This is the first of a multi-part blog series talking about the topic of SAP UI data security. In this blog, I would like to talk about the general issues and risks to which today’s SAP companies are exposed.
Other articles in this series include:
Before we walk together into this blog series, let me give you a small definition of SAP UI data security solutions:
These SAP high-level solutions allow you to control and detect which data a user can fetch from the back-end. You can also delineate your own security rules at the field level, by defining which sensitive field values are visible or invisible for each user according to your organization’s requirements.
This Blog seeks to evaluate the adoption of security practices in the user interface. It addresses both user interface and security issues together by talking about security mechanisms inside your SAP systems.
Most people don’t want to think about security breaches, data leakage, or the damage a data leak might cause. As the scientist Ajit Varki argues in his 2013 book Denial, “avoiding the negative is a natural human tendency”.
Occurrences of data leakage have grown rapidly over recent years, and an unknown number of users have leaked sensitive information from the systems they were involved with. Let us call this action an “insider threat”.
Data security issues are (not very surprisingly) quite often perpetrated by insiders, not just hackers. This is a problem in itself, as “an insider threat” is a thousand times worse than a hacker threat because it is so hard to defend against.
Christopher Hadnagy, Security Expert
A little research on the Internet will show that around 35% of organizations were affected over the past four years by data leakage from “insider threats”.
The SAP systems in your company carry a massive amount of sensitive data and critical business information to which users have access, some of them necessarily, others less so. We can define them as “untrusted clients”. A user with dishonest intent is in a very good position in your system, holding the authorizations and basic knowledge required to gain access to critical and sensitive information, meaning that at the end of the day, the data in your enterprise may have been leaked.
Today’s increasingly decentralized way of working, where organizations allow users to connect to information systems from anywhere in the world via many different devices, means that users carry part of the information system outside the secure infrastructure. Insecurity in the SAP UI is therefore caused by the user himself.
Security breaches rapidly become public knowledge today, and the risks we encounter every time we give a user access to our important systems together with the necessary authorizations to access our data are very real.
To avoid those risks, we recommend every SAP organization increase its data security by introducing UI field masking and UI logging from SAP (UILM).
[Figure: UILM high-level solution architecture (example: SAP GUI)]
The table below shows that UI Masking and UI Logging work in the SAP UI layer; technically, each UI technology has specifics that the solution has to accommodate:
| UI Technology | UI Masking | UI Logging |
| --- | --- | --- |
| S/4HANA native (covers all UI channels below) | supported | supported |
| SAP GUI for Windows / HTML / Java | supported | supported |
| CRM Web Client UI | supported | supported |
| BW Access (BEx Web/Analyser, BW-IP, BICS, MDX) | Can be offered as project | supported |
| RFC/BAPI and Web Services | Can be offered as project | supported |
Note: Each solution can be installed individually or jointly, depending on the requirements of your enterprise.
UI Masking: a “strong” approach to data security, which means technically restricting specific data from reaching certain users by masking specified data values partly or completely.
UI Logging: a “soft” approach to data security; it determines and documents on the UI level which data a user requested and what he eventually accessed, and provides functionality to analyze the log in depth or through reports.
By using SAP UI data security, you can limit access to an entire resource in your organization – e.g. all salary reports – or define more complex rules for a resource. The SAP UI data security solution is enforced at the service endpoint. So, the sensitive information in your company or enterprise is always secure and can’t be misused by people with criminal intent or an aggressive competitor.
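To make the two approaches concrete, here is an added Python illustration (not SAP’s own UILM code, and not ABAP) of field-level masking rules enforced on the service-endpoint side together with a log of what each user requested and what was actually released in the clear; the field names, roles and sample record are constructed for the example.

```python
"""Hypothetical model of UI Masking plus UI Logging at a service endpoint.
Constructed example: field names, roles and record values are invented."""
from dataclasses import dataclass, field
from typing import Callable

def mask_full(value: str) -> str:
    """Complete masking: the user sees only the length of the value."""
    return "*" * len(value)

def mask_keep_last(n: int) -> Callable[[str], str]:
    """Partial masking: keep the last n characters, hide the rest."""
    def masker(value: str) -> str:
        return "*" * max(len(value) - n, 0) + value[-n:]
    return masker

# Field-level rules: sensitive field -> (roles allowed to see it in clear, masker).
# Fields without a rule are not sensitive and are always passed through.
RULES = {
    "iban":   ({"payroll_admin"}, mask_keep_last(4)),
    "salary": ({"payroll_admin", "hr_manager"}, mask_full),
}

@dataclass
class AccessLog:
    """UI Logging side: one entry per served record."""
    entries: list = field(default_factory=list)

    def record(self, user: str, requested: set, revealed: set) -> None:
        self.entries.append({"user": user,
                             "requested": sorted(requested),   # fields fetched
                             "revealed": sorted(revealed)})    # sensitive, in clear

def serve_record(record: dict, user: str, roles: set, log: AccessLog) -> dict:
    """Endpoint-side filter: every field passes the rules before reaching the UI,
    so a client that merely renders the response cannot recover hidden values."""
    out, revealed = {}, set()
    for name, value in record.items():
        rule = RULES.get(name)
        if rule is None:                 # not sensitive
            out[name] = value
        elif roles & rule[0]:            # user holds a permitted role
            out[name] = value
            revealed.add(name)
        else:                            # mask before the value leaves the endpoint
            out[name] = rule[1](str(value))
    log.record(user, set(record), revealed)
    return out
```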
Stay tuned for the next blog and we will explore the use case for each of the solutions.