Configuration Guide Document Version: 1.1 – Final Date: May 21, 2018 CUSTOMER Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide
Document Version: 1.1 – Final
Date: May 21, 2018
CUSTOMER
Field Masking for Web Dynpro for ABAB
1.0 SP01
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 2
Typographic Conventions
Type Style Description
Example Words or characters quoted from the screen. These include field names, screen titles,
pushbuttons labels, menu names, menu paths, and menu options.
Textual cross-references to other documents.
Example Emphasized words or expressions.
EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, table names, and key concepts of a programming language when they are
surrounded by body text, for example, SELECT and INCLUDE.
Example Output on the screen. This includes file and directory names and their paths, messages,
names of variables and parameters, source text, and names of installation, upgrade and
database tools.
Example Exact user entry. These are words or characters that you enter in the system exactly as they
appear in the documentation.
<Example> Variable user entry. Angle brackets indicate that you replace these words and characters with
appropriate entries to make entries in the system.
EXAMPLE Keys on the keyboard, for example, F2 or ENTER .
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 3
Document History
Version Status Date Change
1.0 Final 2017-11-28
1.1 Final 2018-05-21 Expanded DP&P chapter in security section, 5.2
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 4
Table of Contents
1.1 Purpose and Scope .......................................................................................................................... 5 1.2 Target Audience ............................................................................................................................... 5 1.3 Glossary ........................................................................................................................................... 5 1.4 Related Information .......................................................................................................................... 5 1.5 Important SAP Notes ........................................................................................................................ 6
2 Solution Overview .......................................................................................................7 2.1 System Landscape ........................................................................................................................... 8 2.2 Implementation and Configuration – Basic Settings ......................................................................... 8
2.2.1 Basic Settings ................................................................................................................... 8 2.2.2 Masking Configuration ...................................................................................................... 9 2.2.3 Business Add-Ins (BAdIs) ............................................................................................... 11
3 Business Scenarios ...................................................................................................13 3.1 Field Masking for Web Dynpro for ABAP ........................................................................................ 13
3.1.1 Overview ......................................................................................................................... 13 3.1.2 Technical System Landscape ......................................................................................... 14 3.1.3 Configuration Details....................................................................................................... 14
4 Solution Manager Information .................................................................................15 4.1 Project Administration ..................................................................................................................... 15
4.1.1 System and Application Landscape ................................................................................ 15 4.2 Business Scenarios ........................................................................................................................ 15 4.3 Additional Configuration Details...................................................................................................... 15
5 Security Information .................................................................................................16 5.1 Authorization Concept .................................................................................................................... 16
5.1.1 Roles............................................................................................................................... 16 5.1.2 Authorization Objects ...................................................................................................... 17
5.2 Data Protection and Privacy ........................................................................................................... 17 5.2.1 Generic Fields ................................................................................................................. 17 5.2.2 Glossary.......................................................................................................................... 18 5.2.3 Deletion of Personal Data ............................................................................................... 19
5.3 Security-Relevant Logging and Tracing .......................................................................................... 20 5.4 Dispensable Functions with Impacts on Security............................................................................ 20
6 Operations Information.............................................................................................21
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 5
1.1 Purpose and Scope
The configuration guide provides a central starting point for the technical implementation and configuration of field
masking for Web Dynpro for ABAP. It describes all activities necessary for the implementation and configuration of
field masking for Web Dynpro for ABAP. In addition, this configuration guide provides information about the
components and guides that are required during the implementation process.
This solution supports the following business scenario: field masking for Web Dynpro for ABAP.
1.2 Target Audience
This document is intended for the following target audiences:
• Consultants
• Partners
• Customers
• System administrators
• Business process owners
• Support specialists
1.3 Glossary
Term Abbreviation Definition
Field masking for Web Dynpro for
ABAP
Framework including masking and field access
trace in Web Dynpro ABAP (WDA)
Field access trace Function to trace access of masked fields
1.4 Related Information
• User Guide
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 6
1.5 Important SAP Notes
Recommendation
Make sure that you read the SAP Notes before you start implementing the software. The SAP Notes contain
the latest information about the installation as well as corrections to the installation information.
Also make sure that you have the up-to-date version of each SAP Note, which is available on SAP Service
Marketplace at https://service.sap.com/notes.
SAP Note Number Title
2392399
UIMWDA 100: Master Note for Field Masking for Web Dynpro for ABAP
2392421
UIMWDA 100: Add-On UIMWDA 100 Installation Note
2392440
Release Strategy for ABAP Add-On UIMWDA 100
2392451
UIMWDA 100: Considerations When Using Field Masking for Web Dynpro
for ABAP
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 7
2 Solution Overview
The solution masks and traces access of the data set based on field-level authorization. Just before the Web Dynpro
ABAP screen is displayed, masking and field access trace are enabled based on how the field is configured in Web
Dynpro for ABAP masking and the user’s field-level authorization. Masking does not affect the database layer.
How the data value is masked depends on the field type and character pattern as configured in Customizing.
The following figure provides an overview of the process:
Figure 1: Web Dynpro ABAP Interaction with Masked Interface
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 8
2.1 System Landscape
Recommendation
We strongly recommend that you use a minimal system landscape for test and demo purposes only. For
reasons of performance, scalability, high availability, and security, do not use a minimal system landscape as
your productive landscape. For more information about creating productive system landscapes, see SAP
Service Marketplace at https://service.sap.com.
Logical Component Product (Main Instance) Product Version
SAP_BASIS SAP NetWeaver 700 SP030 (minimum version)
SAP_BASIS SAP NetWeaver 750 SP004 (maximum version)
2.2 Implementation and Configuration – Basic Settings
The configuration guide contains the information necessary for configuring the SAP system to meet customer
requirements. The actual configuration is done in Customizing with the help of the implementation guide (IMG;
transaction SPRO). It covers all steps of the implementation process as well as the SAP standard (factory)
Customizing settings and the system configuration activities. The Customizing activities and their documentation are
structured from a functional perspective.
2.2.1 Basic Settings
2.2.1.1 Maintain Global Masking Switch
In this Customizing activity, you can enable or disable Web Dynpro ABAP masking for a particular client. This
system-level setting activates masking at the highest level. If masking is disabled at this level, masking is not applied
to any of the entries configured.
You maintain the global masking switch in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for
ABAP → Basic Settings → Maintain Global Masking Switch.
For more information on how to use this activity, see the associated Customizing documentation.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 9
2.2.2 Masking Configuration
2.2.2.1 Maintain Masking Pattern
In this Customizing activity, you maintain the masking pattern that determines the way masked values are displayed
on the user interface (UI). Two masking pattern strategies are available, which determine the masking pattern of a
particular field.
o Masking BAdI
If Masking BAdI is selected, the masking string for a field to be displayed on the UI is dynamic and returned
by the BAdI. The BAdI implementation must have the filter value that has the same name as the masking
pattern.
o Masking Pattern Set
If Masking Pattern Set is selected, the original value of the field is masked as per the masking pattern
maintained. You can maintain three masking pattern sets.
Example
If you want to mask the string as *****&&&&&#####, set the position and masking characters as follows:
Set Position Masking Character(s)
Set 1 1 ****
Set 2 6 &&&&&
Set 3 11 #####
The following sample masking patterns are delivered with the product:
Masking Pattern Strategy Description
EXCEPT_ONE BADI Except One
FIRST_FIVE SET First Five
LAST_THREE BADI Last Three
MIDDLE SET Middle
SAMPLE SET Sample Pattern
You maintain the masking pattern in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP
→ Masking Configuration → Maintain Masking Pattern.
For more information on how to use this activity, see the associated Customizing documentation.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 10
2.2.2.2 Maintain Masking Configuration
In this Customizing activity, you maintain the data required to perform field masking. Based on the entries maintained
in the configuration, the system determines whether a field is to be masked. You can specify for a particular field
whether masking is to be applied, as well as the authorization details and masking pattern.
Note
Before you start this activity, you must have maintained the masking pattern strategy in the Customizing
activity Maintain Masking Pattern (for more information, see Maintain Masking Pattern).
To maintain the masking configuration, proceed as follows:
1. In the WD Masking Configuration view, choose New Entries and enter the field values as specified below:
o Application Name: Enter the Web Dynpro ABAP application containing the view in which data is to be
masked.
o Component Name: Enter the Web Dynpro ABAP component containing the view in which data is to be
masked.
o View Name: Enter the view containing the context node in which data is to be masked.
o Description: Enter the text that best describes the entry.
o Application Type: Select whether the application is a Floorplan Manager (FPM) application or WDA
application (default setting).
o Component Configuration: Enter the component configuration name (applies to FPM application only).
o Masking Control: Select this checkbox to enable masking for the fields at application, component, and view
level.
Note
To view the application, component, and view details of a Web Dynpro ABAP screen, right-click anywhere on
the screen and choose Technical Help. The details are shown on the View Element Adapter tab.
2. In the Maintain Field Data view, choose New Entries and enter the attribute details for the field to be masked:
o Field ID: Enter the field name that is to be masked.
o Description: Enter the text that best describes the entry.
o Field Access Tracking: Select whether you want to trace access to this field. The following options are
available:
o Trace If Original Field Value Is Displayed Without Masking
o Always Trace Regardless of Masking
o Never Trace Regardless of Masking
o Masking Control: This checkbox controls masking at application, component, view, and field level. The field is
masked only if this checkbox is selected at both application and field level.
o PFCG Role Name: Enter the PFCG role for the authorization check. The default value is
/UIMWDA/PFCG_ROLE. Only users assigned to the PFCG role entered here can view the original value of the
field.
o Masking Pattern: Specify the masking pattern to be used to replace the content of a field when rendered on
the UI.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 11
You maintain the masking configuration in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for
ABAP→ Masking Configuration → Maintain Masking Configuration.
For more information on how to use this activity, see the associated Customizing documentation.
2.2.2.3 Maintain BAdI Filter Value
In this Customizing activity, you maintain the filter value that is used when the authorization BAdI is called for the
relevant field configured for masking. This allows you to implement customer-specific authorization checks that you
have defined in the BAdI: Authorization Check.
Before you start this activity, you must have maintained the Web Dynpro masking configuration in the Customizing
activity Maintain Masking Configuration.
You maintain the BAdI filter value in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP
→Advanced Configuration→ Maintain BADI Filter Value.
For more information on how to use this activity, see the associated Customizing documentation.
2.2.3 Business Add-Ins (BAdIs)
2.2.3.1 BAdI: Masking Pattern
You can use this BAdI to implement any masking pattern for unauthorized users. The BAdI implementation must be
based on the filtering of the masking pattern maintained for the field in the Web Dynpro ABAP masking configuration.
The BAdI contains the following method:
o EXECUTE_MASKING_PATTERN
This method allows you to implement your own masking pattern to be displayed on the Web Dynpro ABAP
screen for unauthorized users.
You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP→
Business Add-Ins (BAdIs) → BAdI: Masking Pattern.
For more information on how to use this BAdI, see the associated Customizing documentation.
2.2.3.2 BAdI: Authorization Check
You can use this BAdI to perform any authorization check in addition to the authorization check that is carried out as
per the configuration and also to make changes to the final output that is displayed on the screen.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 12
The BAdI implementation must be based on the filter value maintained in the Web Dynpro masking configuration for
the field. The BAdI contains the following methods:
o EXECUTE_AUTHORIZATION
This method allows you to implement your own business logic for authorization checks.
o EXECUTE_VALUE
This method allows you to implement your own business logic to modify the masked value before it is sent to
the Web Dynpro ABAP screen for output.
You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for
ABAP→Business Add-Ins → BAdI: Authorization Check.
For more information on how to use this BAdI, see the associated Customizing documentation.
2.2.3.3 BAdI: Field Access Tracking
You can use this BAdI to change the record saved in the access trace table by the field access trace function.
The BAdI contains the following method:
o EXECUTE_LOGGING
This method allows you to modify the access trace details including the free text that is saved in the access
trace table. You can also save the field value for the fields configured for masking by implementing
CV_SAVE_LOG value flag in the BAdI.
You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP→
Business Add-Ins (BAdIs) → BAdI: Field Access Tracking.
For more information on how to use this BAdI, see the associated Customizing documentation.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 13
3 Business Scenarios
3.1 Field Masking for Web Dynpro for ABAP
The following topics are covered for this business scenario:
o Overview
o Technical system landscape
o Configuration details
3.1.1 Overview
This software consists of the following processes:
3.1.1.1 Web Dynpro ABAP Masking
Web Dynpro ABAP masking allows only users with field-level authorization to view field values. If a user does not
have authorization to view the value for a field, then the data is masked with masking characters. Only users who
have authorization to view the field value can see the original value. The fields configured for masking are masked on
the Web Dynpro ABAP screen.
For masking to happen, you need to follow the process below:
Step 1: Maintain the basic settings as explained in Section 2.2.1.
Step 2: Maintain the masking configuration as explained in Section 2.2.2.
Example
The following is an example of Web Dynpro ABAP masking in a UI table:
CoCd Company Name City
001 #####@@* Walldorf
0MB1 #####@@**erbankDeutschl. Walldorf
AR01 #####@@**emplateAR Argentina
AT01 #####@@**emplateAT Austria
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 14
3.1.1.2 Field Access Trace
Field access trace writes an access trace entry when the user accesses the fields configure for masking. Since the
fields configured for masking are considered important for business, the customer wants to know who, when, and by
which business role these fields are accessed. Field access trace uses the same configuration tables as those used
for field masking for Web Dynpro ABAP and is carried out for Web Dynpro ABAP screens.
The field access trace process is as follows:
Step 1: Field access trace works only if you have maintained fields in the masking configuration by following
the steps described under Section 3.1.1.1.
Step 2: When maintaining the fields in the masking configuration, you need to select one of the following
options in the Field Access Tracking field.
a. Trace If Original Field Value Is Displayed Without Masking
b. Always Trace Regardless of Masking
c. Never Trace Regardless of Masking
Field access trace is then enabled based on the option selected.
Step 3: View and delete the field access trace entries: You can display and delete the access trace entries
from the access trace table using report /UIMWDA/R_VIEW_DEL_UI_FAT.
Details on archiving access trace data are provided in the Application Help.
3.1.2 Technical System Landscape
Refer to Section 2.1
3.1.3 Configuration Details
Refer to Section 2.2
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 15
4 Solution Manager Information
4.1 Project Administration
Field masking for Web Dynpro for ABAP can either be documented in a separate project or embedded in an
existing implementation project.
The documentation language must be English. Documents to be uploaded into SAP Solution Manager must have a
commonly readable format (PDF is recommended).
4.1.1 System and Application Landscape
The following systems are the basis for field masking for Web Dynpro for ABAP
Refer to section 2.1
4.2 Business Scenarios
Refer to Section 3.
4.3 Additional Configuration Details
When data is printed from a UI element table in Web Dynpro for ABAP, the content is not masked in the output. This
is not part of the solution scope.
If at least one UI table column is configured for the masking authorization check, the Print button in the toolbar of the
UI table must also be configured for masking in Customizing to ensure that the Print button is completely disabled.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 16
5 Security Information
Field masking for Web Dynpro for ABAP is based on SAP NetWeaver 700 SP30 and highest level supported is
SAP_BASIS 750 SP04. Therefore, the related guides also apply to field masking for Web Dynpro for ABAP.
For more information about specific security-related topics, see the following resources on SAP Service Marketplace
or SDN:
Topic Quick Link on SAP Service Marketplace or SDN
Security http://service.sap.com/security
http://sdn.sap.com/irj/sdn/security
Platforms http://service.sap.com/platforms
Infrastructure http://service.sap.com/securityguide
→ Infrastructure Security
Related SAP Notes http://service.sap.com/notes
http://service.sap.com/securitynotes
SAP NetWeaver http://sdn.sap.com/irj/sdn/netweaver
http://service.sap.com/security
For a complete list of available SAP Security Guides, see SAP Service Marketplace at
http://service.sap.com/securityguide.
5.1 Authorization Concept
5.1.1 Roles
You can assign the default role /UIMWDA/PFCG_ROLE to the user to whom the required authorization needs to be
provided.
Alternatively, you can also create or use existing PFCG roles and assign these roles to authorized users. You have to
maintain the same role in the configuration corresponding to the Web Dynpro application, component, view,
component configuration (if applicable), and field ID.
Furthermore, you can assign the role to the authorization object /UIMWDA/AO for field access trace.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 17
5.1.2 Authorization Objects
The following table lists the security-relevant authorization objects that are used by field masking for Web Dynpro
for ABAP.
Authorization Object Field Value Description
/UIMWDA/AO ACTVT - Authorization Object for
Web Dynpro Masking
5.2 Data Protection and Privacy
Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with
general data protection and privacy acts, it is necessary to consider compliance with industry-specific legislation in
different countries. SAP provides specific features and functions to support compliance with regard to relevant legal
requirements, including data protection. SAP does not give any advice on whether these features and functions are
the best method to support company, industry, regional, or country-specific requirements. Furthermore, this
information should not be taken as advice or a recommendation regarding additional features that would be required
in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into
consideration the given system landscape and the applicable legal requirements. SAP does not provide legal advice
in any form. SAP software supports data protection compliance by providing security features and specific data
protection-relevant functions, such as simplified blocking and deletion of personal data. In many cases, compliance
with applicable data protection and privacy laws will not be covered by a product feature. Definitions and other terms
used in this document are not taken from a particular legal source.
CAUTION
The extent to which data protection is supported by technical means depends on secure system operation.
Network security, security note implementation, adequate logging of system changes, and appropriate usage
of the system are the basic technical requirements for compliance with data privacy legislation and other
legislation.
The personal or sensitive data is stored by the field masking for Web Dynpro for ABAP solution in the UI Log Table to
Trace Logging of Configured Fields (/UIMWDA/T_UI_FAT). You can mask fields such as the Bank Account Number.
5.2.1 Generic Fields
You need to make sure that no personal data enters the system in an uncontrolled or non-purpose related way, for
example, in free-text fields, through APIs, or customer extensions. Note that these are not subject to the read access
logging (RAL) example configuration.
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 18
5.2.2 Glossary
The following terms are general to SAP products. Not all terms may be relevant for this SAP product.
Term Definition
Blocking A method of restricting access to data for which the
primary business purpose has ended.
Consent
The action of the data subject confirming that the usage
of his or her personal data shall be allowed for a given
purpose. A consent functionality allows the storage of a
consent record in relation to a specific purpose and
shows if a data subject has granted, withdrawn, or
denied consent.
Data subject
An identified or identifiable natural person. An
identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an
identifier such as a name, an identification number,
location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic,
mental, economic, cultural, or social identity of that
natural person.
Deletion
Deletion of personal data so that the data is no longer
available.
End of business Date where the business with a data subject ends, for
example, the order is completed, the subscription is
canceled, or the last bill is settled.
End of purpose (EoP)
End of purpose and start of blocking period. The point in
time when the primary processing purpose ends, for
example, a contract is fulfilled.
End of purpose (EoP) check
A method of identifying the point in time for a data set
when the processing of personal data is no longer
required for the primary business purpose. After the
EoP has been reached, the data is blocked and can
only be accessed by users with special authorization,
for example, tax auditors.
Personal data Any information relating to an identified or identifiable
natural person (a data subject).
Purpose The information that specifies the reason and the goal
for the processing of a specific set of personal data. As
a rule, the purpose references the relevant legal basis
for the processing of personal data.
Residence period
The period of time between the end of business and the
end of purpose (EoP) for a data set during which the
data remains in the database and can be used in case
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 19
Term Definition
of subsequent processes related to the original purpose.
At the end of the longest configured residence period,
the data is blocked or deleted. The residence period is
part of the overall retention period.
Retention period
The period of time between the end of the last business
activity involving a specific object (for example, a
business partner) and the deletion of the corresponding
data, subject to applicable laws. The retention period is
a combination of the residence period and the blocking
period.
Sensitive personal data
A category of personal data that usually includes the
following type of information:
3. Special categories of personal data, such as data
revealing racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union
membership, genetic data, biometric data, data
concerning health or sex life or sexual orientation.
4. Personal data subject to professional secrecy
5. Personal data relating to criminal or administrative
offenses
6. Personal data concerning insurances and bank or
credit card accounts
Where-used check (WUC)
A process designed to ensure data integrity in the case
of potential blocking of business partner data. An
application's where-used check (WUC) determines if
there is any dependent data for a certain business
partner in the database. If dependent data exists, this
means the data is still required for business activities.
Therefore, the blocking of business partners referenced
in the data is prevented.
5.2.3 Deletion of Personal Data
5.2.3.1 Simplified Blocking and Deletion
When considering compliance with data protection regulations, it is also necessary to consider compliance with
industry-specific legislation in different countries. A typical potential scenario in certain countries is that personal data
shall be deleted after the specified, explicit, and legitimate purpose for the processing of personal data has ended,
but only as long as no other retention periods are defined in legislation, for example, retention periods for financial
documents. Legal requirements in certain scenarios or countries also often require blocking of data in cases where
the specified, explicit, and legitimate purposes for the processing of this data have ended, however, the data still has
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 20
to be retained in the database due to other legally mandated retention periods. In some scenarios, personal data also
includes referenced data. Therefore, the challenge for deletion and blocking is first to handle referenced data and
finally other data, such as business partner data.
5.2.3.2 Deletion of Personal Data
The processing of personal data is subject to applicable laws related to the deletion of this data when the specified,
explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a legitimate
purpose that requires the retention and use of personal data, it must be deleted. When deleting data in a data set, all
referenced objects related to that data set must be deleted as well. Industry-specific legislation in different countries
also needs to be taken into consideration in addition to general data protection laws. After the expiration of the
longest retention period, the data must be deleted.
This SAP product might process data (personal data) that is subject to the data protection laws applicable in specific
countries as described in SAP Note 1825544.
In order to ensure that all personal data is protected, Field Masking for Web Dynpro for ABAP stores absolutely no
personal data.
5.3 Security-Relevant Logging and Tracing
The field masking for Web Dynpro for ABAP solution logs data access within the log table. Only authorized users can
access the log data.
5.4 Dispensable Functions with Impacts on Security
Not relevant
Field Masking for Web Dynpro for ABAB 1.0 SP01
Configuration Guide – Version: 1.1 – Final
May 21, 2018
© 2017 SAP SE or an SAP affiliate company. All rights reserved. 21
6 Operations Information
Designing, implementing, and running your SAP applications at peak performance 24 hours a day is vital for your
business success. This chapter contains important information on how to smoothly operate field masking for Web
Dynpro for ABAP. The major topic is monitoring. This chapter describes the tasks to execute and the tools to use.
Field masking for Web Dynpro for ABAP is currently based on SAP NetWeaver 700 SP 30 and highest level support
is SAP_BASIS 750 SP 04. Therefore, the general operations information that is covered in the related operations
guides also applies to field masking for Web Dynpro for ABAP.
For a complete list of available SAP Operations Guides, see SAP Service Marketplace at
http://service.sap.com/instguides.
www.sap.com/contactsap
© 2017 SAP SE or an SAP affiliate company. All rights reserved.