SAP UI Logging & Masking

Why SAP UI Logging & Masking?

Enterprises today are exposed to an ever-broadening range of IT security threats, from emailed viruses, to targeted phishing-style attacks that trick employees into clicking on dangerous links that install malware, steal credentials, or in some other way jeopardise the security of the enterprise. As threats have evolved over time, new approaches to threat detection and remediation have become necessary for organisations that are at risk.


Winterhawk recently asked SAP’s Tobias Keller, who is the Solution Owner for UI Data Security, for his insights into SAP’s UI Logging & Masking application. We posed the question:

How can UI  Logging and Masking help our customers refine their approach to security?

Tobias’s reply:

Basically, you’re talking about a two-step approach to tackle the risk posed by preferred insiders. Masking is about restricting access to sensitive data, be it PII or business critical information, with the intention of building a per-need base access on top of your existing authorisations.

UI Logging comes in when you suspect data abuse, because you want to be able to know exactly what happened and take the right decisions and actions. For that you need detailed logging of who really saw what and under which circumstances. Now, tie this up with SAP Enterprise Threat Detection, and you take your protection to the next level as you can effectively build a real-time monitoring of data access where suspicious activities can immediately be flagged.

UI Logging

Provides a way to record and analyse data displayed in SAP. All database accesses are logged (search / read / store / update); it provides real time configurable alerts/ notifications which can be integrated with SAP Enterprise Threat Detection (ETD).

UI Logging runs in the background with minimal impact on system resources and without changing any functionality.


  • Logging of exact set of data being displayed, printed or exported
  • Prevent unwanted data access while keeping data openly available to your teams and customers
  • Log access to payment run data
  • Allow users to take on tasks more flexibly and efficiently, while logging individual access to prompt users to access data only when needed for a specific task
  • Log access to reports to be able to identify and sanction abuse by management who may intend to measure employee performance (example, how many records employees processed per week)
  • For inappropriate actions: identify perpetrator(s) and collaborate with authorities on severity of leak and identify system/authorisation setup weaknesses
  • A log analyser dashboard of powerful filters to identify and trace security incidents

UI Masking

Is an active form of masking the display of sensitive data in SAP which allows for easy configuration of who (role/user) is authorised to see unmasked data.

Avoid abuse of information and damaging cases of data loss, ensure compliance with data privacy regulations and increase transparency of access to sensitive data with audit trail on field level.


  • Prevent theft or inappropriate use of data by masking access (examples, SE16, SM30, similar transactions, custom transactions, downloads, reports).
  • Protect information in Bill of Material (BOMs) – protecting your IP.
  • Mask specific fields in HR and Payroll to protect sensitive and confidential data (examples, Social Security Numbers, Salaries, Pensions, Tax Information, Personal Data – GDPR).
  • Mask pricing/costing information (examples, conditions, end prices, resulting price list) to avoid leaking to customers/vendors.
  • Mask customer data & pricing/costing information (examples, conditions, end prices, resulting price list) for 3rd parties (examples, usually partners/vendors) working in the system.
  • Divestiture, where you may have a company split of spin off. Segregate data access.
  • Mask depending on attributes of data/user (examples, country, company code, org unit) to decrease authorisation system setup and ensure seamless data protection in case of role/job changes.
  • Mask data for external/temporary roles (show only what is strictly required for the task (examples, only last names, only parts of identifying numbers like bank accounts, telephone and customer numbers.


In a nutshell, UI Logging and UI Masking can be purchased separately, but these two products work so well together that most clients use both.

  • Use UI Logging to detect and act on misuse of legally protected or business critical data.
  • Use UI Masking to prevent data leaks by restricting access to legally protected or business critical data.

Get in touch

Looking to protect your data with UI Logging / Masking? Drop us a line for a full demo.