Community
Technology Blog Posts by Members
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Implementing attribute based masking using UI Data Protection Masking for S/4 Hana On-Premise

pushpal_bhattacharya_1979
Newcomer
‎2024 Oct 24 10:50 AM
0 Likes
3,365

Implementing attribute based masking using UI Data Protection Masking for S/4 hana in 1809 On-Premise [Case Study of masking sensitive fields in Material BOM (T/code CS01/CS02/CS03 and COR1/COR2/COR3) based on Product Hierarchy of Main Material]

Business Requirement

Business Requirement1: Masking of BOM components for some selected values of Product Hierarchy

The business requirement is to mask some sensitive fields in Material BOM, only for some given values of Product Hierarchy for main Materials. As an example:

Consider Material B20000002 having Product Hierarchy as E7:

pushpal_bhattacharya_1979_4-1729587731160.png

When the Material BOM for this Material is displayed (using T/code CS03😞

pushpal_bhattacharya_1979_0-1729587879631.png

Press ENTER. The following screen will be displayed:

pushpal_bhattacharya_1979_1-1729587897368.png

Note that in the above screenshot, the columns Component, Component Description and Quantity are masked for un-authorized users.

The same result should be obtained when the Material BOM screen is reached from Display Process Order (T/code COR3) for the same main Material. Consider the example below:

pushpal_bhattacharya_1979_2-1729587920462.png

Press ENTER. Note that this Process Order uses the same main Material B20000002 having Product Hierarchy E7.

pushpal_bhattacharya_1979_3-1729587936359.png

Browse to the Master Data tab, and double-click on the Bill of Material 00000484 (as highlighted in the screen below):

pushpal_bhattacharya_1979_4-1729587955838.png

The same screen (as before) will be displayed with the masked values for the fields:

pushpal_bhattacharya_1979_5-1729587973043.png

 

Business Requirement 2: No Masking of BOM components for other values of Product Hierarchy

On the other hand, if the Product Hierarchy is something different from E7, then these fields should not be masked. Consider the example below:

Consider Material BULK_01 having Product Hierarchy as E6 (i.e. different from E7):

pushpal_bhattacharya_1979_6-1729587997753.png

When the Material BOM for this Material is displayed (using T/code CS03😞

pushpal_bhattacharya_1979_7-1729588013689.png

Press ENTER. The following screen will be displayed:

pushpal_bhattacharya_1979_8-1729588029677.png

Note that in the above screenshot, the columns Component, Component Description and Quantity are NOT masked (not even for un-authorized users).

The same result should be obtained when the Material BOM screen is reached from Display Process Order (T/code COR3) for the same main Material. Consider the example below:

pushpal_bhattacharya_1979_9-1729588050448.png

Press ENTER. Note that this Process Order uses the same main Material BULK_01 having Product Hierarchy E6.

pushpal_bhattacharya_1979_10-1729588066979.png

Browse to the Master Data tab, and double-click on the Bill of Material 00000412 (as highlighted in the screen below):

pushpal_bhattacharya_1979_11-1729588087020.png

The same screen (as before) will be displayed with the non-masked values for the highlighted fields:

pushpal_bhattacharya_1979_12-1729588107459.png

 

Security Requirements/Authorization Details

For the masking of Material BOM sensitive fields (based on Product Hierarchy), a custom PFCG role (in this example, ZTEST_UISM_PFCG_ROLE_BOM) needs to be configured by Security team. All users assigned to this role will be able to view/edit the sensitive fields. All remaining users (who are not assigned to this role) will not be able to view the contents of these sensitive fields.

pushpal_bhattacharya_1979_13-1729588129920.png

For our testing purposes, we have assigned the above role to only 2 Users. This means, only these 2 users should be able to view the contents of the sensitive fields in Material BOM (for Product Hierarchy E7), while all remaining users will see a masked value of the sensitive fields.

 

Technical Solution

To implement the above Business Requirement, we will be leveraging the Attribute based Masking capability of the addon UI Data Protection Masking for S/4HANA. It is important to note here that:

  • Our masking requirement here is based on a Derived Attribute (i.e. Product Hierarchy) which is derived from the Material Master for the given Material.
  • Product Hierarchy does not feature directly in the T/codes (CS01/02/03 or COR1/2/3) where the masking requirement is there. Instead, the Material number resides in these T/codes.

Perform the following steps in SPRO:

Step 1: Maintain Global Flag for Solution

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA --> Enable UI Data Protection Masking à Maintain Global Flag for Solution

pushpal_bhattacharya_1979_14-1729588178198.png

Step 2: Maintain Flag: Data Protection Options

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA --> Enable UI Data Protection Masking à Maintain Flag: Data Protection Options

pushpal_bhattacharya_1979_15-1729588197716.png

Step 3: Maintain Global Flag: Reveal on Demand

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA --> Enable UI Data Protection Masking à Maintain Global Flag: Reveal on Demand

pushpal_bhattacharya_1979_16-1729588270946.png

Step 4: Maintain Logical Attributes

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA --> Maintain Metadata Configuration --> Maintain Logical Attributes

pushpal_bhattacharya_1979_17-1729588308423.png

Step 5: Maintain Value Range Definition for Product Hierarchies

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA à Maintain Metadata Configuration --> Maintain Attributes and Ranges for Policy

pushpal_bhattacharya_1979_18-1729588344420.png

Step 6: Maintain Value Range List for Product Hierarchies

Execute the standard SAP T/code /UISM/V_RANGE. Select the name of the Value Range (created in Step 5) and press the Display button.

pushpal_bhattacharya_1979_19-1729588364318.png

Maintain the list of values of Product Hierarchies, for which the sensitive fields in Material BOM should be masked (as shown in the screen below). This is like maintaining a SELECT-OPTION:

pushpal_bhattacharya_1979_20-1729588380488.png

Step 7: Maintain Derived Attribute for Product Hierarchy

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA à Maintain Metadata Configuration --> Maintain Attributes and Ranges for Policy

pushpal_bhattacharya_1979_21-1729588422220.png

Step 8: Create call-back ABAP Class for Derived Attribute for Product Hierarchy

In Step 7, notice that we assigned a call-back ABAP Class ZCLTEST_PRODH_CS03 for the Derived Attribute DA_PRODUCTHIERARCHY. This Class must include the standard SAP Interface /UISM/IF_DERIVED_ATTR_VALUE. Inside this Class, we will write the code to derive the value for Main Material (which will reside in different higher level memory stacks based on the T/code). Thereafter, determine the value of the Product Hierarchy for this main Material, from the Material Master. The following is a sample code for the above Class:

CLASS zcltest_prodh_cs03 DEFINITION
  PUBLIC
  FINAL
  CREATE PUBLIC .

  PUBLIC SECTION.

    INTERFACES /uism/if_derived_attr_value .
  PROTECTED SECTION.
  PRIVATE SECTION.
ENDCLASS.

 

CLASS zcltest_prodh_cs03 IMPLEMENTATION.

* <SIGNATURE>---------------------------------------------------------------------------------------+
* | Instance Public Method ZCLTEST_PRODH_CS03->/UISM/IF_DERIVED_ATTR_VALUE~EXECUTE
* +-------------------------------------------------------------------------------------------------+
* | [--->] IT_NAME_VALUE_PAIR TYPE /UISM/T_NAME_VALUE_PAIR
* | [<---] EV_OUTPUT TYPE STRING
* +--------------------------------------------------------------------------------------</SIGNATURE>
  METHOD /uism/if_derived_attr_value~execute.

    DATA: lv_matnr TYPE matnr,
              lv_prodh TYPE prodh_d.

* Get Material Number
IF line_exists( it_name_value_pair[ sem_attribute = 'LA_MATERIAL' ] ).
lv_matnr = it_name_value_pair[ sem_attribute = 'LA_MATERIAL' ]-value_int.
ELSEIF line_exists( it_name_value_pair[ field1 = 'COOISPI'
field2 = 'PPIO_ENTRY'
field3 = 'IOOPCOMP'
field_name = 'BAUGR' ] ).
lv_matnr = it_name_value_pair[ field1 = 'COOISPI'
field2 = 'PPIO_ENTRY'
field3 = 'IOOPCOMP'
field_name = 'BAUGR' ]-value_int.
ELSE.
* For BOM - CS02
ASSIGN ('(SAPLCSDI)RC29K-MATNR') TO FIELD-SYMBOL(<lv_matnr>).
IF <lv_matnr> IS ASSIGNED AND <lv_matnr> IS NOT INITIAL.
lv_matnr = <lv_matnr>.
ELSE.
* For BOM in Materials tab in Recipe Group - C203
ASSIGN ('(SAPLCMDI)RCM01-MATNR') TO <lv_matnr>.
IF <lv_matnr> IS ASSIGNED AND <lv_matnr> IS NOT INITIAL.
lv_matnr = <lv_matnr>.
ELSE.
* For Operations in Recipee Group
* Select any 1 Material assigned to the Recipee Group
ASSIGN ('(SAPLCPDI)PLKOD-PLNNR') TO FIELD-SYMBOL(<lv_plnnr>).
IF <lv_plnnr> IS NOT ASSIGNED.
ASSIGN ('(SAPLCPDO)PLKOD-PLNNR') TO <lv_plnnr>.
IF <lv_plnnr> IS NOT ASSIGNED.
* For COOISPI - Operations
ASSIGN it_name_value_pair[ field1 = 'COOISPI'
field2 = 'PPIO_ENTRY'
field3 = 'IOOPER'
field_name = 'PLNNR' ]-value_int TO <lv_plnnr>.
ENDIF.
ENDIF.
ASSIGN ('(SAPLCPDI)PLKOD-PLNAL') TO FIELD-SYMBOL(<lv_plnal>).
IF <lv_plnal> IS NOT ASSIGNED.
ASSIGN ('(SAPLCPDO)PLKOD-PLNAL') TO <lv_plnal>.
IF <lv_plnal> IS NOT ASSIGNED.
* For COOISPI - Operations
ASSIGN it_name_value_pair[ field1 = 'COOISPI'
field2 = 'PPIO_ENTRY'
field3 = 'IOOPER'
field_name = 'PLNAL' ]-value_int TO <lv_plnal>.
ENDIF.
ENDIF.
IF <lv_plnnr> IS ASSIGNED AND
<lv_plnal> IS ASSIGNED.
SELECT matnr UP TO 1 ROWS
INTO lv_matnr
FROM mapl
WHERE plnnr = <lv_plnnr>
AND plnal = <lv_plnal>.
ENDSELECT.
ENDIF.
ENDIF.
ENDIF.
ENDIF.

IF NOT lv_matnr IS INITIAL.
* Convert Material to internal format
CALL FUNCTION 'CONVERSION_EXIT_MATN1_INPUT'
EXPORTING
input = lv_matnr
IMPORTING
output = lv_matnr
EXCEPTIONS
length_error = 1
OTHERS = 2.
IF sy-subrc = 0.
* Get Product Hierarchy of Material
SELECT SINGLE prdha INTO @LV_prodh FROM mara
WHERE matnr = @LV_matnr.
IF sy-subrc = 0.
ev_output = lv_prodh.
ENDIF.
ENDIF.

ENDIF.

ENDMETHOD.
ENDCLASS.

 

Step 9: Maintain Policy Details for Attribute based Authorizations

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA à Data Protection Configuration --> Maintain Policy Details for Attribute based Authorizations

pushpal_bhattacharya_1979_23-1729588884656.png

After creating the above entry for Policy, select the Policy Name and press ABAP Policy Cockpit button to formulate the Policy (as highlighted in the screen below):

pushpal_bhattacharya_1979_24-1729588899820.png

The following screen will be displayed, where we can define the Preconditions and the Rule for Masking:

pushpal_bhattacharya_1979_25-1729588976663.pngpushpal_bhattacharya_1979_26-1729588994802.pngpushpal_bhattacharya_1979_27-1729589009124.png

Step 10: Maintain Field Level Security and Masking Configuration

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA à Data Protection Configuration --> Maintain Field Level Security and Masking Configuration

pushpal_bhattacharya_1979_28-1729589047722.pngpushpal_bhattacharya_1979_29-1729589059013.pngpushpal_bhattacharya_1979_30-1729589097451.pngpushpal_bhattacharya_1979_31-1729589108382.png

Step 11: Maintain Technical Address

SAP IMG --> SAP NetWeaver --> UI Data Protection Masking for SAP S/4HANA --> Maintain Metadata Configuration --> Maintain Technical Address

pushpal_bhattacharya_1979_32-1729589146542.png

Mass Configuration also carried out to Generate Customizing for the following Screens:

pushpal_bhattacharya_1979_33-1729589177912.png

Also, all Programs generated by pressing the following button:

pushpal_bhattacharya_1979_34-1729589206873.png

[Note: This step (of generating the programs) must be performed manually in each and every system and client after the Transport requests are moved]