Introduction
In this blog post, we will learn how to configure
Data Block/Suppression in
Hierarchical Sequential List Report to block access of certain sensitive document records.
Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).
Before Data Block/Suppression Configuration:
Document records highlighted in the below image need to be suppressed in
S_ALR_87012347 Report.
![](/legacyfs/online/storage/blog_attachments/2022/09/1-67.png)
After Data Block/Suppression Configuration:
After suppression configuration, highlighted Document records in above image has been suppressed and unauthorized users cannot access those records anymore.
![](/legacyfs/online/storage/blog_attachments/2022/09/2-50.png)
Prerequisite
UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.
Product “
UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the
S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in
SAP GUI,
SAPUI5/SAP Fiori,
CRM Web Client UI, and
Web Dynpro ABAP.
Let’s begin
Configuration to achieve Data Block/Suppression
Logical Attribute is a functional modelling of how any attribute such as
Social Security Number,
Bank Account Number,
Amounts,
Pricing information,
Quantity etc. should behave with masking.
Configure Logical Attribute – Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes
Hierarchical Sequential List
![](/legacyfs/online/storage/blog_attachments/2022/09/3-45.png)
Configure Value Range
Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition – Follow below mentioned steps:
Sensitive Document List
- Click on “New Entries” button
- Enter "List of Values” as “VR_SENSITIVE_DOCS”
- Enter “Description” as “List of Sensitive Documents”
- Click on “Save” button
![](/legacyfs/online/storage/blog_attachments/2022/09/8-32.png)
Enter following entries in “VR_SENSITIVE_DOCS” Value Range
Follow below mentioned steps:
- Execute Transaction Code “/UISM/V_RANGE”
- Click on “VR_SENSITIVE_DOCS” Value Range
- Click on “Display<- -> Change” button
- Click on “Add New Entry” button
- Add following entries under “Include Value” tab and click on “Save” button
![](/legacyfs/online/storage/blog_attachments/2022/09/9-29.png)
![](/legacyfs/online/storage/blog_attachments/2022/09/10-28.png)
![](/legacyfs/online/storage/blog_attachments/2022/09/11-25.png)
![](/legacyfs/online/storage/blog_attachments/2022/09/12-23.png)
![](/legacyfs/online/storage/blog_attachments/2022/09/13-19.png)
Maintain Technical Address
In this step, we will associate the
Technical Address of the fields to be masked with the
Logical Attributes.
You can get the Technical Address of a GUI field by pressing “
F1” on the field.
![](/legacyfs/online/storage/blog_attachments/2022/09/7-26.png)
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “
SAP GUI (Table Field) Field Mapping”, maintain technical address for following fields.
![](/legacyfs/online/storage/blog_attachments/2022/09/4-38.png)
Policy Configuration
A
Policy is a combination of
rules and
actions which are defined in one or more
blocks. The
actions are executed on a
sensitive entity (field to be protected) which has to be assigned to a
Policy. The conditions are based on
contextual attributes which help derive the context.
Context Attributes are
logical attributes which are used in designing the
rules of a
policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a
sensitive entity.
Sensitive Entities are
logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_BLOCK_HIRSEQLIST”
- Select “Type” as “Data Blocking”
- Enter “Description” as “Data Blocking in Hierarchical Sequential List”
- Click on “Save” button
![](/legacyfs/online/storage/blog_attachments/2022/09/155.png)
Write following logic into Policy
![](/legacyfs/online/storage/blog_attachments/2022/09/5-31.png)
Maintain Data Blocking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Data Blocking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_HIRSEQLIST” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Attribute Based Authorization” option
- Enter “Policy Name” as “POL_BLOCK_HIRSEQLIST”
- Click on “Save” button
![](/legacyfs/online/storage/blog_attachments/2022/09/6-34.png)
Conclusion
In this blog post, we have learnt how
Data Block/Suppression is achieved in
Hierarchical Sequential List Report to block access of certain sensitive document records.