SAP Data Protection

Apply intelligent data masking to SAP data while preserving business process integrity and functional consistency.

Overview

SAP data protection in the Synthesized Platform is designed with SAP-specific knowledge:

  • Process Integrity - Certain fields must remain unchanged to maintain SAP functionality

  • Business Sensitivity - Fields containing manufacturer, pricing, and quantity data are masked

  • Referential Consistency - Masked values remain consistent across related tables

Protection Levels

The SAP Workflow Wizard offers two protection levels:

Mask Sensitive Data

Applies intelligent masking while preserving SAP functionality:

  • Manufacturer and vendor identifiers are hashed

  • Pricing and quantities are noised

  • Descriptions are partially redacted

  • Key fields remain unchanged for process integrity

No Protection

All fields pass through unchanged:

  • Use only in secure, approved environments

  • Suitable when data protection is handled elsewhere

  • Fastest processing (no transformation overhead)

Using "No Protection" may expose sensitive business data. Ensure appropriate security controls are in place.

Field Categories

Always Protected (Passthrough)

These fields are never masked because they are essential for SAP functionality:

Field | Description          | Reason
MANDT | Client/Mandant       | Multi-tenant isolation
MATNR | Material Number      | Primary key, references across tables
MTART | Material Type        | Process determination
MATKL | Material Group       | Classification logic
MEINS | Base Unit of Measure | Quantity calculations
SPART | Division             | Organizational assignment
WERKS | Plant                | Organizational unit
DISMM | MRP Type             | Planning logic
BESKZ | Procurement Type     | Process flow
BWART | Movement Type        | Document processing
TCODE | Transaction Code     | Authorization checks
USNAM | User Name            | Audit trail

Sensitive Fields (Masked)

These fields contain business-sensitive data and are masked:

Field | Description              | Transformation
MFRNR | Manufacturer Number      | Unique Hashing
MFRPN | Manufacturer Part Number | Unique Hashing
EAN11 | EAN/UPC/GTIN             | Unique Hashing
DISPO | MRP Controller           | Unique Hashing
EKGRP | Purchasing Group         | Unique Hashing
PRCTR | Profit Center            | Unique Hashing
VKORG | Sales Organization       | Unique Hashing
HERKL | Country of Origin        | Enum Unique Hashing
VTWEG | Distribution Channel     | Enum Unique Hashing
MAKTX | Material Description     | Redaction (first 4 chars)

Numeric Fields (Noised)

Numeric values are perturbed while maintaining realistic distributions:

Field | Description              | Transformation
LABST | Unrestricted Stock       | Noising
STPRS | Standard Price           | Noising
VERPR | Moving Average Price     | Noising
DMBTR | Amount in Local Currency | Noising
MENGE | Quantity                 | Noising

Transformation Types

Unique Hashing

Replaces values with consistent hashed versions:

Original:  MFRNR = "ACME-CORP"
Masked:    MFRNR = "X7K2M9P4"  (consistent across all records)

Characteristics:

  • Same input always produces same output

  • Original value cannot be recovered

  • Maintains referential integrity

Enum Unique Hashing

Preserves the set of possible values while scrambling assignments:

Original values: {DE, US, CN, JP}
Masked mapping:  DE→US, US→CN, CN→JP, JP→DE

Characteristics:

  • Enum values remain valid

  • Distribution is preserved

  • Lookups continue to work

Redaction

Replaces portions of text with masking characters:

Original:  MAKTX = "Precision Ball Bearing 25mm"
Masked:    MAKTX = "XXXXision Ball Bearing 25mm"

Characteristics:

  • Partial visibility retained

  • Sensitive prefixes hidden

  • Length preserved

Noising

Adds statistical noise to numeric values:

Original:  STPRS = 125.50
Masked:    STPRS = 128.73  (±5% noise)

Characteristics:

  • Values remain realistic

  • Statistical properties preserved

  • Individual values changed

Generated Configuration

When "Mask Sensitive Data" is selected, the wizard generates:

tables:
  - table_name_with_schema: "SCHEMA.MARA"
    transformations:
      # Passthrough - functional fields
      - columns: ["MANDT"]
        params:
          type: passthrough
      - columns: ["MATNR"]
        params:
          type: passthrough
      - columns: ["MTART"]
        params:
          type: passthrough

      # Unique Hashing - identifiers
      - columns: ["MFRNR"]
        params:
          type: unique_hashing
      - columns: ["MFRPN"]
        params:
          type: unique_hashing

      # Enum Hashing - geographic
      - columns: ["HERKL"]
        params:
          type: enum_unique_hashing

  - table_name_with_schema: "SCHEMA.MAKT"
    transformations:
      - columns: ["MANDT", "MATNR"]
        params:
          type: passthrough

      # Redaction - descriptions
      - columns: ["MAKTX"]
        params:
          type: redaction
          redact_first: 4

  - table_name_with_schema: "SCHEMA.MBEW"
    transformations:
      - columns: ["MANDT", "MATNR"]
        params:
          type: passthrough

      # Noising - pricing
      - columns: ["STPRS"]
        params:
          type: noising
          noise_percentage: 5
      - columns: ["VERPR"]
        params:
          type: noising
          noise_percentage: 5

Customizing Protection

Additional Sensitive Fields

To mask additional fields, edit the workflow configuration:

# Add masking for custom field
- columns: ["ZCUSTOM_FIELD"]
  params:
    type: unique_hashing

Adjusting Noise Levels

Modify the noise percentage for numeric fields:

# Increase noise for more privacy
- columns: ["STPRS"]
  params:
    type: noising
    noise_percentage: 10  # Changed from 5

Preserving Additional Fields

To exclude fields from masking:

# Keep field unchanged
- columns: ["CUSTOM_CODE"]
  params:
    type: passthrough

Validation

After running a workflow with data protection:

Verify Key Processes Work

Test critical SAP functions:

  • Material creation/modification

  • Goods movements

  • Purchase order processing

  • Inventory management

Verify Masking Applied

Query sample data to confirm transformations:

-- Check manufacturer numbers are hashed
SELECT DISTINCT MFRNR FROM SCHEMA.MARA LIMIT 10;

-- Verify descriptions are redacted
SELECT MAKTX FROM SCHEMA.MAKT LIMIT 10;

-- Confirm prices are noised (compare to source)
SELECT MATNR, STPRS FROM SCHEMA.MBEW LIMIT 10;

Verify Referential Integrity

Ensure masked values are consistent:

-- Check MATNR consistency between tables
SELECT m.MATNR, t.MATNR
FROM SCHEMA.MARA m
JOIN SCHEMA.MAKT t ON m.MANDT = t.MANDT AND m.MATNR = t.MATNR
LIMIT 10;
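
The spot-check queries above can be turned into property checks when source and masked rows are available side by side. The following is an added example, not part of the Synthesized Platform; it assumes both extracts are loaded as dicts in the same row order, and `check_masking`, `rows`, and the sample rows are constructed for illustration.

```python
from collections import defaultdict

def check_masking(source, masked, passthrough=("MANDT", "MATNR"), hashed=("MFRNR",),
                  redacted=(("MAKTX", 4),), noised=(("STPRS", 5.0),)):
    """Compare source and masked rows (same order); return a list of findings."""
    findings, forward, reverse = [], defaultdict(set), defaultdict(set)
    for i, (src, out) in enumerate(zip(source, masked)):
        for col in passthrough:
            if src[col] != out[col]:
                findings.append(f"row {i}: {col} changed, must pass through")
        for col in hashed:  # record both directions of the value mapping
            forward[col, src[col]].add(out[col])
            reverse[col, out[col]].add(src[col])
            if src[col] == out[col]:
                findings.append(f"row {i}: {col} not masked")
        for col, n in redacted:  # length kept, first n chars replaced, rest intact
            s, o = src[col], out[col]
            if s and (len(o) != len(s) or o[n:] != s[n:] or o[:n] == s[:n]):
                findings.append(f"row {i}: {col} redaction check failed")
        for col, pct in noised:  # value changed, but within +/- pct of the source
            s, o = float(src[col]), float(out[col])
            if abs(o - s) > abs(s) * pct / 100 + 1e-9 or (s and o == s):
                findings.append(f"row {i}: {col} noise check failed")
    for (col, _), outs in forward.items():  # same input must give same output
        if len(outs) > 1:
            findings.append(f"{col}: one source value has {len(outs)} masked values")
    for (col, _), srcs in reverse.items():  # distinct inputs must stay distinct
        if len(srcs) > 1:
            findings.append(f"{col}: {len(srcs)} source values share one masked value")
    return findings

# Constructed sample rows; all values are illustrative only.
COLS = ("MANDT", "MATNR", "MFRNR", "MAKTX", "STPRS")
def rows(*values):
    return [dict(zip(COLS, v)) for v in values]

SOURCE = rows(("100", "M-001", "ACME-CORP", "Precision Ball Bearing 25mm", "125.50"),
              ("100", "M-002", "ACME-CORP", "Precision Ball Bearing 30mm", "80.00"),
              ("100", "M-003", "GLOBEX", "Hex Bolt M8", "2.00"))
GOOD = rows(("100", "M-001", "X7K2M9P4", "XXXXision Ball Bearing 25mm", "128.73"),
            ("100", "M-002", "X7K2M9P4", "XXXXision Ball Bearing 30mm", "78.10"),
            ("100", "M-003", "Q1W8E3R5", "XXXXBolt M8", "2.07"))
# Faults: inconsistent hash for ACME-CORP, unredacted text, price 25% off.
BAD = rows(tuple(GOOD[0].values()),
           ("100", "M-002", "Z9Z9Z9Z9", "XXXXision Ball Bearing 30mm", "78.10"),
           ("100", "M-003", "Q1W8E3R5", "Hex Bolt M8", "2.50"))
```

Findings name only the row and column, so the report itself does not leak source values.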

Best Practices

Test Protection Settings

  1. Run on a small dataset first

  2. Validate SAP transactions work correctly

  3. Adjust protection as needed

  4. Document any custom configurations

Document Exemptions

If certain fields must remain unmasked for business reasons:

  • Document the exemption

  • Obtain appropriate approvals

  • Implement compensating controls

  • Review periodically

Monitor for Sensitive Data

Periodically review masked data for:

  • Accidentally exposed fields

  • New fields added to tables

  • Changes in data sensitivity
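
The exemption and monitoring practices above can be checked mechanically against the workflow configuration. The following is an added example, not part of the Synthesized Platform; it assumes the YAML has already been parsed into a dict and that each table's column list comes from the database catalog. `audit_config`, the sample config, and the column lists are constructed for illustration; the two field sets are copied from the tables on this page.

```python
FUNCTIONAL = {"MANDT", "MATNR", "MTART", "MATKL", "MEINS", "SPART", "WERKS",
              "DISMM", "BESKZ", "BWART", "TCODE", "USNAM"}
SENSITIVE = {"MFRNR", "MFRPN", "EAN11", "DISPO", "EKGRP", "PRCTR", "VKORG", "HERKL",
             "VTWEG", "MAKTX", "LABST", "STPRS", "VERPR", "DMBTR", "MENGE"}

def audit_config(config, table_columns):
    """Return sorted (table, column, issue) tuples for a parsed workflow config."""
    findings = []
    for table in config.get("tables", []):
        name = table["table_name_with_schema"]
        rule = {}  # column -> transformation type
        for t in table.get("transformations", []):
            for col in t["columns"]:
                kind = t["params"]["type"]
                if rule.setdefault(col, kind) != kind:
                    findings.append((name, col, "conflicting rules"))
        for col, kind in rule.items():
            if col in SENSITIVE and kind == "passthrough":
                # Should match a documented, approved exemption.
                findings.append((name, col, "sensitive field passes through"))
            if col in FUNCTIONAL and kind != "passthrough":
                findings.append((name, col, "functional field is masked"))
        # Columns with no rule (e.g. newly added fields) need a manual review;
        # how the platform treats unlisted columns is not stated on this page.
        for col in table_columns.get(name, []):
            if col not in rule:
                findings.append((name, col, "no rule for column"))
    return sorted(findings)

# Constructed sample: parsed config with two faults, plus catalog column lists.
CONFIG = {"tables": [
    {"table_name_with_schema": "SCHEMA.MARA", "transformations": [
        {"columns": ["MANDT", "MATNR"], "params": {"type": "passthrough"}},
        {"columns": ["MFRNR"], "params": {"type": "unique_hashing"}},
        {"columns": ["MFRPN"], "params": {"type": "passthrough"}}]},
    {"table_name_with_schema": "SCHEMA.MBEW", "transformations": [
        {"columns": ["MANDT"], "params": {"type": "passthrough"}},
        {"columns": ["MATNR"], "params": {"type": "unique_hashing"}},
        {"columns": ["STPRS"], "params": {"type": "noising", "noise_percentage": 5}}]},
]}
COLUMNS = {"SCHEMA.MARA": ["MANDT", "MATNR", "MFRNR", "MFRPN", "ZCUSTOM_FIELD"],
           "SCHEMA.MBEW": ["MANDT", "MATNR", "STPRS", "VERPR"]}
```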