When working with SAP support, it is sometimes required to provide SAP a Web Intelligence document with saved data so that an issue can be reproduced and debugged in the SAP lab system. In the event that the data contained in the report is confidential it is often impossible for this document with saved data to be provided to SAP. The Webi Doc Masker was designed to allow the customer to obfuscate and scramble sensitive report data before sending this to SAP Support. The document formulas and structure are kept intact such that the original issue can still be reproduced.
How it works
The Webi Doc Masker works by first creating an xlsx datasource from each Webi dataprovider. It is then exported to the CMS, and recreates a new webi report based on this xlsx datasource by copying formulas & block definitons from the original reports. Finally the new Webi document is published back to the CMS as specified by the end user. The aim is really to recreate a faulty behaviour (as it appears in the original report) to be reproduced on sap support side. While doing this, one can choose to obfuscate along the way the DataProvider data dimensions & measures, reports strings & metadata, making it impossible to figure out the data or reverse-engineer it. The obfuscation process is generating a secure, randomly generated transient dictionary that is only used once per session.
Can SAP decrypt or unmask the data in the document?
No, the data is randomized not encrypted .
- We use internally a SecureRandom generated key/value map. This map only exists in the jvm memory of the BIPST client for the time of the masking. Once masking is processed, the map is gone forever.
- The masked copy of the document is actually a new Webi Document, there is no risk of having old serialized micro-cubes that are part of it.
- In the masking process we:
- start by extracting (real) data from original doc, generating masked DataProviders data as Excel Spreadsheet
- upload this masked excel spreadsheet to the target platform directory
- recreate a new webi doc with masked content & formulas, and which data is only based on this Xlsx datasource DP with masked data.
- By default, the measure values are left untouched, if really these numbers do matter, masking them will simply zero them
- By default, the dates are left untouched, if really these dates do matter, masking them will set them all to 1/1/1970.
- Be aware that “Same size string” option will preserve layouting of original document, but there is a risk attacker can infer the real strings names from their size…
Running the Webi Doc Masker
- Click on Landscape Tools → Webi Doc Masker
- Click Start Masker and logon to the desired CMS system
- Browse and select the Webi document you would like to mask then add it to the list using the >> button
- Browse and select the destination directory and add it to the Destination using the >> button
- Select the desired masking options (refer to: OptionsfortheWebiDocMasker)
Click Run Masker to begin the masking process. Once complete, you will be provided with a status dialog.
Troubleshooting Tip: In case of failure
Click on View log for debugging info on the masking process. Provide this log to the BIPST developer team for assistance
- Use Promotion Management to export the masked Webi Doc with saved data to biar format and send the biar to SAP support
Options for the Webi Doc Masker
The following is a list of options you can choose before executing the Webi Doc Masker:
| Option | Description | Default Setting |
|---|---|---|
Mask Data | Mask DataProvider data strings | on |
Mask MetaData | Mask all dimensions, measure, attributes, formulas names | on |
Mask Report Constants | Mask all other non-metadata related strings in reports cells | on |
Mask Numerics | Mask all measures & numeric formula values | off |
Mask Dates | Mask all date types | off |
Same Size strings | Try preserve as much as possible the report layout, obfuscates strings with same number of chars | off |
Sampling row limit | Useful when dealing with large reports & DP (eg > 100K rows) to avoid APS crashes during masking. The recreated xlsx datasource will be up to the # of specified rows that are sampled across the original DP | -1 (no limit) |
Enable PAD empty DP option | For all empty DPs, create a single blank row to overcome a webi sdk bug only fixed since 4.1SP6+ | on |
Limitations
The following are a list of known limitations with the Webi Doc Masker:
- Requires BOE 4.3 SP01 or above (2.1.11 and above)
Contexts & Prompts are not available with xlsx datasources, hence they will not be recreated on the obfuscated do. As a consequence, formulas referring to UserResponse(...) will not work
Multi-flow dataproviders are not supported (although it'll not halt in the masking process, only first flow will be processed)
Dates types are handled as strings
Numerics are zeroed when masking is requested for them.... only very primitive masking for now :-(
Input Controls are ignored
Track Data Changes setting is ignored
Formula with condition on Left(...) or Right(...) will not lead to any meaningfull output on masked data
Formula with ToNumber(...) will fail to work (as the obfuscated strings will not have any digits anymore)
Formula with ToNumber(...) will fail to work (as the obfuscated strings will not have any digits anymore)
Example formula that has clearly no chance to work on the obfuscated doc:
[CSAMAIN]Where(Left([Conso];4)=FormatNumber(ToNumber(Left([0-Current RFT];4))-3;"###0"))Where(Right([Period];3)=".12")
Troubleshooting Tips
- Very Long, never returning masker processing, try reducing the sampling row limit (for example, down to 1000)
- If resulting reports turns out empty or completely different, try to debug what has gone wrong by removing all masking, then progressivelly add only data masking, then add metadata masking, etc.