The global and independent platform for the SAP community.

Customized Masking

From protected personal to privileged financial information: SAP applications contain large amounts of sensitive data. These always also harbor risks that companies must counter.
Ralf Kempf, Pathlock
19 January 2023
This text has been automatically translated from German to English.

Attribute-based data masking protects ERP data and reduces compliance risks

In SAP ERP, there are no masking functions for accurate anonymization in the views by default. The potential leakage of unhindered data disclosure thus represents a huge attack surface. Although add-ons and solutions exist from SAP and third-party vendors, significant challenges still exist. This is where attribute-based data masking comes in.

Particularly in the course of progressive internationalization and especially since Corona and frequent home offices, process-relevant but sensitive data are increasingly in danger of being viewed by external or internal observers whose insight is neither necessary nor desired in terms of the situation or in general. Three examples: If an employee in the HR department works from abroad and maintains master data, only absolutely necessary fields should be visible so that no one external inadvertently gains insight into sensitive data. If a sales person works with master data to create quotations, he must be able to find the right product in the master card, see the right packaging unit, the container, but not know all purchase prices. A packer must of course know which package to take based on the material master number, but he does not need to know en détail what the contents are.

Data masking is not about reducing abusive views (fraud) of personal data, about pure anonymization and pseudonymization of personal and address data, but it is broader. Ultimately, all types of data can be masked. The goal of masking original data is so-called data loss prevention, to solve the problem of data theft, data misuse or other forms of data crime by changing the views of the database itself: Basically, it's about protecting data that is necessarily there but that you don't want everyone to see, about limiting views to situationally relevant information. This still poses some challenges for most SAP and third-party data masking solutions because they operate purely at the permission level. However, static masking policies do not take into account the context of access risk and force a trade-off between data security and accessibility.

Privileged users can access sensitive data fields, even if this is not required or desired in a specific context. Data masking add-ons also require customizations to be replicated in each field of the application, resulting in a non-scalable ad hoc solution. Unlike such off-the-shelf masking solutions, the Pathlock approach centralizes data masking enforcement in SAP into a single rule set to define and mask data across the application. And, without requiring further customization of SAP for implementation, it additionally leverages dynamic policies that incorporate risk context to more precisely protect sensitive data.

Freely configurable attributes

An attribute-based masking function thus means fine-grained control over what information is masked for a particular user in a particular situation. This is particularly important when a multinational company wants to prevent abusive views. Data is then masked, for example, for accesses from countries that do not belong to the company locations, for accesses that originate from remote workstations outside the network, unknown IP addresses or VPNs, or that take place outside the respective business or plausible times. Content that is actually readable and permitted for the role is thus not visible, depending on the characteristics of freely configurable attributes such as the user, the IP address, the time, countries or locations, the type of access - remote work from outside or access within the network - or the network type (such as VPN). If access is made with unusual parameters, data that is unnecessary for the specific case will also not be readable, depending on the attribute.

Different criticality

This cannot be implemented using user authorizations alone and takes into account the different criticality of master data such as: Personnel, location and logistics data as well as supplier information or parts lists, purchase prices and recipes. Attribute-based data masking means improved protection of sensitive company data through fine-grained restriction of views. The policy-based dynamic masking function of the centralized and scalable masking solution thus offers, in addition to authorization protection, customizable control over which sensitive data fields are masked for a specific user in a specific situation. By implementing full or partial masking of a data set, the solution minimizes the risk of a data breach and also meets encryption and anonymization requirements, such as those of regulatory agencies. By filtering out sensitive data without further adjustments to SAP, there is no additional maintenance effort.

Pathlock Partner Entry
Ralf Kempf, Pathlock

Ralf Kempf is Vice President ABAP Architecture Pathlock Inc. at Pathlock

Write a comment

Working on the SAP basis is crucial for successful S/4 conversion. 

This gives the Competence Center strategic importance for existing SAP customers. Regardless of the S/4 Hana operating model, topics such as Automation, Monitoring, Security, Application Lifecycle Management and Data Management the basis for S/4 operations.

For the second time, E3 magazine is organizing a summit for the SAP community in Salzburg to provide comprehensive information on all aspects of S/4 Hana groundwork. All information about the event can be found here:

SAP Competence Center Summit 2024


Event Room, FourSide Hotel Salzburg,
At the exhibition center 2,
A-5020 Salzburg

Event date

June 5 and 6, 2024

Regular ticket:

€ 590 excl. VAT


Event Room, Hotel Hilton Heidelberg,
Kurfürstenanlage 1,
69115 Heidelberg

Event date

28 and 29 February 2024


Regular ticket
EUR 590 excl. VAT
The organizer is the E3 magazine of the publishing house AG. The presentations will be accompanied by an exhibition of selected SAP partners. The ticket price includes the attendance of all lectures of the Steampunk and BTP Summit 2024, the visit of the exhibition area, the participation in the evening event as well as the catering during the official program. The lecture program and the list of exhibitors and sponsors (SAP partners) will be published on this website in due time.