Data Scrambling Tool (DST)
2024-1-4 16:36:19 Author: blogs.sap.com

IT systems often hold sensitive information such as Protected Health Information (PHI), Personally Identifiable Information (PII), Sensitive Personal Information (SPI), etc. Companies are responsible for adhering to policies that keep them compliant with data protection laws such as GDPR, HIPAA, PIPEDA, and APPI, as well as with ISO 27001, an international standard for security certification that outlines a best-practice framework for managing processes, technology, and people.

It is important to mask sensitive data in non-production environments so that it is not available to authorized users such as developers, solution architects, testers, and others, both internal employees and vendors, who usually work across the entire landscape that has been refreshed from the production system.

To achieve this goal, there are SAP products that can do data masking, such as SAP TDMS, as well as third-party tools that work at the DB level. Obviously, they involve additional license costs and implementation time.

The solution described here is a custom-built ABAP program that masks the data of table fields. Sensitive data can exist in both standard and custom tables, so the list of table fields can vary, but it can be covered with an editable template. The program was developed some years ago, but it can now be shared as open source. I hope it is helpful.

For the demo we can use the well-known tables used in trainings. First, install DST from GitHub using abapGit in one of your sandbox systems. The link to the DST GitHub repository is provided at the end of this article. Generate some test data for tables SPFLI, SFLIGHT, and SBOOK using the generator t-code BC_DATA_GEN. Similarly, we can generate data in tables STICKET and SNVOICE with the report SFLIGHT_DATA_GEN. After the data has been generated, run t-code ZDST.

Template Editor

First, with the help of the template editor, create a template that contains the tables and field names that should be scrambled. After switching to Change Mode (‘Change / View’ button), let’s add some data. Most probably, in the example below only personal data like SBOOK-PASSNAME (‘Name of the Passenger’) should be scrambled, but let’s add some more fields just to extend the demo template. It is possible to scramble key fields, but adding them to the template will show a warning pop-up.

Double-clicking on a Table Name shows the table content that will be used for scrambling. It is handy for checking data before and after scrambling. This is how SBOOK looks now (Table Keys + Fields selected for scrambling).

What if not all the data of a Table-Field entered in the template should be scrambled? For example, we need to scramble data from the ADR6 and ADRP tables but need to exclude certain groups of persons. For this typical requirement it is possible to add keys that will be used to select the data to scramble. Going back to our demo template, let’s add keys that apply scrambling of SBOOK-PASSNAME only to Business Class passengers (SBOOK-CLASS = ‘C’). To do this, in the Template Editor double-click on ‘+’ in the Key column for the required Table/Field line, select ‘Class’, then ‘Apply Selected Items’, add ‘Business Class’ in Dynamic Selection, and Save.

Added keys are flagged in the Key column with a Key icon.

Double-clicking on SBOOK will show the data of Business Class passengers that is ready to be scrambled in SBOOK.

The template can be edited only in sandbox/development systems (client role – C – Customizing).

Scrambling functionality

Scrambled data has the same length as the original data but is filled with random alphanumeric characters. Because the amount of data to scramble varies, scrambling can be run in both foreground and background mode.

Background mode works perfectly fine, but honestly, so far foreground mode has been fast enough to scramble data in the cases where I used it, and the amount of data requiring masking was not small.

Let’s scramble data in the foreground based on the created template. After it finishes, a pop-up with details on the amount of scrambled data is shown. Double-clicking on SBOOK confirms that the data can no longer be read.

DST will not run scrambling on a Production system (client role – P – Production). If you are brave enough, you can try, but most probably it will just show a funny message.
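The behaviour described in this section and in the Template Editor section (template keys, same-length random alphanumeric replacement, a per-table count, refusal on client role P) can be modelled in a few lines. This is an added Python sketch, not DST's ABAP code; the function names, the uppercase-plus-digits alphabet, and the sample rows are assumptions made for illustration.

```python
import secrets
import string

# Assumption: uppercase letters and digits as the "alphanumeric" alphabet.
ALPHANUM = string.ascii_uppercase + string.digits

# Template modelled on the demo: table -> list of (field, key filter or None).
# The filter mirrors the Key column: scramble only rows matching all keys.
TEMPLATE = {"SBOOK": [("PASSNAME", {"CLASS": "C"})]}

def scramble_value(value: str) -> str:
    """Replace every character with a random alphanumeric one, same length."""
    return "".join(secrets.choice(ALPHANUM) for _ in value)

def run_scrambling(tables: dict, template: dict, client_role: str) -> dict:
    """Scramble the templated fields in place; return rows changed per table."""
    if client_role == "P":  # production client: refuse, as the article describes
        raise PermissionError("scrambling is not allowed in a production client")
    counts = {}
    for table, fields in template.items():
        changed = 0
        for row in tables.get(table, []):
            hit = False
            for field, keys in fields:
                if keys and any(row.get(k) != v for k, v in keys.items()):
                    continue  # row excluded by the template key
                row[field] = scramble_value(row[field])
                hit = True
            changed += hit
        counts[table] = changed
    return counts

def make_sample() -> dict:
    """Constructed SBOOK rows (not real data): keys plus CLASS and PASSNAME."""
    return {"SBOOK": [
        {"CARRID": "LH", "BOOKID": "00000001", "CLASS": "C", "PASSNAME": "Anna Example"},
        {"CARRID": "LH", "BOOKID": "00000002", "CLASS": "Y", "PASSNAME": "Ben Sample"},
        {"CARRID": "AA", "BOOKID": "00000003", "CLASS": "C", "PASSNAME": "Cara Test"},
    ]}

if __name__ == "__main__":
    data = make_sample()
    print(run_scrambling(data, TEMPLATE, client_role="C"))
    for row in data["SBOOK"]:
        print(row["BOOKID"], row["CLASS"], row["PASSNAME"])
```

Because each value is replaced independently, the same name appearing in two rows or two tables ends up with two different scrambled values, which matters if tests rely on matching records across tables.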

Application Log

All actions performed in DST are saved to the Application Log with object ZDST. The log can be checked by hitting the ‘Application Log’ button or directly from t-code SLG1 using object ZDST.

The log contains details on the scrambling performed as well as on template changes.

Transport

After the template has been created, saved, and tested, it can be transported from the development system to other systems of the landscape. A transport with the template data can be created by pressing the ‘Transport’ button.

Authorization

DST was meant to be used by two groups of users. One group should be able to edit a template (functional consultants), and the second should be able to run data scrambling after system refreshes from Production (BASIS).

Accordingly, there is a custom authorization object Z_S_DST with activity ‘02’ for template editing and ‘16’ for executing scrambling.

Information

Pressing the ‘Information’ button will show a document with DST details, including prerequisites.

Thanks for reading this article. I hope you found it interesting and that the Data Scrambling Tool will be useful. Please feel free to reach out to me with any suggestions.

https://github.com/vlutsas/DST


Article source: https://blogs.sap.com/2024/01/04/data-scrambling-tool-dst/