Introduction
In this blog post, we will learn how to mask different segment of
Material Description for different user groups in transactions
SE16 and
MM03.
Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the
context attributes of the user and data (for example, price of certain sensitive materials are masked).
Requirement
In this scenario,
Material Description is made up of 3 pieces or segments of data. In other words, Material Description comprises 30-characters and divided into 3-sections of 10-character segment.
User want to mask the Material Description partially but different segment for different User Groups. For Example, for User Group 01, first segment will remain masked and second and third segment will remain visible (**********SEGEMENT002SEGMENT003), for User Group 02, second segment will remain masked and first and third segment will remain visible (SEGEMENT001**********SEGMENT003), and for User Group 03, third segment will remain masked and first and second segment will remain visible (SEGMENT001SEGMENT002**********).
In order to distinguish one User Group from other, we have created three different PFCG Roles -
LEVEL01,
LEVEL02, and
LEVEL03. We also have three different Users -
TESTUSER01,
TESTUSER02, and
TESTUSER03.
User “
TESTUSER01” is assigned with
PFCG Role “
LEVEL01”, User “
TESTUSER02” is assigned with
PFCG Role “
LEVEL02”, and User “
TESTUSER03” is assigned with
PFCG Role “
LEVEL03”
The end result for
TESTUSER01 which is assigned with
PFCG Role “
LEVEL01” will appear as:
SE16
MM03
The end result for
TESTUSER02 which is assigned with
PFCG Role “
LEVEL02” will appear as:
SE16
MM03
The end result for
TESTUSER03 which is assigned with
PFCG Role “
LEVEL03” will appear as:
SE16
MM03
Prerequisite
UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.
Product “
UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the
S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in
SAP GUI,
SAPUI5/SAP Fiori,
CRM Web Client UI, and
Web Dynpro ABAP.
Let’s begin
Configuration to achieve masking
Logical Attribute is a functional modelling of how any attribute such as
Social Security Number,
Bank Account Number,
Amounts,
Pricing information,
Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Material Number
Material Description
Maintain Technical Address
In this step, we will associate the
Technical Address of the fields to be masked with the
Logical Attributes.
You can get the Technical Address of a GUI field by pressing “
F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:
Under “
GUI Table Field Mapping”, maintain technical address for following fields.
Mass Configuration
For all the above entries, “
Mass Configuration” report should be executed which is required to generate technical addresses.
Follow below mentioned steps:
- Select the entry in GUI Table Field Mapping
- Click on “Mass Configuration” button
- Click on “Select All” button
- Click on “Generate Customizing” button
- Save the information
Maintain Masking Pattern
In this step, we will configure
Masking Patterns using the
Masking Pattern Set strategy which will determine the way masked masked values will be displayed on the UI. Through
Masking Pattern Set strategy, the original value of the field is masked as per the masking pattern maintained.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Optional Configuration -> Maintain Masking Pattern – Follow below mentioned steps:
Maintain Field-Level Actions
In this step, we will configure the actions to be applied to a field that is configured for UI data protection. An action determines how a field appears and behaves when it is rendered on the user interface. Predefined patterns can be applied to specific actions to define how the field is displayed.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Optional Configuration -> Maintain Field-Level Actions – Follow below mentioned steps:
Policy Configuration
A
Policy is a combination of
rules and
actions which are defined in one or more
blocks. The
actions are executed on a
sensitive entity (field to be protected) which has to be assigned to a
Policy. The conditions are based on
contextual attributes which help derive the context.
Context Attributes are
logical attributes which are used in designing the
rules of a
policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a
sensitive entity.
Sensitive Entities are
logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_MATDESCR_SEGMENT”
- Select “Type” as “Field Level Masking”
- Enter “Description” as “Mask Segmented Material Description”
- Click on “Save” button
Write following logic into Policy
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Sensitive Entity” as “LA_MATDESCR” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
- Check “Enable Configuration” check-box
- Select “Attribute Based Authorization” option
- Enter “Policy Name” as “POL_MATDESCR_SEGMENT”
- Click on “Save” button
Conclusion
In this blog post, we have learnt how
Attribute-based masking is achieved to mask different segment of Material Description for different user groups in transactions
SE16 and
MM03.