Restricting HR data access in training system

Former Member
0 Kudos

We have a training system refreshed with the data from the Production system. The SAP support team has almost complete access to all data/tables in the training system, as they need it for testing different functionalities in it. Now we would like to at least restrict access to sensitive HR data like payroll, salary or user personal details from our SAP team.

So what can be the solution for this? I tried to restrict it using SE16 by authorization group, but as there are n number of tables which can have sensitive HR data, I don't think it's possible by maintaining authorization fields.

Can we restrict it by modifying the authorization values for SE16, or do we have to plan for TDMS as a final solution?

Thanks.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Unless you have proper authorizations (customer-implemented roles) that you can put in place for restricting access to sensitive data, I recommend you implement data masking/scrambling by either custom means (e.g. an ABAP program) or by purchasing TDMS to do it.

5 REPLIES

0 Kudos

Dear Samuli,

Thanks for the reply. Can you please provide more information on how data masking can be achieved by custom means (ABAP programs)? Can this be developed in-house?

Secondly, is there any way HR data access can be restricted using authorizations (meaning restricting HR table access in SE16)?

0 Kudos

Well, data masking can certainly be developed in-house; I have done it a couple of times. In the case of HR you just need to know all relevant HR infotypes (and possibly clusters) and change all entries with random (but meaningful) data. Some infotypes can be more complicated than others (for example the salary infotype 0008), but nothing an experienced ABAP programmer can't handle. It will certainly take some time to do the in-house implementation (+ verify it), so you should of course weigh the pros and cons of the in-house solution vs. TDMS.

I am not the right person to ask about HR authorizations but I do know that they can be quite complicated. You can limit them by infotype, subtype, company code, personnel area, etc. Then there are structural and context authorizations to complicate things further. My point being that it is more complicated than limiting table access.
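The masking approach described in the reply above (replace infotype values with random but meaningful data), as an added example that is not part of the thread or any poster's code. It assumes the records are available as dictionaries keyed by the PA0002/PA0008 field names VORNA, NACHN, GBDAT and BET01; the name pools, key handling and sample rows are constructed for illustration.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed replacement pools; a real run would use much larger lists.
FIRST = ["Anna", "Ben", "Carla", "David", "Elena", "Felix"]
LAST = ["Keller", "Lind", "Moreau", "Novak", "Olsen", "Price"]

def draw(key: bytes, pernr: str, purpose: str) -> int:
    """Keyed, repeatable pseudo-random integer per employee and purpose."""
    mac = hmac.new(key, f"{pernr}|{purpose}".encode(), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")

def mask_0002(row: dict, key: bytes) -> dict:
    """Personal data: new names, birth date moved 1-180 days either way."""
    pernr, out = row["PERNR"], dict(row)
    out["VORNA"] = FIRST[draw(key, pernr, "VORNA") % len(FIRST)]
    out["NACHN"] = LAST[draw(key, pernr, "NACHN") % len(LAST)]
    n = draw(key, pernr, "GBDAT") % 360            # 0..359
    shift = n - 180 if n < 180 else n - 179        # -180..-1 or 1..180
    g = row["GBDAT"]                               # YYYYMMDD
    born = date(int(g[:4]), int(g[4:6]), int(g[6:8]))
    out["GBDAT"] = (born + timedelta(days=shift)).strftime("%Y%m%d")
    return out

def mask_0008(row: dict, key: bytes) -> dict:
    """Basic pay: one factor per employee, 0.70-0.95 or 1.05-1.30, never 1.0."""
    n = draw(key, row["PERNR"], "BET") % 52        # 0..51
    factor = (70 + n if n < 26 else 79 + n) / 100  # 0.70..0.95, 1.05..1.30
    out = dict(row)
    for field, value in row.items():
        if field.startswith("BET"):
            out[field] = round(value * factor, 2)
    return out

MASKERS = {"0002": mask_0002, "0008": mask_0008}

def mask_extract(records, key: bytes):
    """records: (infotype, row) pairs; an unlisted infotype raises KeyError."""
    return [(it, MASKERS[it](row, key)) for it, row in records]

# Constructed sample rows (not real data): one 0002 record, two 0008 time slices.
SAMPLE = [
    ("0002", {"PERNR": "00001001", "VORNA": "Maria", "NACHN": "Schmidt", "GBDAT": "19850314"}),
    ("0008", {"PERNR": "00001001", "BEGDA": "20220101", "BET01": 4000.00}),
    ("0008", {"PERNR": "00001001", "BEGDA": "20230101", "BET01": 4400.00}),
]
```

Deriving every replacement from the personnel number keeps time slices and infotypes consistent with each other, and an infotype without a masker stops the run rather than being copied through unmasked. Discard the key after the refresh, since anyone holding it can recompute the salary factor.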

0 Kudos

Can you try, in auth object S_TABU_DIS, removing the values for the field "Authorization Group" starting with "P"? Don't leave any * in the object field values of S_TABU_DIS.

0 Kudos

Dear Shahnas, I have already restricted the access for all auth groups starting with P*. But my question is whether this restriction is enough to restrict people from viewing any sensitive HR data.

Will SAP recommend the same, or will they suggest TDMS as the correct solution?

Samuli, thanks again for your reply. I am trying to see which is the correct solution for us: whether to restrict using auth groups or TDMS, or I will check for in-house development also.