SAP GRC, SAP S/4HANA

UI Data Protection – How to protect sensitive data displayed in PDF Forms

Introduction

In this blog, we will learn how to configure masking in PDF Forms to protect the sensitive information displayed in it.

Adobe Forms are used frequently in SAP to generate Portable Document Format (PDF) files of various business documents like Invoices, Order Confirmations, Account Statements, Purchase orders etc. In this blog, we will see how to configure masking in PDF Forms.

There are two types of Adobe Forms:

  • Old PDF Form Framework
  • New PDF Form Framework

Old PDF Framework Forms:

This is the traditional approach which is used to generate the PDF forms in which each Adobe form has an interface associated with it. Since every PDF form is associated with a unique function module that gets generated when we activate a form/interface, so it is technically not feasible to have a common hook point to trigger masking in such cases. Hence, we have provided a Masking API for PDF Forms that needs to be inserted in PDF Interface’s “Code Initialization” segment.

Here, we use the transaction ME23N to showcase masking of sensitive fields of purchase order.

Let’s get started !!

API Implementation:

UI Data Protection Masking for SAP S/4 HANA” solution provides an API which can be incorporated to mask the required fields in Adobe forms.

Below steps should be followed to implement the API:

  • Go to ‘Code Initialization’ in form Interface and call the API at the end as below:
  • Once the API is called, save, and activate the interface or function module.

Steps to capture sensitive field details and configure Adobe forms for masking:

Activate the “Recording Tool” to capture the technical details of the fields.

This blog refers to the usage of Recording Tool to mask sensitive field in classical reports and similar approach needs to be followed to capture sensitive fields for Adobe Forms.

Post activation of the Recording Tool execute the transaction ME23N, enter PO Number and click on Print Preview button.

The preview of the form is displayed:

Navigate to the recording tool and view the technical fields captured along with their values.

The technical addresses of the fields will be displayed as below:

Using the “Field Value” column, you can identify the values being printed in the output form and can configure a specific field with the help of its technical address.

For instance, the technical address – “MEDRUCK_PO.CONTACTINFO.EKNAM” indicates that MEDRUCK_PO is the form name which is triggered when we “Print Preview” the purchase order, CONTACTINFO is the name of parameter which identifies which fields belongs to which node of the form and EKNAM is the actual field name which needs to be protected.

Alternatively, to find the technical address of a specific field from the form itself, view the form in transaction SFP and navigate to the “Context” tab. All the fields which are printed on the form are in “Active” status.

Here, the “Field” indicates “CONTACTINFO-EKNAME“, maintain the parameter name (Parameter name in Adobe Forms is equivalent to a structure in ABAP) as “CONTACTINFO” and field name as “EKNAM” in the path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address -> PDF Technical Mapping

The use of the Recording Tool is a simplified approach to identify the sensitive fields and one can easily mask the fields using the “Assign Logical Attribute” option.

Assign a logical attribute in the popup screen and provide a customizing transport when prompted and an information message appears on the screen “Records updated“. The logical attribute will be successfully configured for the selected technical address.

Execute the transaction ME23N and the configured field will appear as masked:

The user can also maintain configuration directly by following the below steps:

Create Logical Attribute by following the below path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Maintain configuration of the fields to be masked using the below path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address -> PDF Field Mapping

The data can therefore be protected after maintaining the fields in the configuration:

New PDF Framework Forms:

Unlike the traditional Adobe Forms, the advanced Adobe Form framework uses OData services as data provider to fetch data from the backend system. The OData service converts the data that it fetched from the backend, converts the data into XML format, and returns it to the Adobe layout. Adobe layout uses that XML data to print the form using the concept of binding available on the Adobe layer.

Unlike old framework PDF Forms, we don’t need an explicit API call in every form of New Framework. Generic masking hook takes care of enabling masking in PDF Forms processed using new framework.

Let’s see how to protect the advanced framework PDF forms using below example.

Let’s configure another purchase order for a new framework form and follow the same process.

Activate the Recording Tool to capture the technical field details of the form.

Execute the transaction ME23N and view the recording to display the captured technical fields.

Assign a logical attribute in the popup screen and provide a customizing transport when prompted and an information message appears on the screen “Records Updated“.

The logical attribute will be successfully configured for the selected technical address.

Execute the transaction ME23N and the configured field will appear as masked:

Similarly, other sensitive fields can also be configured for masking by following the above approach:

Leave a Reply

Your email address will not be published. Required fields are marked *