Home | Safeguard Data in Your Cloud| DAE as a Service


as a Service

Protect data and ensure need-to-know access anywhere & everywhere

Ensure privacy & protection of data with real-time filtering & masking controls

NextLabs Data Access Enforcer (DAE) for SAP allows companies to dynamically enforce policies independent of UI, API, Microservice, Batch job, Report, Transaction, and Fiori app, regardless of how the data are being accessed.

DAE Brochure

Explore the brochure on how to safeguard data across an evolving application landscape

Solvay Customer Story

Learn how Solvay improved access management and protection of Export-Controlled and EH&S Data

Data Access Enforcer for SAP ERP Enterprise Edition

Discover how dynamic authorization secures SAP data in real-time through native data-level entitlement and security controls

Helping Enterprises Achieve


Enforce Data Privacy

Dynamically enforce data masking and filtering controls


Automate Compliance

Comply with industry regulations including GDPR, ITAR/EAR, & SOX


Improve Agility

Secure any SAP ERP data with a single policy


Reduce Security Costs

Reduce compliance mgmt. costs, with the elimination of custom code

Why Data Access Enforcer?

Data Access Enforcer (DAE) controls access to your sensitive information at the data access point, so no unauthorized access can occur, regardless of the approach.

  • Field-Level Data Masking: Data masking is the process of hiding original data with modified content to protect data that is sensitive. Data Access Enforcer (DAE) for SAP ensures that users can only view the fields on the record to which they have been granted access. For those not granted access, the value of the field will be masked.
  • Record-Level Data Filtering: DAE for SAP shields data from unauthorized users until access is granted. Authorization can be determined based on the industry, location, department, position, project assignment, or any other attribute of the user.
  • Transaction-Independent Data Manipulation Control: DAE uses attribute-based policies to control Create, Read, Update and Delete (CRUD) operations regardless of how or where the data is being accessed. Users can be given permission to view a set of data and other entities while being authorized to edit, create, or delete only a subset of these records.
  • Rapid Time to Value: DAE can be deployed and configured for your specific use cases in under 4 weeks, much quicker than alternatives. This is because policies are managed centrally, and no custom code is required.


DAE provides unmatched flexibility and security in defining and enforcing data access controls

Attribute-Based Security

Access to data based on policies that examine attributes of the data being accessed, the context of the request, and user identity. DAE for SAP dynamically applies the relevant policies, factoring in changes in the attributes of data or the user to always enforce fine-grained security controls to mask, protect, and segregate data. Rules are validated in real-time when a user attempts to access data, before granting permission to access.

Dynamic Field-level Data Masking

The need for data masking is more crucial than ever due to the various requirements mandating the protection of sensitive data, such as personally identifiable information (PII), customer data, financial data—the list goes on. Through a policy-driven approach, DAE for SAP ensure that users can only view the fields on records they have been granted access to and masks the information that they have not been authorized to view. Centrally managed policies define masking patterns and rules to determine who, what, when, where, and why to mask field(s) in real-time.

SAP Business Object, User Attributes, and Identity Management Integration

SAP Business Object attributes and metadata can be combined with user attributes from existing sources, including SAP Central User Administration, Identity Management, Human Capital Management, and other third- party identity management providers, directory servers, or federated identities. These attributes are dynamically accessed at runtime to allow access to the data.

Granular Record-level Data Filtering

DAE for SAP’s comprehensive dynamic data filtering capability guarantees that users can only view records that they have been authorized to access. Authorization can be determined based on user attributes such as industry, location, department, position, project assignment, etc. and attributes of data accessed like the sensitivity level or the type of transaction. Policy can be written to make authorization decision by comparing user attributes against the attributes of data. For example, you can filter data in charts and reports to only allow authorized users to see the inventory and pricing data in US for the Consumer Electronics business unit.

Dynamic Runtime Policy Enforcement

Using contextual information (e.g., location, device, department), DAE for SAP can determine if a user is authorized to access data at runtime and virtually compartmentalizes the data with field-level security controls for added granularity. This approach of enforcing policy based on attributes also simplify role administration as attributes and conditions change.

Centralized Policy Management

Authorization policies can be centrally managed and reviewed across all an organization’s SAP applications, substantially reducing administration costs.

OOTB Support of Custom Applications and API Calls

In addition to native support of several SAP applications, DAE for SAP supports batch programs, reports, and custom applications (aka “Z Programs”) without code modifications.

Transaction-Independent Data Manipulation Control

DAE for SAP uses policy to grant users permission to view certain records while being authorized to edit, create, and delete, only a subset of these records. Policy is enforced regardless of the business transaction used to access the data. For instance, a finance manager may be given permission to view detailed cost information on all oil pipeline projects in North America but only allowed to create and edit information for similar projects in Texas.

Centralized Audit and Monitoring

DAE for SAP tracks and stores user activities and data access across all SAP applications in a central audit server, simplifying compliance management. Analytics for user behavior and access patterns are provided via dashboards, reports, and automated monitoring facilities.