Configuration Guide Document Version: 1.1 Final Date: May 21, 2018 CUSTOMER Field Masking for Web Dynpro for ABAP 1.0 SP01

Dec 20, 2021


dariahiddleston

Configuration Guide

Document Version: 1.1 – Final

Date: May 21, 2018

CUSTOMER

Field Masking for Web Dynpro for ABAB

1.0 SP01

Field Masking for Web Dynpro for ABAP 1.0 SP01

Configuration Guide – Version: 1.1 – Final

May 21, 2018

© 2017 SAP SE or an SAP affiliate company. All rights reserved.

Typographic Conventions

| Type Style | Description |
| --- | --- |
| Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents. |
| Example | Emphasized words or expressions. |
| EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. |
| Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. |
| Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. |
| <Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. |
| EXAMPLE | Keys on the keyboard, for example, F2 or ENTER. |


Document History

| Version | Status | Date | Change |
| --- | --- | --- | --- |
| 1.0 | Final | 2017-11-28 | |
| 1.1 | Final | 2018-05-21 | Expanded DP&P chapter in security section, 5.2 |


Table of Contents

1.1 Purpose and Scope
1.2 Target Audience
1.3 Glossary
1.4 Related Information
1.5 Important SAP Notes

2 Solution Overview
2.1 System Landscape
2.2 Implementation and Configuration – Basic Settings
2.2.1 Basic Settings
2.2.2 Masking Configuration
2.2.3 Business Add-Ins (BAdIs)

3 Business Scenarios
3.1 Field Masking for Web Dynpro for ABAP
3.1.1 Overview
3.1.2 Technical System Landscape
3.1.3 Configuration Details

4 Solution Manager Information
4.1 Project Administration
4.1.1 System and Application Landscape
4.2 Business Scenarios
4.3 Additional Configuration Details

5 Security Information
5.1 Authorization Concept
5.1.1 Roles
5.1.2 Authorization Objects
5.2 Data Protection and Privacy
5.2.1 Generic Fields
5.2.2 Glossary
5.2.3 Deletion of Personal Data
5.3 Security-Relevant Logging and Tracing
5.4 Dispensable Functions with Impacts on Security

6 Operations Information


1.1 Purpose and Scope

The configuration guide provides a central starting point for the technical implementation and configuration of field masking for Web Dynpro for ABAP. It describes all activities necessary for the implementation and configuration of field masking for Web Dynpro for ABAP. In addition, this configuration guide provides information about the components and guides that are required during the implementation process.

This solution supports the following business scenario: field masking for Web Dynpro for ABAP.

1.2 Target Audience

This document is intended for the following target audiences:

• Consultants

• Partners

• Customers

• System administrators

• Business process owners

• Support specialists

1.3 Glossary

| Term | Abbreviation | Definition |
| --- | --- | --- |
| Field masking for Web Dynpro for ABAP | | Framework including masking and field access trace in Web Dynpro ABAP (WDA) |
| Field access trace | | Function to trace access of masked fields |

1.4 Related Information

• User Guide


1.5 Important SAP Notes

Recommendation

Make sure that you read the SAP Notes before you start implementing the software. The SAP Notes contain the latest information about the installation as well as corrections to the installation information.

Also make sure that you have the up-to-date version of each SAP Note, which is available on SAP Service Marketplace at https://service.sap.com/notes.

| SAP Note Number | Title |
| --- | --- |
| 2392399 | UIMWDA 100: Master Note for Field Masking for Web Dynpro for ABAP |
| 2392421 | UIMWDA 100: Add-On UIMWDA 100 Installation Note |
| 2392440 | Release Strategy for ABAP Add-On UIMWDA 100 |
| 2392451 | UIMWDA 100: Considerations When Using Field Masking for Web Dynpro for ABAP |


2 Solution Overview

The solution masks and traces access of the data set based on field-level authorization. Just before the Web Dynpro ABAP screen is displayed, masking and field access trace are enabled based on how the field is configured in Web Dynpro for ABAP masking and the user’s field-level authorization. Masking does not affect the database layer.

How the data value is masked depends on the field type and character pattern as configured in Customizing.

The following figure provides an overview of the process:

Figure 1: Web Dynpro ABAP Interaction with Masked Interface


2.1 System Landscape

Recommendation

We strongly recommend that you use a minimal system landscape for test and demo purposes only. For reasons of performance, scalability, high availability, and security, do not use a minimal system landscape as your productive landscape. For more information about creating productive system landscapes, see SAP Service Marketplace at https://service.sap.com.

| Logical Component | Product (Main Instance) | Product Version |
| --- | --- | --- |
| SAP_BASIS | SAP NetWeaver | 700 SP030 (minimum version) |
| SAP_BASIS | SAP NetWeaver | 750 SP004 (maximum version) |

2.2 Implementation and Configuration – Basic Settings

The configuration guide contains the information necessary for configuring the SAP system to meet customer requirements. The actual configuration is done in Customizing with the help of the implementation guide (IMG; transaction SPRO). It covers all steps of the implementation process as well as the SAP standard (factory) Customizing settings and the system configuration activities. The Customizing activities and their documentation are structured from a functional perspective.

2.2.1 Basic Settings

2.2.1.1 Maintain Global Masking Switch

In this Customizing activity, you can enable or disable Web Dynpro ABAP masking for a particular client. This system-level setting activates masking at the highest level. If masking is disabled at this level, masking is not applied to any of the entries configured.

You maintain the global masking switch in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Basic Settings → Maintain Global Masking Switch.

For more information on how to use this activity, see the associated Customizing documentation.


2.2.2 Masking Configuration

2.2.2.1 Maintain Masking Pattern

In this Customizing activity, you maintain the masking pattern that determines the way masked values are displayed on the user interface (UI). Two masking pattern strategies are available, which determine the masking pattern of a particular field.

• Masking BAdI
  If Masking BAdI is selected, the masking string for a field to be displayed on the UI is dynamic and returned by the BAdI. The BAdI implementation must have the filter value that has the same name as the masking pattern.
• Masking Pattern Set
  If Masking Pattern Set is selected, the original value of the field is masked as per the masking pattern maintained. You can maintain three masking pattern sets.

Example

If you want to mask the string as *****&&&&&#####, set the position and masking characters as follows:

| Set | Position | Masking Character(s) |
| --- | --- | --- |
| Set 1 | 1 | **** |
| Set 2 | 6 | &&&&& |
| Set 3 | 11 | ##### |

The following sample masking patterns are delivered with the product:

| Masking Pattern | Strategy | Description |
| --- | --- | --- |
| EXCEPT_ONE | BADI | Except One |
| FIRST_FIVE | SET | First Five |
| LAST_THREE | BADI | Last Three |
| MIDDLE | SET | Middle |
| SAMPLE | SET | Sample Pattern |

You maintain the masking pattern in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Masking Configuration → Maintain Masking Pattern.

For more information on how to use this activity, see the associated Customizing documentation.


2.2.2.2 Maintain Masking Configuration

In this Customizing activity, you maintain the data required to perform field masking. Based on the entries maintained in the configuration, the system determines whether a field is to be masked. You can specify for a particular field whether masking is to be applied, as well as the authorization details and masking pattern.

Note

Before you start this activity, you must have maintained the masking pattern strategy in the Customizing activity Maintain Masking Pattern (for more information, see Maintain Masking Pattern).

To maintain the masking configuration, proceed as follows:

1. In the WD Masking Configuration view, choose New Entries and enter the field values as specified below:
   • Application Name: Enter the Web Dynpro ABAP application containing the view in which data is to be masked.
   • Component Name: Enter the Web Dynpro ABAP component containing the view in which data is to be masked.
   • View Name: Enter the view containing the context node in which data is to be masked.
   • Description: Enter the text that best describes the entry.
   • Application Type: Select whether the application is a Floorplan Manager (FPM) application or WDA application (default setting).
   • Component Configuration: Enter the component configuration name (applies to FPM application only).
   • Masking Control: Select this checkbox to enable masking for the fields at application, component, and view level.

   Note

   To view the application, component, and view details of a Web Dynpro ABAP screen, right-click anywhere on the screen and choose Technical Help. The details are shown on the View Element Adapter tab.

2. In the Maintain Field Data view, choose New Entries and enter the attribute details for the field to be masked:
   • Field ID: Enter the field name that is to be masked.
   • Description: Enter the text that best describes the entry.
   • Field Access Tracking: Select whether you want to trace access to this field. The following options are available:
      • Trace If Original Field Value Is Displayed Without Masking
      • Always Trace Regardless of Masking
      • Never Trace Regardless of Masking
   • Masking Control: This checkbox controls masking at application, component, view, and field level. The field is masked only if this checkbox is selected at both application and field level.
   • PFCG Role Name: Enter the PFCG role for the authorization check. The default value is /UIMWDA/PFCG_ROLE. Only users assigned to the PFCG role entered here can view the original value of the field.
   • Masking Pattern: Specify the masking pattern to be used to replace the content of a field when rendered on the UI.

You maintain the masking configuration in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Masking Configuration → Maintain Masking Configuration.

For more information on how to use this activity, see the associated Customizing documentation.
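
The masking decision described in sections 2.2.1.1 to 2.2.2.2, modelled in Python as an added example; it is not SAP code and not part of the guide. The overlay behaviour (uncovered characters stay visible, a set is cut off at the end of the value) and the point at which the trace option is evaluated are assumptions inferred from the guide's text and its UI table example; all names, field IDs and sample values are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Trace(Enum):
    """The three Field Access Tracking options named in the guide."""
    IF_UNMASKED = "Trace If Original Field Value Is Displayed Without Masking"
    ALWAYS = "Always Trace Regardless of Masking"
    NEVER = "Never Trace Regardless of Masking"


@dataclass(frozen=True)
class FieldConfig:
    """One field entry; attribute names are hypothetical, not SAP table fields."""
    field_id: str
    app_masking_control: bool    # Masking Control at application/component/view level
    field_masking_control: bool  # Masking Control at field level
    pfcg_role: str               # only holders of this role see the original value
    pattern_sets: tuple          # up to three (1-based position, masking characters)
    trace: Trace


def apply_pattern_sets(value, pattern_sets):
    """Overlay each set's masking characters on the value at its position.

    Assumption: characters not covered by a set stay visible, and a set that
    runs past the end of the value is cut off there.
    """
    if len(pattern_sets) > 3:
        raise ValueError("at most three masking pattern sets can be maintained")
    chars = list(value)
    for position, mask in pattern_sets:
        if position < 1:
            raise ValueError("positions are 1-based")
        for offset, mask_char in enumerate(mask):
            index = position - 1 + offset
            if index >= len(chars):
                break
            chars[index] = mask_char
    return "".join(chars)


def render_field(value, cfg, user_roles, global_switch):
    """Return (text shown on the screen, True if an access trace entry is written)."""
    masking_active = (global_switch and cfg.app_masking_control
                      and cfg.field_masking_control)
    masked = masking_active and cfg.pfcg_role not in user_roles
    shown = apply_pattern_sets(value, cfg.pattern_sets) if masked else value
    if cfg.trace is Trace.ALWAYS:
        traced = True
    elif cfg.trace is Trace.NEVER:
        traced = False
    else:
        # Assumption: evaluated on the outcome, whatever left the value unmasked.
        traced = not masked
    return shown, traced


def review_config(configs, global_switch):
    """List (field_id, finding) pairs for entries that do not protect the field."""
    findings = []
    for cfg in configs:
        if not global_switch:
            findings.append((cfg.field_id, "global masking switch is off"))
        elif not (cfg.app_masking_control and cfg.field_masking_control):
            findings.append((cfg.field_id, "Masking Control not set at both levels"))
        if cfg.trace is Trace.NEVER:
            findings.append((cfg.field_id, "access is never traced"))
        if sum(len(mask) for _, mask in cfg.pattern_sets) == 0:
            findings.append((cfg.field_id, "pattern sets mask no characters"))
    return findings


# Constructed sample data: pattern sets shaped like the guide's UI table example.
SAMPLE_SETS = ((1, "#####"), (6, "@@"), (8, "**"))
BANK_NAME = FieldConfig("BANK_NAME", True, True, "/UIMWDA/PFCG_ROLE",
                        SAMPLE_SETS, Trace.IF_UNMASKED)
IBAN = FieldConfig("IBAN", True, False, "/UIMWDA/PFCG_ROLE",
                   SAMPLE_SETS, Trace.NEVER)

if __name__ == "__main__":
    print(render_field("Example Bank AG", BANK_NAME, {"Z_CLERK"}, True))
    print(render_field("Example Bank AG", BANK_NAME, {"/UIMWDA/PFCG_ROLE"}, True))
    print(render_field("ACME Ltd", BANK_NAME, set(), True))
    for finding in review_config([BANK_NAME, IBAN], True):
        print(finding)
```

The IBAN entry shows the case worth checking in a real configuration: a field that is listed for masking but has the field-level Masking Control checkbox unset is displayed in full to every user, and with Never Trace selected that access leaves no trace entry.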

2.2.2.3 Maintain BAdI Filter Value

In this Customizing activity, you maintain the filter value that is used when the authorization BAdI is called for the relevant field configured for masking. This allows you to implement customer-specific authorization checks that you have defined in the BAdI: Authorization Check.

Before you start this activity, you must have maintained the Web Dynpro masking configuration in the Customizing activity Maintain Masking Configuration.

You maintain the BAdI filter value in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Advanced Configuration → Maintain BADI Filter Value.

For more information on how to use this activity, see the associated Customizing documentation.

2.2.3 Business Add-Ins (BAdIs)

2.2.3.1 BAdI: Masking Pattern

You can use this BAdI to implement any masking pattern for unauthorized users. The BAdI implementation must be based on the filtering of the masking pattern maintained for the field in the Web Dynpro ABAP masking configuration.

The BAdI contains the following method:

• EXECUTE_MASKING_PATTERN
  This method allows you to implement your own masking pattern to be displayed on the Web Dynpro ABAP screen for unauthorized users.

You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Business Add-Ins (BAdIs) → BAdI: Masking Pattern.

For more information on how to use this BAdI, see the associated Customizing documentation.

2.2.3.2 BAdI: Authorization Check

You can use this BAdI to perform any authorization check in addition to the authorization check that is carried out as per the configuration and also to make changes to the final output that is displayed on the screen.

The BAdI implementation must be based on the filter value maintained in the Web Dynpro masking configuration for the field. The BAdI contains the following methods:

• EXECUTE_AUTHORIZATION
  This method allows you to implement your own business logic for authorization checks.
• EXECUTE_VALUE
  This method allows you to implement your own business logic to modify the masked value before it is sent to the Web Dynpro ABAP screen for output.

You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Business Add-Ins → BAdI: Authorization Check.

For more information on how to use this BAdI, see the associated Customizing documentation.

2.2.3.3 BAdI: Field Access Tracking

You can use this BAdI to change the record saved in the access trace table by the field access trace function.

The BAdI contains the following method:

• EXECUTE_LOGGING
  This method allows you to modify the access trace details, including the free text that is saved in the access trace table. You can also save the field value for the fields configured for masking by implementing the CV_SAVE_LOG value flag in the BAdI.

You make the relevant settings in Customizing for SAP NetWeaver under Field Masking for Web Dynpro for ABAP → Business Add-Ins (BAdIs) → BAdI: Field Access Tracking.

For more information on how to use this BAdI, see the associated Customizing documentation.


3 Business Scenarios

3.1 Field Masking for Web Dynpro for ABAP

The following topics are covered for this business scenario:

• Overview
• Technical system landscape
• Configuration details

3.1.1 Overview

This software consists of the following processes:

3.1.1.1 Web Dynpro ABAP Masking

Web Dynpro ABAP masking allows only users with field-level authorization to view field values. If a user does not have authorization to view the value for a field, then the data is masked with masking characters. Only users who have authorization to view the field value can see the original value. The fields configured for masking are masked on the Web Dynpro ABAP screen.

For masking to happen, you need to follow the process below:

Step 1: Maintain the basic settings as explained in Section 2.2.1.

Step 2: Maintain the masking configuration as explained in Section 2.2.2.

Example

The following is an example of Web Dynpro ABAP masking in a UI table:

| CoCd | Company Name | City |
| --- | --- | --- |
| 001 | #####@@* | Walldorf |
| 0MB1 | #####@@**erbankDeutschl. | Walldorf |
| AR01 | #####@@**emplateAR | Argentina |
| AT01 | #####@@**emplateAT | Austria |


3.1.1.2 Field Access Trace

Field access trace writes an access trace entry when the user accesses the fields configured for masking. Since the fields configured for masking are considered important for business, the customer wants to know who, when, and by which business role these fields are accessed. Field access trace uses the same configuration tables as those used for field masking for Web Dynpro ABAP and is carried out for Web Dynpro ABAP screens.

The field access trace process is as follows:

Step 1: Field access trace works only if you have maintained fields in the masking configuration by following the steps described under Section 3.1.1.1.

Step 2: When maintaining the fields in the masking configuration, you need to select one of the following options in the Field Access Tracking field:

a. Trace If Original Field Value Is Displayed Without Masking
b. Always Trace Regardless of Masking
c. Never Trace Regardless of Masking

Field access trace is then enabled based on the option selected.

Step 3: View and delete the field access trace entries: You can display and delete the access trace entries from the access trace table using report /UIMWDA/R_VIEW_DEL_UI_FAT.

Details on archiving access trace data are provided in the Application Help.

3.1.2 Technical System Landscape

Refer to Section 2.1

3.1.3 Configuration Details

Refer to Section 2.2


4 Solution Manager Information

4.1 Project Administration

Field masking for Web Dynpro for ABAP can either be documented in a separate project or embedded in an existing implementation project.

The documentation language must be English. Documents to be uploaded into SAP Solution Manager must have a commonly readable format (PDF is recommended).

4.1.1 System and Application Landscape

The following systems are the basis for field masking for Web Dynpro for ABAP:

Refer to Section 2.1.

4.2 Business Scenarios

Refer to Section 3.

4.3 Additional Configuration Details

When data is printed from a UI element table in Web Dynpro for ABAP, the content is not masked in the output. This is not part of the solution scope.

If at least one UI table column is configured for the masking authorization check, the Print button in the toolbar of the UI table must also be configured for masking in Customizing to ensure that the Print button is completely disabled.


5 Security Information

Field masking for Web Dynpro for ABAP is based on SAP NetWeaver 700 SP30, and the highest level supported is SAP_BASIS 750 SP04. Therefore, the related guides also apply to field masking for Web Dynpro for ABAP.

For more information about specific security-related topics, see the following resources on SAP Service Marketplace or SDN:

| Topic | Quick Link on SAP Service Marketplace or SDN |
| --- | --- |
| Security | http://service.sap.com/security; http://sdn.sap.com/irj/sdn/security |
| Platforms | http://service.sap.com/platforms |
| Infrastructure | http://service.sap.com/securityguide → Infrastructure Security |
| Related SAP Notes | http://service.sap.com/notes; http://service.sap.com/securitynotes |
| SAP NetWeaver | http://sdn.sap.com/irj/sdn/netweaver; http://service.sap.com/security |

For a complete list of available SAP Security Guides, see SAP Service Marketplace at http://service.sap.com/securityguide.

5.1 Authorization Concept

5.1.1 Roles

You can assign the default role /UIMWDA/PFCG_ROLE to the user to whom the required authorization needs to be provided.

Alternatively, you can also create or use existing PFCG roles and assign these roles to authorized users. You have to maintain the same role in the configuration corresponding to the Web Dynpro application, component, view, component configuration (if applicable), and field ID.

Furthermore, you can assign the role to the authorization object /UIMWDA/AO for field access trace.


5.1.2 Authorization Objects

The following table lists the security-relevant authorization objects that are used by field masking for Web Dynpro for ABAP.

| Authorization Object | Field | Value | Description |
| --- | --- | --- | --- |
| /UIMWDA/AO | ACTVT | - | Authorization Object for Web Dynpro Masking |

5.2 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-specific legislation in different countries. SAP provides specific features and functions to support compliance with regard to relevant legal requirements, including data protection. SAP does not give any advice on whether these features and functions are the best method to support company, industry, regional, or country-specific requirements. Furthermore, this information should not be taken as advice or a recommendation regarding additional features that would be required in specific IT environments. Decisions related to data protection must be made on a case-by-case basis, taking into consideration the given system landscape and the applicable legal requirements. SAP does not provide legal advice in any form. SAP software supports data protection compliance by providing security features and specific data protection-relevant functions, such as simplified blocking and deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will not be covered by a product feature. Definitions and other terms used in this document are not taken from a particular legal source.

CAUTION

The extent to which data protection is supported by technical means depends on secure system operation. Network security, security note implementation, adequate logging of system changes, and appropriate usage of the system are the basic technical requirements for compliance with data privacy legislation and other legislation.

The personal or sensitive data is stored by the field masking for Web Dynpro for ABAP solution in the UI Log Table to Trace Logging of Configured Fields (/UIMWDA/T_UI_FAT). You can mask fields such as the Bank Account Number.

5.2.1 Generic Fields

You need to make sure that no personal data enters the system in an uncontrolled or non-purpose related way, for example, in free-text fields, through APIs, or customer extensions. Note that these are not subject to the read access logging (RAL) example configuration.


5.2.2 Glossary

The following terms are general to SAP products. Not all terms may be relevant for this SAP product.

Blocking: A method of restricting access to data for which the primary business purpose has ended.

Consent: The action of the data subject confirming that the usage of his or her personal data shall be allowed for a given purpose. A consent functionality allows the storage of a consent record in relation to a specific purpose and shows if a data subject has granted, withdrawn, or denied consent.

Data subject: An identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Deletion: Deletion of personal data so that the data is no longer available.

End of business: Date where the business with a data subject ends, for example, the order is completed, the subscription is canceled, or the last bill is settled.

End of purpose (EoP): End of purpose and start of blocking period. The point in time when the primary processing purpose ends, for example, a contract is fulfilled.

End of purpose (EoP) check: A method of identifying the point in time for a data set when the processing of personal data is no longer required for the primary business purpose. After the EoP has been reached, the data is blocked and can only be accessed by users with special authorization, for example, tax auditors.

Personal data: Any information relating to an identified or identifiable natural person (a data subject).

Purpose: The information that specifies the reason and the goal for the processing of a specific set of personal data. As a rule, the purpose references the relevant legal basis for the processing of personal data.

Residence period: The period of time between the end of business and the end of purpose (EoP) for a data set during which the data remains in the database and can be used in case of subsequent processes related to the original purpose. At the end of the longest configured residence period, the data is blocked or deleted. The residence period is part of the overall retention period.

Retention period: The period of time between the end of the last business activity involving a specific object (for example, a business partner) and the deletion of the corresponding data, subject to applicable laws. The retention period is a combination of the residence period and the blocking period.

Sensitive personal data: A category of personal data that usually includes the following type of information:
• Special categories of personal data, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation.
• Personal data subject to professional secrecy
• Personal data relating to criminal or administrative offenses
• Personal data concerning insurances and bank or credit card accounts

Where-used check (WUC): A process designed to ensure data integrity in the case of potential blocking of business partner data. An application's where-used check (WUC) determines if there is any dependent data for a certain business partner in the database. If dependent data exists, this means the data is still required for business activities. Therefore, the blocking of business partners referenced in the data is prevented.

5.2.3 Deletion of Personal Data

5.2.3.1 Simplified Blocking and Deletion

When considering compliance with data protection regulations, it is also necessary to consider compliance with industry-specific legislation in different countries. A typical potential scenario in certain countries is that personal data shall be deleted after the specified, explicit, and legitimate purpose for the processing of personal data has ended, but only as long as no other retention periods are defined in legislation, for example, retention periods for financial documents. Legal requirements in certain scenarios or countries also often require blocking of data in cases where the specified, explicit, and legitimate purposes for the processing of this data have ended, but the data still has to be retained in the database due to other legally mandated retention periods. In some scenarios, personal data also includes referenced data. Therefore, the challenge for deletion and blocking is first to handle referenced data and finally other data, such as business partner data.

5.2.3.2 Deletion of Personal Data

The processing of personal data is subject to applicable laws related to the deletion of this data when the specified, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a legitimate purpose that requires the retention and use of personal data, it must be deleted. When deleting data in a data set, all referenced objects related to that data set must be deleted as well. Industry-specific legislation in different countries also needs to be taken into consideration in addition to general data protection laws. After the expiration of the longest retention period, the data must be deleted.

This SAP product might process data (personal data) that is subject to the data protection laws applicable in specific countries as described in SAP Note 1825544.

In order to ensure that all personal data is protected, Field Masking for Web Dynpro for ABAP stores absolutely no personal data.

5.3 Security-Relevant Logging and Tracing

The field masking for Web Dynpro for ABAP solution logs data access within the log table. Only authorized users can access the log data.

5.4 Dispensable Functions with Impacts on Security

Not relevant

6 Operations Information

Designing, implementing, and running your SAP applications at peak performance 24 hours a day is vital for your business success. This chapter contains important information on how to smoothly operate field masking for Web Dynpro for ABAP. The major topic is monitoring. This chapter describes the tasks to execute and the tools to use.

Field masking for Web Dynpro for ABAP is currently based on SAP NetWeaver 700 SP 30, and the highest supported level is SAP_BASIS 750 SP 04. Therefore, the general operations information that is covered in the related operations guides also applies to field masking for Web Dynpro for ABAP.

For a complete list of available SAP Operations Guides, see SAP Service Marketplace at http://service.sap.com/instguides.
