Governance Risk Compliance (GRC) and Cybersecurity, SAP Analytics Cloud, SAP S/4HANA Embedded Analytics, UI Data Security

Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Browser app

Introduction

In this blog, we will learn how to mask Stock Quantity field information based on Stock Material field information of C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query. Analytical Queries are used for reporting and analysis.

Stock Quantity field information of C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query need to be masked where “Stock Material” is “CCMPROD01”, “CCMPROD03”, “CCMPROD05”, “CCMPROD07”, and “CCMPROD09”. For other “Stock Material”, “Stock Quantity” field will appear as unmasked.

Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible value of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as data source and Fiori Analytical application as the frontend. As the frontend, other than S/4HANA Embedded Analytics, SAP Analytics Cloud is available which is used together with S/4HANA embedded analytics.

SAP Query Browser app

SAP Query Browser is a powerful Fiori app for embedded analytics which is used to view, retrieve, and analyze analytical queries. It is used to search, browse, and tag the analytical queries quickly and easily. It is available as a tile in SAP Fiori Launchpad. It displays all the authorized SAP standard and custom analytical queries to which the user has access.

SAP_BR_EMPLOYEE Query Browser role must be assigned to a user to access the Query Browser app.

To launch the Query Browser application, choose Query Browser from the Query Browser catalog.

In Query Browser app, analytical queries can be searched using view names, view descriptions, view column names, annotations, tables, and user added tags.

Here, we will use SAP Query Browser to showcase masking of sensitive fields of analytical queries. We will configure Masking through Manage Sensitive Attributes app provided by UI Data Protection Masking for SAP S/4HANA 2011 solution based on Attribute Based Authorization Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update, and delete sensitive attributes
  • Define masking and blocking configurations
  • Manage technical attribute mappings
  • Create and assign context attributes
  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet, or smartphone.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for Stock Quantity field information based on Stock Material field information of C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query result using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve masking Stock Quantity field
Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that define a field which needs to be configured for UI data protection.

  • Click on Add icon

  • Enter “LA_EA_STOCK_QTY” in Sensitive Attribute field
  • Enter “EA Stock Quantity” in Description field
  • Click on “Create” button

  • Sensitive Attribute with specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address for Analytical Query fields, you need to use Recording Tool feature to get the Technical Address as Technical Information on press of F1 key is not available here.

Under Technical Mapping > Analytics, choose the Add icon.

Use the value help to select the InfoProvider, Query, and InfoObject information. You can also enter the referenced query name as a comment to describe the mapping.

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
  • Open a context attribute by tapping the arrow next to it and under Technical Mapping, you can map technical addresses to the context attribute in the same way we did for sensitive attribute

Maintain Additional Attributes – Configure Value Range

In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.

A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.

To create a new value range for,Sensitive Stock Materials

  • Navigate to “Additional Attributes” tab
  • Click on “Value Ranges” option
  • Click on “Add” icon

  • Select “Create New“
  • Select Range Type as “List of Values“
  • Enter the name of the value range beginning with VR_ for a list of values as “VR_STOCK_MATERIAL“
  • Description as “List of Stock Materials”
  • Click on “Create” button.

  • Value Range with specified details will be created.

  • Click on VR_STOCK_MATERIAL link to add values in this Value Range. You will be navigated to Manage Derived Attributes/Value Ranges app
  • Click on Include Value option under Maintain List of Values tab

  • Click on “Add” icon under Include Value section

  • Enter “Value” as “CCMPROD01”
  • Enter “Comment” as “CCM Product 1”
  • Click on “Create” button

Enter following entries in “VR_STOCK_MATERIAL” Value Range

Masking Configuration

In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.

To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.

  • Enable masking.
  • Select Attribute Based authorization concept.
  • Click on “Add” icon next to “Policy” edit box

  • Enter Policy Name as “POL_MASK_STOCKINFO“.
  • Enter Description as “Mask Stock info based on Stock Material in Embedded Analytics Query“.
  • Click on “Create” button.

  • Policy will get created.
  • Click on “Save” button

  • Click on “Mask Stock info based on Stock Material in Embedded Analytics Query (POL_MASK_STOCKINFO)” link. You will be navigated to “Manage ABAC Policies” app

  • Choose “Edit” under “Rule” section of Policy

  • ABAC Policy Cockpit will be opened

Write following logic into Policy

Masking in Analytical Query

  • Click on Query Browser app
  • Enter “C_STOCKQUANTITYCURRENTVALUE” in Search field and click on “Search” button

  • Select the checkbox and click on “Open for Analysis” button

  • Enter highlighted search criteria in the corresponding fields and click on “OK” button

  • Stock Quantity field value will appear as masked where Stock Material is “CCMPROD01“, “CCMPROD03“, “CCMPROD05“, “CCMPROD07“, and “CCMPROD09“.

Note: For Stock Quantity field, original value will be replaced by 0.00 as the same is a Key figure and a notification will also be displayed by the system for the same.