Governance, Risk, Compliance (GRC), and Cybersecurity

Attribute Based Access Control (ABAC) – Data Block scenario in ALV Tree program of SAP GUI

Introduction

In this blog post, we will learn how to configure Data Blocking through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, which is based on the Attribute Based Access Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain the configuration for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update and delete sensitive attributes
  • Define masking and blocking configurations
  • Manage technical attribute mappings
  • Create and assign context attributes
  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet or smartphone.

Prerequisite

UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.

Requirement

There are different types of Trees in SAP and several transactions use Tree displays to represent data. In this blog, we use the Flight Overview ALV Tree program to showcase how suppression can be achieved using SAP UI Data Protection Masking for SAP S/4HANA. However, the same steps would apply on any transaction/report which represents data through any sort of Tree.

Data Blocking is required for the ALV Tree program: certain sensitive flight records must be protected from unauthorized access by configuring Data Blocking on this report. The product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Data Blocking in ALV Tree program

Log in to the Fiori Launchpad and open the “Manage Sensitive Attributes” app, available under the “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on the “Add” icon
  • Enter “LA_FLIGHT_ALV” in the Sensitive Attribute field
  • Enter “Suppression in ALV TREE Scenario” in the Description field
  • Click on the “Create” button
  • The Sensitive Attribute with the specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To maintain the technical address mapping for the ALV Tree fields:

  • Under Technical Mapping > SAP GUI, choose the Add icon.
  • Use the value help to select the table name and the field name. You can also enter the referenced transaction codes as a comment to describe the mapping.

Maintain Additional Attributes – Configure Value Range

In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.

A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.

To create a new value range for the sensitive flight records:

  • Navigate to the “Additional Attributes” tab
  • Click on the “Value Ranges” option
  • Click on the “Add” icon
  • Select “Create New”
  • Select Range Type as “List of Values”
  • Enter “VR_FLIGHT_LIST” as the name of the value range (names of list-of-values ranges begin with VR_)
  • Enter “Flight List in ALV Tree” in the Description field
  • Click on the “Create” button.
  • The Value Range with the specified details will be created.
  • Click on the VR_FLIGHT_LIST link to add values to this Value Range. You will be navigated to the Manage Derived Attributes/Value Ranges app
  • Click on the Include Value option under the Maintain List of Values tab
  • Click on the “Add” icon under the Include Value section
  • Enter “AA” as the “Value”
  • Enter “AA” as the “Comment”
  • Click on the “Create” button

Enter the following entries in the “VR_FLIGHT_LIST” Value Range:

Data Blocking Configuration

In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.

Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view. Unlike masking, which only replaces the content of a field, blocking removes the whole record from the display.

To configure blocking for the LA_FLIGHT_ALV sensitive attribute, under Configuration > Data Blocking Configuration, choose Edit.

  • Enable data blocking.
  • Click on the “Add” icon next to the “Policy” field
  • Enter “POL_SUPPRESS_FLIGHT” as the Policy Name.
  • Enter “Suppress Flight Information in ALV Tree” as the Description.
  • Click on the “Create” button.
  • The policy will be created.
  • Click on the “Save” button.
  • Click on the “Suppress Flight Information in ALV Tree (POL_SUPPRESS_FLIGHT)” link. You will be navigated to the “Manage ABAC Policies” app
  • Choose “Edit” under the “Rule” section of the policy
  • The ABAC Policy Cockpit will open

Write the following logic into the policy:

Data Blocking in ALV Tree Program

  • Enter the transaction code “SE38” and press the Enter key
  • Enter “BCALV_TREE_DEMO*” in the “Program” field and click on the “Execute” button

The following flight records will not appear in the tree display, as they are blocked/suppressed:

  • The flight details for the sensitive flight records are not displayed, because these records are configured to be blocked, and the message “Certain records are blocked via UI Data Protection” is shown in their place.
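The blocking behaviour configured above, modelled as an added Python example. This is not code from SAP or from the UI data protection masking solution; the real policy is written in the ABAC Policy Cockpit and evaluated by the masking framework. The Flight records, the contents of VR_FLIGHT_LIST, the policy function pol_suppress_flight and the authorized flag are constructed here for illustration. The point the model makes explicit is that the policy is applied to the flat record list before the tree is built, so a blocked record leaves no trace in parent nodes, node counts or totals, and a single notice replaces the suppressed rows:

```python
"""Model of attribute-based data blocking for a tree display (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

BLOCKED_MESSAGE = "Certain records are blocked via UI Data Protection"

# Value range VR_FLIGHT_LIST (constructed): carrier IDs whose flights are sensitive.
VR_FLIGHT_LIST = {"AA", "LH"}


@dataclass(frozen=True)
class Flight:
    carrid: str    # carrier ID
    connid: str    # connection number
    fldate: str    # flight date
    price: float   # ticket price


# A policy is a predicate on a record's attributes; True means "block this record".
Policy = Callable[[Flight], bool]


def pol_suppress_flight(rec: Flight) -> bool:
    """POL_SUPPRESS_FLIGHT, modelled: block every flight whose carrier is in VR_FLIGHT_LIST."""
    return rec.carrid in VR_FLIGHT_LIST


@dataclass
class Node:
    key: str
    children: Dict[str, "Node"] = field(default_factory=dict)
    flights: List[Flight] = field(default_factory=list)


def build_tree(records: List[Flight], policy: Policy, authorized: bool) -> Tuple[Node, int]:
    """Build a carrier -> connection -> flights tree.

    The policy is evaluated on the flat record list before any node is created,
    so a blocked flight never produces a carrier or connection node.
    Returns the root node and the number of records blocked.
    """
    root = Node("root")
    blocked = 0
    for rec in records:
        if not authorized and policy(rec):
            blocked += 1
            continue
        carrier = root.children.setdefault(rec.carrid, Node(rec.carrid))
        conn = carrier.children.setdefault(rec.connid, Node(rec.connid))
        conn.flights.append(rec)
    return root, blocked


def render(root: Node, blocked: int) -> List[str]:
    """Flatten the tree into display lines, appending the blocking notice if needed."""
    lines: List[str] = []

    def walk(node: Node, depth: int) -> None:
        for child in node.children.values():
            lines.append("  " * depth + child.key)
            for f in child.flights:
                lines.append("  " * (depth + 1) + f"{f.fldate}  {f.price:.2f}")
            walk(child, depth + 1)

    walk(root, 0)
    if blocked:
        lines.append(BLOCKED_MESSAGE)
    return lines


def visible_carriers(records: List[Flight], authorized: bool) -> List[str]:
    """Carrier nodes a user would see for the given records."""
    root, _ = build_tree(records, pol_suppress_flight, authorized)
    return sorted(root.children)


def leaks_blocked_value(lines: List[str]) -> bool:
    """True if any value from the blocked range shows up anywhere in the rendered output."""
    return any(v in line for line in lines for v in VR_FLIGHT_LIST)


# Constructed sample data, loosely modelled on the SFLIGHT demo table.
SAMPLE_FLIGHTS = [
    Flight("AA", "0017", "2021-01-10", 422.94),
    Flight("AA", "0017", "2021-02-10", 422.94),
    Flight("LH", "0400", "2021-01-15", 666.00),
    Flight("SQ", "0026", "2021-01-20", 849.00),
    Flight("UA", "0941", "2021-01-22", 512.50),
]

if __name__ == "__main__":
    for who in (False, True):
        root, blocked = build_tree(SAMPLE_FLIGHTS, pol_suppress_flight, authorized=who)
        print(f"--- authorized={who}, blocked={blocked}")
        print("\n".join(render(root, blocked)))
```

When checking a real configuration, run the report once as an unauthorized user and once as an authorized user and compare the two displays: the unauthorized view should show neither the sensitive rows nor their parent nodes, and the notice should appear only when something was actually suppressed.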