UI Logging of SAP GUI for Windows

UI Masking in SAP GUI for Windows – Part 3 of 3

by


This is the third and last part of our blog series talking about SAP’s UI data security solution UI Masking and UI Logging.

In this article, I would like to talk about the details of UI Masking which conceals specific data like tax IDs or social security numbers within SAP GUI (and other supported UI technologies). The solution masks values in desired fields and columns, unless that information is required for a task.

Other articles in this blog series include:

Introduction

Do you want to protect your enterprise against damaging disclosure of internal, secrets, or otherwise sensitive data? Have you ever thought about increase transparency of access to sensitive data on your organization? Also, what about your “employee of the year”?

Has it ever struck you that sometimes, he or she could be the black sheep sneaking away with vital data? Alternatively, maybe it might be an innocuous act that may reveal more than what you would want. Research decisively revealed that 60% of attacks are perpetrated by insiders (people you trust!) and the majority of these have malicious intent.

So, if you are thinking about how to “Tackle the Inside Risk” in your SAP landscape, then let me tell you that you are welcome, and you are in the right hand.

Overview about UI Masking

UI Masking is a solution to mask the screen output of restricted and sensitive data values at the field level. Technically this means restricting specific data from reaching certain users by concealing it; thus data values either wholly or partly. This also affects high-level “admin” system users (in dynamic transactions, e.g., SE11, SE12, SE16, SE16n) – unless they are explicitly authorized for a field.

It enables anonymization (de-personification) in business transactions, technical transactions and applies during actions such as view, download, export or print. It works with many UI technologies such as SAP GUI for Windows / HTML / Java, UI5/Fiori, Web Dynpro ABAP and more.

Of course, UI Masking provides an enhancement spot, via Business Add-In (BAdI). This means your desired custom logic about what, when and how to mask, can be implemented down to the field level using BAdIs. You can also control how the trace entries might be enriched.

SAP’s UI Masking solution in high level consists of the two functions:

  1. Field masking which provides configurable options to increase data security in SAP user interfaces by mask sensitive values in screen fields for refined data access on top of the existing role/authorization setup.
  2. Field access trace which creates an access trace entry when the user accesses the fields which are configured for masking.
Unmasked fields values
Unmasked fields values
Masked Fields Values
Masked Fields Values

How UI Masking for SAP GUI works

Field masking allows only users with field-level authorization to view the field value, period. If a user is not authorized, the data is masked with masking characters. Only users who are allowed to view the field value can see the original value.

Just before the user interface is displayed, masking and field access trace is enabled, based on how the field is configured in UI masking and the user’s field-level authorization(s). The masking of the data value depends on the field type and character pattern as configured in customizing.

By other words, UI Masking is active on the point just before the data are handled back to the user. The original data which should be displayed to the user is compared with the data elements which are configured for protection (masking). The solution checks if the user is authorized to see that information or not. If you like, UI Masking is also capable of writing a short trace that the user has requested the masked data.

The following figure provides an overview of the process, as you see UI Masking does neither affect the database layer nor the Business Logic of your SAP system.

User Interaction with Masked Interface
User Interaction with Masked Interface (Source SAP SE)

Highlights of SAP UI Masking

Maintain Global Masking switch: at this stage, you can decide if you want to enable or disable masking for a particular client. This system level setting sets masking at the highest level. If masking at this level not active, then any of the configured entries will not be masked, and the original field’s value (unmasked) will be shown for the user.

Field Access Trace: writes an access data entry when the user accesses the fields configured for masking. The trace contains various information such as the user who accesses to masked values, date and time when the user accessed the value and the transaction the user used to view the configured fields. Also, you have wide filters options to restrict and minimize the information in the log record.

Display and Delete Field Access Trace
Transaction (UIM_VIEW_FAT)

In the Field Access Trace, you have the three choices to decide how you want to trace your masked fields, lets to review them one by one:

  • (L) Trace If Original Field Value is Displayed Without Masking: The values are logged if the field is obtained by a user allowed to view the unmasked value of the field.
  • (A) Always Trace Regardless of Masking: The values are logged if the field is accessed by an authorized or unauthorized user.
  • (N) Never Trace Regardless of Masking: Field Access Trace is disabled for this field or role.
Field access trace
This is an optional feature at field level

Configure E-Mail Notification for PFCG role changes: On this customizing, you can trigger an E-Mail notification (alert) if anyone messes in with PFCG roles.

Configure E-Mail Notification for PFCG Role changes
Configure E-Mail Notification for PFCG Role changes

BAdI: UI Masking and Field Access Tracking: By using BAdIs you can build your own rules and implement own business logic to redesign the masked values just before they are transferred to the end user. For every field name maintained in the masking configuration, you can access the original data and masked data.

Conclusion

SAP UI Masking is a robust approach to data security which technically prevents unauthorized employees from accessing sensitive data. The solution helps to decrease the risk of leaking sensitive data by merely hiding information “not required for the job” and thus following the principle of data minimization. It is considered as a cost-effective alternative to data “blocking” solutions such as SAP ILM and allows you to comply with data privacy regulations like GDPR, HIPAA or Sarbanes–Oxley.

Here some Benefits what you get from SAP UI Masking:

  • Helps to avoid damaging and costly cases of data loss
  • Increases transparency of access to sensitive data with audit trail on the field level
  • Prevents opportunistic leaking of data
  • Builds a human firewall and empower employees by raising the data security awareness
  • Protects your employees against inadvertent data security breaches
  • Increases employees to confidently do their work

In the end, I wish you always safe and secure system and hope you enjoyed our short journey into the world of SAP UI Masking and UI Logging.