Introduction
In this blog post, we will learn how to configure masking through Manage Sensitive Attributes app provided by UI Data Protection Masking for SAP S/4HANA 2011 solution based on Attribute Based Authorization Control (ABAC) concept.
Manage Sensitive Attributes app
The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in a SAP Fiori-based UI.
This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:
- Create, update and delete sensitive attributes
- Define masking and blocking configurations
- Manage technical attribute mappings
- Create and assign context attributes
- Create and assign derived attributes and lists of values
You can use the app on your desktop, tablet or smartphone.
Prerequisite
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.
Requirement
Attribute-based masking is required for Manage Suppliers fiori app. Address information of Sensitive Suppliers needs to be masked on this app. Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
Let’s begin
Configuration to achieve masking in Manage Supplier fiori app
Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.
Maintain Sensitive Attributes
A Sensitive Attribute is a type of logical attribute that define a field which needs to be configured for UI data protection.
- Click on Add icon
- Enter “LA_SUPPLIER_ADDRESS” in Sensitive Attribute field
- Enter “Supplier Address Details” in Description field
- Click on “Create” button
- Sensitive Attribute with specified details will be created.
Maintain Mapping to Technical Addresses
In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.
To find the technical address of a field on a UI5 screen, do the following:
- Right-click the field and choose Inspect.
- Select the Network tab and refresh the application.
- Find the relevant request that fetches data from the backend.
- Select the request and find the field to be masked in the response of the call.
Under Technical Mapping > SAP Fiori, choose the Add icon.
Use the value help to select the service name, entity name and property name. Entering the name of the UI5 applications in the Comments field will provide useful information by which to identify the mappings.
Maintain Context Attributes
In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.
A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.
- To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
- To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
- Open a context attribute by tapping the arrow next to it and under Technical Mapping, you can map technical addresses to the context attribute in the same way we did for sensitive attribute
Maintain Addition Attributes – Configure Value Range
In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.
A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.
To create a new value range,
- Select “Create New“
- Select Range Type as “List of Values“
- Enter the name of the value range beginning with VR_ for a list of values as “VR_PROTECTED_SUPPLIERS_LIST“
- Description as “Protected Supplier’s List”
- Click on “Create” button.
- Value Range with specified details will get created.
Enter following entries in “VR_PROTECTED_SUPPLIERS_LIST” Value Range
Follow below mentioned steps:
- Execute Transaction Code “/UISM/V_RANGE”
- Click on “VR_PROTECTED_SUPPLIERS_LIST” Value Range
- Click on “Display<- -> Change” button
- Click on “Add New Entry” button
- Add following entries under “Include Value” tab and click on “Save” button
Policy Configuration
A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.
Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.
Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-based Authorizations – Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_PROTECT_SUPPLIER”
- Select “Type” as “Field Level Masking”
- Enter “Description” as “Protect Address of Sensitive Supplier”
- Click on “Save” button
Write following logic into Policy
Masking Configuration
In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.
To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.
- Enable masking.
- Select Attribute-Based authorization concept. For attribute-based authorization, use the value help to select POL_PROTECT_SUPPLIER Policy
- Save the configuration.
Masking in Manage Suppliers fiori app
- Click on Manage Suppliers application
- Masking in Manage Suppliers application – Overview screen
- Masking in Manage Suppliers application – Detail screen
Reveal on Demand
Reveal on demand provides additional data protection by masking the field value by default, even if the user is authorized to view the data. The authorized user then explicitly chooses the option to reveal the field value on the user interface.
When the authorized user reveals the data, a dialog box (which can be configured to display a confirmation message, reason code, and free text) is displayed. The user then has to specify, for example, a reason for revealing the data. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal option.
- To unmask the “Address” field information using Reveal on Demand feature, click on “Eye” icon and then click on “Reveal” option
- On Reveal On Demand pop-up, select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on “Submit” button
- Field value will get unmasked for “Address” field of all those Suppliers which has not been protected
- To again mask the “Address” field value, click on “Eye” icon and then click on “Mask” option
- On Reveal On Demand pop-up, click on “OK” button
- “Address” field will again appear as masked
