Technology Blogs by SAP
AmitKrSingh
Product and Topic Expert

Introduction


In this blog post, we will learn how to configure Data Blocking with the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Manage Sensitive Attributes app


The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in a SAP Fiori-based UI.


This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:


  • Create, update and delete sensitive attributes

  • Define masking and blocking configurations

  • Manage technical attribute mappings

  • Create and assign context attributes

  • Create and assign derived attributes and lists of values





You can use the app on your desktop, tablet or smartphone.



Prerequisite


UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.

Requirement


Data Blocking is required for the BP transaction. Some Business Partner records that are marked for "Military Use" need to be protected from unauthorized access by configuring Data Blocking on this transaction and on the "Manage Business Partner Master Data" Fiori app. The "Military Use" flag is located in the "Trade Compliance" section of the "Identification" tab of the BP transaction. If this flag is checked, the Business Partner is sensitive and only authorized users can see its details.



Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin


Configuration to achieve Data Blocking in BP transaction


Log in to the Fiori Launchpad and click on the “Manage Sensitive Attributes” app available under the “UI data protection masking” catalog.




Maintain Sensitive Attributes


A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on Add icon




  • Enter “LA_BP_ID” in Sensitive Attribute field

  • Enter “BP ID Number” in Description field

  • Click on “Create” button





  • Sensitive Attribute with specified details will be created.



Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.


  • Under Technical Mapping > SAP GUI, choose the Add icon and maintain following entries -







  • Under Technical Mapping > SAPUI5, choose the Add icon and maintain following entry -




Mass Configuration


For mass configuration, select the Mass Configuration icon. The system generates additional customizing for SAP GUI and data element entries. Once the application is refreshed, the entries are listed under Module Pool.

  • Select all the records and click on “Mass Configuration” button





  • On completion, navigate to Technical Mapping > SAP GUI (Module Pool) section to see the generated entries





Maintain Context Attributes


In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.

  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.

  • Open a context attribute by tapping the arrow next to it. Under Technical Mapping, you can map technical addresses to the context attribute in the same way as for the sensitive attribute.










  • Click on "Fallback Option: via code" tab and maintain "Class Name" as "ZCL_DETERMINE_MILVE"




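Write the following logic into the class:

METHOD /uism/if_ca_code_fallback~execute.
  " Start from an empty result so that a failed lookup returns no value.
  CLEAR ev_output.

  " Pick up the Business Partner number passed in for sensitive attribute LA_BP_ID.
  READ TABLE it_name_value_pair ASSIGNING FIELD-SYMBOL(<fa_nvp>)
       WITH KEY sem_attribute = 'LA_BP_ID'.
  IF sy-subrc EQ 0.
    " Return the "Military Use" flag (BUT000-MILVE) of that Business Partner.
    SELECT SINGLE milve FROM but000 INTO ev_output
      WHERE partner = <fa_nvp>-value_int.
  ENDIF.
ENDMETHOD.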

Policy Configuration


Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-based Authorizations

Then follow these steps:

  • Click on “New Entries” button

  • Enter “Policy Name” as “POL_BLOCK_BP”

  • Select “Type” as “Data Blocking”

  • Enter “Description” as “Block Sensitive Business Partners in BP transaction”

  • Click on “Save” button




Write following logic into Policy



Maintain Programs for Data Blocking


To achieve Data Blocking for SAP GUI transactions, there is an additional mandatory step: configure the program name of the SAP GUI transaction in Customizing under SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Programs for Data Blocking. Follow these steps:

  • Click on “New Entries” button

  • Enter Calling Program as “SAPLBUPA_DIALOG_JOEL”

  • Check the “Enable” checkbox

  • Enter Description as “Block Sensitive BP Records”

  • Click on “Save” button



Data Blocking Configuration


In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.

Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view.

To configure blocking for a sensitive attribute, under Configuration > Data Blocking Configuration, choose Edit.

  • Enable Data Blocking.

  • Use the value help to select the “POL_BLOCK_BP” policy for attribute-based authorization.

  • Save the configuration.




Data Blocking in BP transaction



  • Enter T-Code as “BP” and press “Enter” key




  • Enter “2000*” in “Business Partner” field and click on “Start” button


Following BP Records will not appear in grid as they are blocked –





  • Enter “20001” in “Business Partner” field and click on “Start” button


BP Record 20001 will not appear in grid as it is blocked.




  • Click on “Open BP” button




  • Enter “20003” in “Business Partner” field and click on “Enter” button





  • The details of BP Record 20003 will not be displayed. Instead, the message “Certain records are blocked via UI Data Protection” is shown.
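
The flow configured above, from context derivation through policy decision to the two UI outcomes, can be sketched as a small conceptual model. This is an added example, not SAP code and not part of the original post: the policy rule, the authorised-user set and the sample BUT000 rows are assumptions, since the page does not show the policy logic.

```python
from fnmatch import fnmatchcase

# Constructed sample standing in for BUT000 (PARTNER -> MILVE flag).
BUT000 = {"20001": "X", "20002": "", "20003": "X", "20004": ""}

# Assumption: the real policy rules decide who is authorised; the page
# does not show them, so this user set is hypothetical.
AUTHORISED_USERS = {"COMPLIANCE_OFFICER"}
BLOCKED_MSG = "Certain records are blocked via UI Data Protection"


def derive_milve(name_value_pairs):
    """Mirror of the fallback class: LA_BP_ID in, MILVE flag out.

    Returns "" when LA_BP_ID is absent or the partner is unknown,
    just as ev_output stays cleared in the ABAP method.
    """
    bp_id = name_value_pairs.get("LA_BP_ID")
    return BUT000.get(bp_id, "") if bp_id is not None else ""


def pol_block_bp(user, name_value_pairs):
    """Assumed rule for POL_BLOCK_BP: block military-use partners for
    users outside the authorised set. True means 'block'."""
    is_military = derive_milve(name_value_pairs) == "X"
    return is_military and user not in AUTHORISED_USERS


def search_bp(user, pattern):
    """List view: blocked rows are dropped from the result grid.
    Returns (visible partners, number of suppressed partners)."""
    hits = sorted(bp for bp in BUT000 if fnmatchcase(bp, pattern))
    visible = [bp for bp in hits
               if not pol_block_bp(user, {"LA_BP_ID": bp})]
    return visible, len(hits) - len(visible)


def open_bp(user, bp_id):
    """Single-record view: a blocked partner yields the message."""
    if bp_id not in BUT000:
        return None
    if pol_block_bp(user, {"LA_BP_ID": bp_id}):
        return BLOCKED_MSG
    return {"partner": bp_id, "milve": BUT000[bp_id]}
```

Under this assumed rule an empty derivation result means "not blocked", so a lookup that finds nothing in the fallback class leaves the record visible; when writing the real policy, decide explicitly how an empty context value should be treated.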




Data Blocking in Manage Business Partner Master Data Fiori app



  • Click on Manage Business Partner Master Data application





  • Click on "Business Partner" field





  • Enter Search Condition and click on "OK" button





  • Click on "Go" button





  • Sensitive BP Records will not be displayed. Instead, the message “Some of the records have been suppressed! Fetching available records...” is shown.




Conclusion


In this blog post, we have learnt how Data Blocking is achieved in the BP transaction and the Manage Business Partner Master Data Fiori app through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution.

 

 

 

 