SAP UI Logging & Masking

Why SAP UI Logging & Masking?

Enterprises today are exposed to an ever-broadening range of IT security threats, from emailed viruses, to targeted phishing-style attacks that trick employees into clicking on dangerous links that install malware, steal credentials, or in some other way jeopardise the security of the enterprise. As threats have evolved over time, new approaches to threat detection and remediation have become necessary for organisations that are at risk.

Purchase options

Available either On Premise (client hosted – perpetual license) or via Cloud for UI Logging & Cloud for UI Masking (SAP hosted – subscription license).

Solution Insight:
Tobias Keller, Solution Owner for UI Data Security, SAP

UI  Logging and Masking helps our customers refine their approach to security. Basically, you’re talking about a two-step approach to tackle the risk posed by preferred insiders. Masking is about restricting access to sensitive data, be it PII or business critical information, with the intention of building a per-need base access on top of your existing authorisations.

UI Logging comes in when you suspect data abuse, because you want to be able to know exactly what happened and take the right decisions and actions. For that you need detailed logging of who really saw what and under which circumstances. Now, tie this up with SAP Enterprise Threat Detection, and you take your protection to the next level as you can effectively build a real-time monitoring of data access where suspicious activities can immediately be flagged.

Click the thumbnail to read Winterhawk’s History of SAP Solutions: UI Logging & UI Masking

UI Logging

Provides a way to record and analyse data displayed in SAP. All database accesses are logged (search / read / store / update); it provides real time configurable alerts/ notifications which can be integrated with SAP Enterprise Threat Detection (ETD).

UI Logging runs in the background with minimal impact on system resources and without changing any functionality.


  • Logging of exact set of data being displayed, printed or exported
  • Prevent unwanted data access while keeping data openly available to your teams and customers
  • Log access to payment run data
  • Allow users to take on tasks more flexibly and efficiently, while logging individual access to prompt users to access data only when needed for a specific task
  • Log access to reports to be able to identify and sanction abuse by management who may intend to measure employee performance (example, how many records employees processed per week)
  • For inappropriate actions: identify perpetrator(s) and collaborate with authorities on severity of leak and identify system/authorisation setup weaknesses
  • A log analyser dashboard of powerful filters to identify and trace security incidents

UI Masking

Is an active form of masking the display of sensitive data in SAP which allows for easy configuration of who (role/user) is authorised to see unmasked data.

Avoid abuse of information and damaging cases of data loss, ensure compliance with data privacy regulations and increase transparency of access to sensitive data with audit trail on field level.


  • Prevent theft or inappropriate use of data by masking access (examples, SE16, SM30, similar transactions, custom transactions, downloads, reports).
  • Protect information in Bill of Material (BOMs) – protecting your IP.
  • Mask specific fields in HR and Payroll to protect sensitive and confidential data (examples, Social Security Numbers, Salaries, Pensions, Tax Information, Personal Data – GDPR).
  • Mask pricing/costing information (examples, conditions, end prices, resulting price list) to avoid leaking to customers/vendors.
  • Mask customer data & pricing/costing information (examples, conditions, end prices, resulting price list) for 3rd parties (examples, usually partners/vendors) working in the system.
  • Divestiture, where you may have a company split of spin off. Segregate data access.
  • Mask depending on attributes of data/user (examples, country, company code, org unit) to decrease authorisation system setup and ensure seamless data protection in case of role/job changes.
  • Mask data for external/temporary roles (show only what is strictly required for the task (examples, only last names, only parts of identifying numbers like bank accounts, telephone and customer numbers.



In a nutshell, UI Logging and UI Masking can be purchased separately, but these two products work so well together that most clients use both.

  • Use UI Logging to detect and act on misuse of legally protected or business critical data.
  • Use UI Masking to prevent data leaks by restricting access to legally protected or business critical data.

Winterhawk Insight

Winterhawk SAP

Steve Hewison, CEO


While the SAP Security Authorisation concept enables an administration to restrict sensitive access by transaction code (and different values), and Access Control systems can help to detect Segregation of Duties, there are two key things that they cannot do – and that’s where UI Logging and Masking have become critical applications, providing an additional security layer.

Masking allows you to make specific data unusable to all but specifically-defined users; Logging keeps data accessible while logging & analysing access, to then take appropriate measures. Both UI Logging and Masking are quick to deploy. With no additional infrastructure required, they’re proving increasingly popular with clients seeking to increase data protection assurance.


Implementation of SAP UI Logging or UI Masking can be as quick as 6 weeks by leveraging Winterhawk’s Rapid Deployment Services (RDS), enabling fast, efficient roll-out at a lowered cost.

Using Winterhawk’s cost-effective and best practice RDS approach, you can plan for a GRC go-live in less than 2 months from when the project commences. Click here to find out more.

GRC Upgrades by SAP Winterhawk

Get in touch

Looking to protect your data with UI Logging / Masking? Drop us a line.