Discuss business intelligence, integration, compliance and a host of other SAP-related topics – implementation, best practices and resources to negotiate the world of SAP better!

« The Next Normal for Everyone's Business | Main | Self-service password reset using email in SAP »

Data Protection in SAP using UI Masking and Logging Solution

Today's world is data driven and it is extremely important to protect sensitive data such as personal information and critical business data. Enterprises today are exposed to IT security threats evolved over time and they need to comply with number of data privacy regulations.

Organizations need to define the right approach for threat detection and remediation for threats coming from both insiders and outsiders. SAP supported protective means such as Single Sign On (SSO) can be used to protect networks and systems from outside attacks. However, protection against insider data thefts is not covered by standard functionality and it requires one step beyond a basic system security and authorization setup.

This blog discusses SAP's solution for UI Data protection - UI Masking and UI Logging, which can be used to achieve data security in SAP landscape.

SAP systems contain massive amount of sensitive and business critical information. Internal users in the organization have access to such information.

In many cases, SAP users get excess access in SAP system due bad role design or incorrect role assignments. In addition, standard SAP authorization framework has some imitation and it cannot handle every data security or legal requirements concerning data privacy independently. Users with dishonest intention can exploit such loopholes to access sensitive and critical information, which can ultimately result into data leaks.

SAP provides two-step security approach to protect data from insiders -

UI Masking and UI Logging.

UI Masking is preventative control for handling data security. It is an active form of masking the display of sensitive data to conceal specific data unless required for the task. Masking solution can mask data within multiple UI technologies such as SAP GUI, WebDynpro ABAP, CRM Web Client UI UI5 /Fiori etc. making sure that sensitive fields are masked for unauthorized users. This solution masks field values of sensitive (configured) fields by default. Unmasking of these field values requires explicit access on top of existing user access. In case a customer is looking for conditional based masking, the same can also be achieved with the implementation of UI masking BADI. e.g. Masking should only be applied in case vendor account number is mapped to specific accounting group in SAP.

UI Logging is soft and detective approach in data security. This functionality allows an individual to document and analyze data requested and eventually accessed by the user. It provides a detailed and structured data access log required for analysis. It prevents illegitimate access to data, its theft by introducing complaint behavior. UI logging configuration options allow individuals to determine for which users, and data logging should be enabled. The logged data in SAP can be transferred to the external repository (SAP or non-SAP) for further analysis.

As of today, UI masking and UI logging solution is applicable for below SAP UI technologies. The solution can be enabled after installing add-on specific to respective SAP system. 

UI Technology


UI Masking


UI Logging


S/4HANA native



SAP GUI for Windows / HTML / Java






CRM Web Client UI



WebDynpro ABAP



BW Access (BEx Web/Analyser, BW-IP, BICS, MDX)

Can be offered as project


RFC/BAPI and Web Services

Can be offered as project



With the help of UI masking and UI logging solution on top of existing SAP authorization set up, organizations can achieve data security.

This will help organizations in

·        Avoiding damaging cases of data abuse and data loss.

·        Identifying and proving irregular data access.

·        Comply better with legal requirements concerning data privacy e.g. GDPR (General Data Protection Regulation)

·        Increase transparency of access to sensitive data.

·        Detect potentially problematic access to sensitive data rapidly and conduct a meaningful analysis in order to take the corrective actions.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Please key in the two words you see in the box to validate your identity as an authentic user and reduce spam.

Subscribe to this blog's feed

Follow us on

Blogger Profiles

Infosys on Twitter