in Infotype 2 (Personal Data) in transaction PA30 using Role-based authorization concept with Workflow Reveal type based on Enhanced Reveal method.
Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
Let’s begin!
Basic Settings for Reveal on Demand
To enable the Reveal on Demand feature, follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags
Follow below mentioned steps:
- Select the “Reveal on Demand” checkbox to enable the Reveal on Demand functionality.
- Once you have enabled Reveal on Demand feature, set the Reveal Method as Enhanced Reveal
Maintain Reveal on Demand Configuration
If Reveal Method is set as Enhanced Reveal, following settings need to be performed –
Timeout Period: Applies to Self Service scenarios and specifies how long, in minutes, the requesting user will be allowed to access the revealed data.
Validity Period: Applies to Workflow scenarios and specifies how long, in days, the requesting user will be allowed to access the revealed data. This default value can be changed by the requesting user and the approver as needed.
Follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reveal on Demand Configuration
Maintain Reason Codes
Reason Codes need to be maintained which will appear in the Reason field and these Reason Codes need to be selected by the user when data of the UI fields configured for masking is revealed.
Follow the below given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reason Codes
Configuration to achieve masking for Social Security Number field
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes
Follow below mentioned steps:
Under “Maintain Logical Attributes”, maintain following logical attribute.
Social Security Number
- Click on “New Entries” button
- Enter “Logical Attribute” as “LA_SOCSECNO”
- Enter “Description” as “Social Security Number”
- Select “Is Sensitive” checkbox
- Click on “Save” button
Maintain Technical Address
To mask the fields on SAP GUI Module Pool screens, Technical Information (Program Name-Screen Number-Field Name) is required which users can get by pressing “F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “SAP GUI (Module Pool) Field Mapping”, maintain technical address for following field.
- Click on “New Entries” button
- Enter “Program Name” as “MP000200”
- Enter “Screen Number” as “2010”
- Enter “Field Name” as “Q0002-PERID”
- Enter “Logical Attribute” as “LA_SOCSECNO”
- Click on “Save” button
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in the above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
Social Security Number
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_SOCSECNO” and press “Enter” key. “Description” will get populated in corresponding fields
- Check “Enable Configuration” checkbox
- Select “Role Based Authorization” option
- Enter “PFCG Role” as “/UISM/ALL“. The role “/UISM/ALL” must be assigned to the logged-in user. Customers can use any role as per their requirement.
- Enter “Field Level Action” as “MASK_FIELD”
- Check “Reveal on Demand” checkbox
- Select “Reveal Type” as “Workflow“
- Enter “Approver Type” as “User“
- Enter “Approver” as “USERNAME”
- Click on “Save” button
