Introduction
In this blog post, we will learn how to configure
Data Block in
Payment Transactions tab of
BP transaction to block access to
Bank Details information of certain business partners.
Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the
context attributes of the user and data (for example, price of certain sensitive materials are masked).
The end result for authorized users will appear as:
The end result for unauthorized users will appear as:
Prerequisite
UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.
Product “
UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the
S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in
SAP GUI,
SAPUI5/SAP Fiori,
CRM Web Client UI, and
Web Dynpro ABAP.
Let’s begin
Configuration to achieve data block
Logical Attribute is a functional modelling of how any attribute such as
Social Security Number,
Bank Account Number,
Amounts,
Pricing information,
Quantity etc. should behave with masking.
Configure Logical Attribute – Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Bank Details
Configure Derived Attribute
Derived Attributes are user defined attributes which are populated at run time. The derivation of these attributes can be maintained in a class method. The name of the Class can be specified while maintaining a derived attribute in the IMG.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy – Follow below mentioned steps:
Business Partner
- Click on “New Entries” button
- Enter “Derived Field” as “DA_BUSINESS_PARTNER”
- Enter “Class Name” as “ZCL_BUSINESS_PARTNER”
- Select “Application Module” as “* Cross-Application”
- Enter “Description” as “Business Partner”
- Click on “Save” button
Implementation of Derived Attribute for Business Partner
For the given case, we are blocking
Bank Details information of
Business Partners in
BP transaction. The context for our rule i.e.
BP Number (
BUT000-PARTNER) is not available as context in
Payment Transaction tab (as in case of Module Pool programs, Context of only sub-screen fields are available), Hence, there is a need to create a
Derived Attribute for
Business Partner.
Steps to implement
Class for
Derived Attribute:
- Execute transaction SE24
- Create Derived Attribute Class mentioned in the configuration (i.e. ZCL_BUSINESS_PARTNER)
- Implement the Interface: /UISM/IF_DERIVED_ATTR_VALUE in the Class
- Sample implementation of Method: /UISM/IF_DERIVED_ATTR_VALUE~EXECUTE
Configure Value Range
Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy – Follow below mentioned steps:
Range of Blocked BP
- Click on “New Entries” button
- Enter “Value Range” as “VR_BLOCKED_BP”
- Select “Application Module” as “F Financial accounting”
- Enter “Description” as “Range of Blocked BP”
- Click on “Save” button
Enter entries in “VR_BLOCKED_BP” Value Range
- Execute Transaction Code “/UISM/V_RANGE”
- Click on “VR_BLOCKED_BP” Value Range
- Click on “Display<- -> Change” button
- Click on “Add New Entry” button
- Add following entries under “Include Value” tab and click on “Save” button
Value Description
0000000011 Global Business Properties
0000000012 Food for You
0000000382 Petra Planstelle
Maintain Technical Address
In this step, we will associate the
Technical Address of the fields to be masked with the
Logical Attributes.
You can get the Technical Address of a GUI field by pressing “
F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “
GUI Table Field Mapping”, maintain technical address for following fields.
Business Partner
- Enter “Table Name” as “BUSBANKCHECK”
- Enter “Field Name” as “BANKN”
- Enter “Logical Attribute” as “LA_BP_SUPPRESSION”
- Enter “Description” as “Bank Account”
- Click on “Save” button
- Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs
Policy Configuration
A
Policy is a combination of
rules and
actions which are defined in one or more
blocks. The
actions are executed on a
sensitive entity (field to be protected) which has to be assigned to a
Policy. The conditions are based on
contextual attributes which help derive the context.
Context Attributes are
logical attributes which are used in designing the
rules of a
policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a
sensitive entity.
Sensitive Entities are
logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “BP_SUPPRESSION”
- Select “Type” as “Data Blocking”
- Select “Application Module” as “Cross-Application”
- Enter “Description” as “BP Suppression”
- Click on “Save” button
Write following logic into Policy
Maintain Data Blocking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Data Blocking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_BP_SUPPRESSION” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Attribute Based Authorization” option
- Enter “Policy Name” as “BP_SUPPRESSION”
- Enter “Message Class” as “/UISM/UI“
- Enter “Message Number” as “902“
- Click on “Save” button
API Implementation
“
UI Data Protection Masking for SAP S/4HANA” solution provides an API which can be employed to completely block access to a Business transaction within SAP. The API can also be used to suppress some records from a list.
The below approach needs to be followed to implement
Data Block API:
- Developer need to analyze the business transaction to find a relevant enhancement option ( E.g. BAdI, Customer Exit, User Exit or Implicit enhancement Point, etc.) where UI Data Protection Data Block API can be called.
- Call the Data Blocking API in interception point by passing the data reference of the key information which needs to be blocked/suppressed.
- Optionally, pass the underlying Table name-Field name of the key information.
- The API will suppress the applicable records from the Bank Details list.
- Raise a relevant message if Indicator is ‘Blocked’ or ‘Suppressed’.
Sample code is given below –
IF GT_BUT0BK IS NOT INITIAL.
data : lt_field_map TYPE /UISM/T_FIELD_SEM_MAP.
data : ls_field_map TYPE /UISM/S_FIELD_SEM_MAP.
ls_field_map-tabname = 'BUSBANKCHECK'.
ls_field_map-fieldname = 'BANKN'.
append ls_field_map to lt_field_map.
DATA : cr_data TYPE REF TO data.
GET REFERENCE OF GT_BUT0BK[] INTO cr_data.
/UISM/CL_DATA_PROTECTION_API=>data_block_api(
EXPORTING
it_field_map = lt_field_map " Field name & Sementic Attributes Mapping
* iv_uname = " ABAP System Field: Name of Current User
IMPORTING
ev_indicator = data(lv_indicator) " Data block = 'B' or Suppression = 'S'
es_return = data(ls_return) " Return Parameter
CHANGING
cr_data = cr_data
).
ENDIF.
Conclusion
In this blog post, we have learnt how
Data Blocking is achieved in
Payment transactions tab of
BP transaction for blocking access to
Bank Details information of certain business partners using
API.