Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
Showing results for 
Search instead for 
Did you mean: 
Product and Topic Expert
Product and Topic Expert


In this blog, we will learn how to configure Data Block/Suppression in Analytical Queries in SAP Analytics Cloud to block access of certain sensitive Company Code records displayed in it. Analytical Queries are used for reporting and analysis.

Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible value of S/4HANAS/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as data source and Fiori Analytical application as the frontend. As the frontend, other than S/4HANA Embedded Analytics, SAP Analytics Cloud is available which is used together with S/4HANA embedded analytics.

SAP Analytics Cloud

SAP Analytics Cloud is an end-to-end cloud solution that brings together business intelligence and enterprise planning, augmented with the power of artificial intelligence, machine learning technology, and predictive analytics in a single system.

The main benefits of SAP Analytics Cloud include ease of viewing content, connectivity to trusted data, access to various visualization tools, augmented analytic capabilities, and financial planning features. In a single cloud system one can analyze, ask, predict, plan, and report.

Stories are main part of SAP Analytics to explore data and to find deep insight using charts and tables. An SAP Analytics Cloud Story is a presentation-style document that uses charts, visualizations, text, images, and pictograms to describe data.

Here, we will use Story to showcase Data Blocking/Suppression of sensitive records of analytical queries in SAP Analytics Cloud. We will configure masking through Manage Sensitive Attributes app provided by UI Data Protection Masking for SAP S/4HANA 2011 solution based on Attribute Based Authorization Control (ABAC) concept.

Before Data Block/Suppression Configuration:

Company records highlighted in the below image need to be suppressed in Aging Analysis for Small Business Story in SAP Analytics Cloud.

After Data Block/Suppression Configuration:

After suppression configuration, highlighted Company records in above image has been suppressed and unauthorized users cannot access those records anymore.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update, and delete sensitive attributes

  • Define masking and blocking configurations

  • Manage technical attribute mappings

  • Create and assign context attributes

  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet, or smartphone.


UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUISAPUI5/SAP FioriCRM Web Client UI, and Web Dynpro ABAP.


Here, we want to configure Data Blocking/Suppression for Sensitive Company records in Aging Analysis for Small Business story in SAP Analytics Cloud using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Data Block/Suppression in SAP Analytics Cloud

Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.

Maintain Sensitive Attributes

Sensitive Attribute is a type of logical attribute that define a field which needs to be configured for UI data protection.

  • Click on Add icon

  • Enter “LA_EA_COMP_CODE” in Sensitive Attribute field

  • Enter “EA Company Code” in Description field

  • Click on “Create” button

  • Sensitive Attribute with specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To suppress the records in Analytical Queries in SAP Analytics Cloud, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address for Analytical Query fields, you need to use Recording Tool feature to get the Technical Address as Technical Information on press of F1 key is not available here.

Refer to this blog to know how to use the Recording tool.

Under Technical Mapping > Analytics, choose the Add icon.

Use the value help to select the InfoProviderQuery, and InfoObject information. You can also enter the referenced query name as a comment to describe the mapping.

Maintain Additional Attributes – Configure Value Range

In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.

Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.

To create a new value range for,Sensitive Business Partners

  • Navigate to “Additional Attributes” tab

  • Click on “Value Ranges” option

  • Click on “Add” icon

  • Select “Create New

  • Select Range Type as “List of Values

  • Enter the name of the value range beginning with VR_ for a list of values as “VR_PROTECTED_COMPANY_CODE

  • Description as “Protected Company Codes”

  • Click on “Create” button.

  • Value Range with specified details will be created.

  • Click on VR_PROTECTED_COMPANY_CODE link to add values in this Value Range. You will be navigated to Manage Derived Attributes/Value Ranges app

  • Click on Include Value option under Maintain List of Values tab

  • Click on “Add” icon under Include Value section

  • Enter “Value” as “FAF1”

  • Enter “Comment” as “BUKRS for FAF (V3)”

  • Click on “Create” button

Enter following entries in “VR_PROTECTED_COMPANY_CODE” Value Range

Data Blocking Configuration

In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.

Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view.

To configure blocking for LA_EA_COMP_CODE sensitive attribute, under Configuration > Data Blocking Configuration, choose Edit.

  • Enable Data Blocking.

  • Click on “Add” icon next to “Policy” edit box

  • Enter Policy Name as “POL_BLOCK_ENAQRY“.

  • Enter Description as “Block Sensitive Records in Embedded Analytics Query“.

  • Click on “Create” button.

  • Policy will get created.

  • Click on “Save” button.

  • Click on “Block Sensitive Records in Embedded Analytics Query (POL_BLOCK_ENAQRY)” link. You will be navigated to “Manage ABAC Policies” app

  • Choose “Edit” under “Rule” section of Policy

  • ABAC Policy Cockpit will be opened

Write following logic into Policy

Data Blocking/Suppression in SAP Analytics Cloud Story

  • Login to SAP Analytics Cloud and Click on Stories menu option

  • Click on “Aging Analysis for Small Business app” Story

  • Proper message “Certain records are blocked via UI Data Protection” will be displayed

  • Sensitive Company records will not appear in the query result


In this blog post, we have learnt how Data Block/Suppression is achieved in Analytical Queries in SAP Analytics Cloud through Manage Sensitive Attributes app provided by UI Data Protection Masking for SAP S/4HANA 2011 solution to block access of certain sensitive Company records.