Governance, Risk, Compliance (GRC), and Cybersecurity - ERP Q&A
https://www.erpqna.com
Fri, 02 Feb 2024 11:48:48 +0000

Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Monitor (RSRT TCode) in WD Grid Query Display mode
https://www.erpqna.com/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-monitor-rsrt-tcode-in-wd-grid-query-display-mode/
Fri, 22 Dec 2023 10:45:35 +0000

Introduction

In this blog, we will learn how to mask Chart of Account field information based on G/L Account field information of Aging Analysis Smart Business app Analytical Query. Analytical Queries are used for reporting and analysis.

The Chart of Account field of the Aging Analysis Smart Business app Analytical Query needs to be masked where “G/L Account” is “0011230000”, “0013111000”, “0022010001”, “0022020001”, and “0024643000”. For other “G/L Account” values, the “Chart of Account” field will appear unmasked.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as the data source and Fiori analytical applications as the frontend. Besides the S/4HANA Embedded Analytics frontend, SAP Analytics Cloud is also available as a frontend and is used together with S/4HANA Embedded Analytics.

Query Monitor (RSRT TCode)

The Query Monitor is used to test, check, or regenerate queries and query views, and to check or change query properties. Transaction RSRT (Query Monitor) makes a detailed analysis of queries very convenient. With the help of the Query Monitor you can run and analyze queries without a BW front end.

To launch the Query Monitor, execute transaction RSRT.

Here, we will use the Query Monitor to showcase masking of sensitive fields of analytical queries. We will configure masking through the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for Chart of Account field information based on G/L Account field information in Aging Analysis Smart Business app Analytical Query result using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Masking

Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Context Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

G/L Account

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_GL_ACCOUNT”
  • Enter “Description” as “EA G/L Account”
  • Click on “Save” button

Configure Sensitive Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

Chart of Account

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_CHART_ACCOUNT”
  • Enter “Description” as “EA Chart of Account”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Analytics Technical Address

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address of Analytical Query fields, you need to use the Recording Tool feature, because Technical Information via the F1 key is not available here.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Analytics Technical Address

Follow the steps below:

Under “Analytics Technical Address”, maintain the technical address for the following fields.

G/L Account

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CIAPFLXBLAGING”
  • Enter “Query” as “2CCAPFLXBLAGING”
  • Enter “InfoObject” as “2CIAPFLXBLAGING-GLACCOUNT”
  • Enter “Logical Attribute” as “LA_EA_GL_ACCOUNT”
  • Enter “Description” as “EA G/L Account”
  • Click on “Save” button

Chart of Account

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CIAPFLXBLAGING”
  • Enter “Query” as “2CCAPFLXBLAGING”
  • Enter “InfoObject” as “2CMBIWEI883S4US8477V0EERIY7”
  • Enter “Logical Attribute” as “LA_EA_CHART_ACCOUNT”
  • Enter “Description” as “EA Chart of Account”
  • Click on “Save” button

Configure Value Range

Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition

Follow the steps below:

Sensitive G/L Account List

  • Click on “New Entries” button
  • Enter “List of Values” as “VR_GL_ACCOUNT”
  • Enter “Description” as “List of G/L Accounts”
  • Click on “Save” button

Enter the following entries in the “VR_GL_ACCOUNT” Value Range

Follow the steps below:

  • Execute Transaction Code “/UISM/V_RANGE”
  • Click on “VR_GL_ACCOUNT” Value Range
  • Click on “Display <-> Change” button
  • Click on “Add New Entry” button
  • Add the following entries under the “Include Value” tab and click on “Save” button

Policy Configuration

A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_MASK_COA”
  • Select “Type” as “Field Level Masking”
  • Enter “Description” as “Mask Chart of Account based on G/L Account in EA Query”
  • Click on “Save” button

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_EA_CHART_ACCOUNT” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_COA”
  • Click on “Save” button

Masking in WD Grid Query Display Mode

Follow the steps below:

  • Execute “RSRT” TCode
  • Enter “Query” as “2CIAPFLXBLAGING/2CCAPFLXBLAGING”
  • Select “Query Display” mode as “WD Grid”
  • Click on “Execute” button

  • Enter highlighted search criteria in the corresponding fields and click on “Go” button.

  • Chart of Account Code and Description field value will appear as masked where “G/L Account” is “0011230000”, “0013111000”, “0022010001”, “0022020001”, and “0024643000”.
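
A verification sketch for the configuration above, added here as an example; it is not code from the original post or from the SAP product. It models the chain of logical attributes, technical addresses, value range, policy and field-level configuration, lints it for broken links, and audits an exported query result. Assumptions: the policy rule is taken to be "mask when G/L Account is in VR_GL_ACCOUNT" (the post's policy logic is not reproduced in the text), the value range is assumed to hold the five G/L accounts named in the introduction, a masked value is assumed to consist only of `*`, and the sample rows are constructed.

```python
from dataclasses import dataclass


@dataclass
class MaskingConfig:
    logical_attributes: dict   # logical attribute -> "Is Sensitive" flag
    technical_addresses: list  # (InfoProvider, Query, InfoObject, logical attribute)
    value_ranges: dict         # list of values -> set of included values
    policies: dict             # policy -> (context attribute, value range); assumed rule shape
    field_config: dict         # sensitive entity -> (enable configuration, policy)


# Names come from the walkthrough; the value range content and the policy
# rule shape are assumptions (see lead-in).
CONFIG = MaskingConfig(
    logical_attributes={"LA_EA_GL_ACCOUNT": False, "LA_EA_CHART_ACCOUNT": True},
    technical_addresses=[
        ("2CIAPFLXBLAGING", "2CCAPFLXBLAGING",
         "2CIAPFLXBLAGING-GLACCOUNT", "LA_EA_GL_ACCOUNT"),
        ("2CIAPFLXBLAGING", "2CCAPFLXBLAGING",
         "2CMBIWEI883S4US8477V0EERIY7", "LA_EA_CHART_ACCOUNT"),
    ],
    value_ranges={"VR_GL_ACCOUNT": {"0011230000", "0013111000", "0022010001",
                                    "0022020001", "0024643000"}},
    policies={"POL_MASK_COA": ("LA_EA_GL_ACCOUNT", "VR_GL_ACCOUNT")},
    field_config={"LA_EA_CHART_ACCOUNT": (True, "POL_MASK_COA")},
)


def lint_config(cfg):
    """Return findings for links in the chain that would leave a field unmasked."""
    findings = []
    mapped = {}  # logical attribute -> set of (InfoProvider, Query) it is mapped in
    for provider, query, _infoobject, attr in cfg.technical_addresses:
        mapped.setdefault(attr, set()).add((provider, query))
    for entity, (enabled, policy) in cfg.field_config.items():
        if not cfg.logical_attributes.get(entity, False):
            findings.append(f"{entity}: not flagged 'Is Sensitive'")
        if not enabled:
            findings.append(f"{entity}: 'Enable Configuration' is off")
        if policy not in cfg.policies:
            findings.append(f"{entity}: policy {policy} is not defined")
            continue
        context, vrange = cfg.policies[policy]
        if not cfg.value_ranges.get(vrange):
            findings.append(f"{policy}: value range {vrange} is missing or empty")
        # The sensitive field and its context field must be mapped in the same query.
        if not mapped.get(entity, set()) & mapped.get(context, set()):
            findings.append(
                f"{policy}: {entity} and {context} share no InfoProvider/Query mapping")
    return findings


def normalise_gl(value):
    """Exports may drop leading zeros; compare on the 10-character form (assumption)."""
    return value.strip().zfill(10)


def is_masked(value, mask_char="*"):
    """Assumed mask pattern: a non-empty value made up only of the mask character."""
    return bool(value) and set(value) == {mask_char}


def audit_rows(rows, cfg, policy="POL_MASK_COA"):
    """Compare an exported result against the policy; return (row number, finding)."""
    _context, vrange = cfg.policies[policy]
    protected = {normalise_gl(v) for v in cfg.value_ranges[vrange]}
    findings = []
    for number, row in enumerate(rows, 1):
        must_mask = normalise_gl(row["gl_account"]) in protected
        masked = is_masked(row["chart_of_accounts"])
        if must_mask and not masked:
            findings.append((number, "LEAK"))        # sensitive value shown in clear
        elif masked and not must_mask:
            findings.append((number, "OVERMASK"))    # policy fired outside its range
    return findings


# Constructed sample export (not real query output).
SAMPLE_ROWS = [
    {"gl_account": "0011230000", "chart_of_accounts": "****"},
    {"gl_account": "0013111000", "chart_of_accounts": "YCOA"},
    {"gl_account": "11230000", "chart_of_accounts": "YCOA"},  # leading zeros lost
    {"gl_account": "0010010000", "chart_of_accounts": "YCOA"},
    {"gl_account": "0021100000", "chart_of_accounts": "****"},
]

if __name__ == "__main__":
    print("config findings:", lint_config(CONFIG))
    for number, finding in audit_rows(SAMPLE_ROWS, CONFIG):
        print(f"row {number}: {finding}")
```
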

Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Monitor (RSRT TCode) in ABAP BICS Query Display mode
https://www.erpqna.com/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-monitor-rsrt-tcode-in-abap-bics-query-display-mode/
Thu, 21 Dec 2023 09:26:27 +0000

Introduction

In this blog, we will learn how to mask IBAN field information based on Company Code field information of SAF-T PL Bank Statement Item Analytical Query. Analytical Queries are used for reporting and analysis.

The IBAN field of the SAF-T PL Bank Statement Item Analytical Query needs to be masked where “Company Code” is “0001”, “PEG1”, and “PCZ1”. For other “Company Code” values, the “IBAN” field will appear unmasked.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as the data source and Fiori analytical applications as the frontend. Besides the S/4HANA Embedded Analytics frontend, SAP Analytics Cloud is also available as a frontend and is used together with S/4HANA Embedded Analytics.

Query Monitor (RSRT TCode)

The Query Monitor is used to test, check, or regenerate queries and query views, and to check or change query properties. Transaction RSRT (Query Monitor) makes a detailed analysis of queries very convenient. With the help of the Query Monitor you can run and analyze queries without a BW front end.

To launch the Query Monitor, execute transaction RSRT.

Here, we will use the Query Monitor to showcase masking of sensitive fields of analytical queries. We will configure masking through the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for IBAN field information based on Company Code field information in SAF-T PL Bank Statement Item Analytical Query result using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Masking

Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Context Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

Company Code

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE”
  • Enter “Description” as “EA Company Code”
  • Click on “Save” button

Configure Sensitive Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

IBAN

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_IBAN”
  • Enter “Description” as “EA IBAN Information”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Analytics Technical Address

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address of Analytical Query fields, you need to use the Recording Tool feature, because Technical Information via the F1 key is not available here.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Analytics Technical Address

Follow the steps below:

Under “Analytics Technical Address”, maintain the technical address for the following fields.

Company Code

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CCSAFTBNKSTITMC”
  • Enter “Query” as “2CCSAFTBNKSTITMQ”
  • Enter “InfoObject” as “2CF9SZ7VRFLVGPX8LFP23YH2722”
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE”
  • Enter “Description” as “EA Company Code”
  • Click on “Save” button

IBAN

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CCSAFTBNKSTITMC”
  • Enter “Query” as “2CCSAFTBNKSTITMQ”
  • Enter “InfoObject” as “2CCSAFTBNKSTITMC-IBAN”
  • Enter “Logical Attribute” as “LA_EA_IBAN”
  • Enter “Description” as “EA IBAN Information”
  • Click on “Save” button

Configure Value Range

Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition

Follow the steps below:

Sensitive Company List

  • Click on “New Entries” button
  • Enter “List of Values” as “VR_PROTECTED_COMPANY_CODE”
  • Enter “Description” as “Protected Company Codes”
  • Click on “Save” button

Enter the following entries in the “VR_PROTECTED_COMPANY_CODE” Value Range

Follow the steps below:

  • Execute Transaction Code “/UISM/V_RANGE”
  • Click on “VR_PROTECTED_COMPANY_CODE” Value Range
  • Click on “Display <-> Change” button
  • Click on “Add New Entry” button
  • Add the following entries under the “Include Value” tab and click on “Save” button

Policy Configuration

A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_MASK_IBAN”
  • Select “Type” as “Field Level Masking”
  • Enter “Description” as “Mask IBAN based on Company Code in EA Query”
  • Click on “Save” button

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_EA_IBAN” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_IBAN”
  • Click on “Save” button

Masking in ABAP BICS Query Display Mode

Follow the steps below:

  • Execute “RSRT” TCode
  • Enter “Query” as “2CCSAFTBNKSTITMC/2CCSAFTBNKSTITMQ”
  • Select “Query Display” mode as “ABAP BICS”
  • Click on “Execute” button

  • Enter highlighted search criteria in the corresponding fields and click on “OK” button

  • IBAN field value will appear as masked where Company Code is “0001”, “PEG1”, and “PCZ1”.

Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Monitor (RSRT TCode) in WD Grid (Embedded) Query Display mode
https://www.erpqna.com/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-monitor-rsrt-tcode-in-wd-grid-embedded-query-display-mode/
Wed, 20 Dec 2023 09:17:28 +0000

Introduction

In this blog, we will learn how to mask Supplier field information based on Company Code field information of Cash Discount Forecast Analytical Query. Analytical Queries are used for reporting and analysis.

The Supplier field of the Cash Discount Forecast Analytical Query needs to be masked where “Company Code” is “KR01”, “RU04”, and “TP02”. For other “Company Code” values, the “Supplier” field will appear unmasked.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as the data source and Fiori analytical applications as the frontend. Besides the S/4HANA Embedded Analytics frontend, SAP Analytics Cloud is also available as a frontend and is used together with S/4HANA Embedded Analytics.

Query Monitor (RSRT TCode)

The Query Monitor is used to test, check, or regenerate queries and query views, and to check or change query properties. Transaction RSRT (Query Monitor) makes a detailed analysis of queries very convenient. With the help of the Query Monitor you can run and analyze queries without a BW front end.

To launch the Query Monitor, execute transaction RSRT.

Here, we will use the Query Monitor to showcase masking of sensitive fields of analytical queries. We will configure masking through the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for Supplier field information based on Company Code field information in Cash Discount Forecast Analytical Query result using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Masking

Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Context Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

Company Code

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE”
  • Enter “Description” as “EA Company Code”
  • Click on “Save” button

Configure Sensitive Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

Supplier Code

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_SUPL_CODE”
  • Enter “Description” as “EA Supplier Information”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Analytics Technical Address

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address of Analytical Query fields, you need to use the Recording Tool feature, because Technical Information via the F1 key is not available here.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Analytics Technical Address

Follow the steps below:

Under “Analytics Technical Address”, maintain the technical address for the following fields.

Company Code

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CIFIAPCSHDISC”
  • Enter “Query” as “2CCFIAPCSHDISCFCST”
  • Enter “InfoObject” as “2CIFICOMPANYCODE”
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE”
  • Enter “Description” as “EA Company Code”
  • Click on “Save” button

Supplier Code

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CIFIAPCSHDISC”
  • Enter “Query” as “2CCFIAPCSHDISCFCST”
  • Enter “InfoObject” as “2CI_SUPPLIER_CDS”
  • Enter “Logical Attribute” as “LA_EA_SUPL_CODE”
  • Enter “Description” as “EA Supplier Code”
  • Click on “Save” button

Configure Value Range

Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition

Follow the steps below:

Sensitive Company List

  • Click on “New Entries” button
  • Enter “List of Values” as “VR_PROTECTED_COMPANY_CODE”
  • Enter “Description” as “Protected Company Codes”
  • Click on “Save” button

Enter the following entries in the “VR_PROTECTED_COMPANY_CODE” Value Range

Follow the steps below:

  • Execute Transaction Code “/UISM/V_RANGE”
  • Click on “VR_PROTECTED_COMPANY_CODE” Value Range
  • Click on “Display <-> Change” button
  • Click on “Add New Entry” button
  • Add the following entries under the “Include Value” tab and click on “Save” button

Policy Configuration

A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_MASK_SUPPLIER”
  • Select “Type” as “Field Level Masking”
  • Enter “Description” as “Mask Supplier based on Company Code in EA Query”
  • Click on “Save” button

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow the steps below:

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_EA_SUPL_CODE” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_SUPPLIER”
  • Click on “Save” button

Masking in WD Grid (embedded) Query Display Mode

Follow the steps below:

  • Execute “RSRT” TCode
  • Enter “Query” as “2CIFIAPCSHDISC/2CCFIAPCSHDISCFCST”
  • Select “Query Display” mode as “WD Grid (embedded)”
  • Click on “Execute” button

  • Enter highlighted search criteria in the corresponding fields and click on “Go” button.

  • Supplier Code and Description field value will appear as masked where Company Code is “KR01”, “RU04”, and “TP02”.

Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using SAP Analytics Cloud
https://www.erpqna.com/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-sap-analytics-cloud/
Tue, 19 Dec 2023 10:03:33 +0000

Introduction

In this blog, we will learn how to mask Controlling Area field information based on Order Number field information of Production Cost by Order (C_PRODUCTCOSTBYORDERQUERY) Analytical Query displayed in SAP Analytics Cloud Story. Analytical Queries are used for reporting and analysis.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as the data source and Fiori analytical applications as the frontend. Besides the S/4HANA Embedded Analytics frontend, SAP Analytics Cloud is also available as a frontend and is used together with S/4HANA Embedded Analytics.

SAP Analytics Cloud

SAP Analytics Cloud is an end-to-end cloud solution that brings together business intelligence and enterprise planning, augmented with the power of artificial intelligence, machine learning technology, and predictive analytics in a single system.

The main benefits of SAP Analytics Cloud include ease of viewing content, connectivity to trusted data, access to various visualization tools, augmented analytic capabilities, and financial planning features. In a single cloud system one can analyze, ask, predict, plan, and report.

Stories are the main part of SAP Analytics Cloud used to explore data and find deep insight using charts and tables. An SAP Analytics Cloud Story is a presentation-style document that uses charts, visualizations, text, images, and pictograms to describe data.

Here, we will use a Story to showcase masking of sensitive fields of analytical queries in SAP Analytics Cloud. We will configure masking through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update, and delete sensitive attributes
  • Define masking and blocking configurations
  • Manage technical attribute mappings
  • Create and assign context attributes
  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet, or smartphone.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for the Controlling Area field based on Order Number field information in the Production Cost by Order Story in SAP Analytics Cloud, using the Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve masking of the Controlling Area field

Log in to Fiori Launchpad and click on the “Manage Sensitive Attributes” app available under the “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on Add icon

  • Enter “LA_EA_CONTROL_AREA” in Sensitive Attribute field
  • Enter “EA Controlling Area” in Description field
  • Click on “Create” button

  • Sensitive Attribute with specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address for Analytical Query fields, you need to use the Recording Tool feature, because Technical Information is not available here by pressing the F1 key.

Under Technical Mapping > Analytics, choose the Add icon.

Use the value help to select the InfoProvider, Query, and InfoObject information. You can also enter the referenced query name as a comment to describe the mapping.

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
  • Open a context attribute by tapping the arrow next to it. Under Technical Mapping, you can map technical addresses to the context attribute in the same way as we did for the sensitive attribute.

Maintain Additional Attributes – Configure Value Range

In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.

A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.

To create a new value range for Sensitive Stock Materials:

  • Navigate to “Additional Attributes” tab
  • Click on “Value Ranges” option
  • Click on “Add” icon

  • Select “Create New”
  • Select Range Type as “List of Values”
  • Enter the name of the value range beginning with VR_ for a list of values as “VR_ORDER_NUMBER”
  • Enter Description as “List of Order Numbers”
  • Click on “Create” button.

  • Value Range with specified details will be created.

  • Click on VR_ORDER_NUMBER link to add values in this Value Range. You will be navigated to Manage Derived Attributes/Value Ranges app
  • Click on Include Value option under Maintain List of Values tab

  • Click on “Add” icon under Include Value section

  • Enter “Value” as “0000001000121”
  • Enter “Comment” as “1000121”
  • Click on “Create” button

Enter following entries in “VR_ORDER_NUMBER” Value Range

Masking Configuration

In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.

To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.

  • Enable masking.
  • Select Attribute Based authorization concept.
  • Click on “Add” icon next to “Policy” edit box.

  • Enter Policy Name as “POL_MASK_CTRAREA”.
  • Enter Description as “Mask Controlling Area based on Order Number in SAC Story”.
  • Click on “Create” button.

  • Policy will get created.
  • Click on “Save” button.

  • Click on “Mask Controlling Area based on Order Number in SAC Story (POL_MASK_CTRAREA)” link. You will be navigated to “Manage ABAC Policies” app.

  • Choose “Edit” under “Rule” section of Policy.

  • ABAC Policy Cockpit will be opened.

Write following logic into Policy

Masking in SAP Analytics Cloud Story

  • Log in to SAP Analytics Cloud and click on the Stories menu option.

  • Click on “Production Cost by Order” Story.

  • Controlling Area field value will appear as masked where Order Number is “0000001000121”, “0000001000123”, “0000001000125”, “0000001000127”, and “0000001000129”.
Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Browser app

https://www.erpqna.com/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-browser-app/?utm_source=rss&utm_medium=rss&utm_campaign=attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-browser-app
Mon, 18 Dec 2023 12:04:53 +0000

Introduction

In this blog, we will learn how to mask Stock Quantity field information based on Stock Material field information of the C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query. Analytical Queries are used for reporting and analysis.

Stock Quantity field information of the C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query needs to be masked where “Stock Material” is “CCMPROD01”, “CCMPROD03”, “CCMPROD05”, “CCMPROD07”, and “CCMPROD09”. For other “Stock Material” values, the “Stock Quantity” field will appear unmasked.

Attribute-based authorization is a dynamic determination mechanism that determines whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as the data source and Fiori analytical applications as the frontend. Besides the S/4HANA Embedded Analytics frontend, SAP Analytics Cloud is also available as a frontend and is used together with S/4HANA Embedded Analytics.

SAP Query Browser app

SAP Query Browser is a powerful Fiori app for embedded analytics which is used to view, retrieve, and analyze analytical queries. It is used to search, browse, and tag the analytical queries quickly and easily. It is available as a tile in SAP Fiori Launchpad. It displays all the authorized SAP standard and custom analytical queries to which the user has access.

The SAP_BR_EMPLOYEE Query Browser role must be assigned to a user to access the Query Browser app.

To launch the Query Browser application, choose Query Browser from the Query Browser catalog.

In Query Browser app, analytical queries can be searched using view names, view descriptions, view column names, annotations, tables, and user added tags.

Here, we will use SAP Query Browser to showcase masking of sensitive fields of analytical queries. We will configure masking through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update, and delete sensitive attributes
  • Define masking and blocking configurations
  • Manage technical attribute mappings
  • Create and assign context attributes
  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet, or smartphone.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for Stock Quantity field information based on Stock Material field information in the C_STOCKQUANTITYCURRENTVALUE (Current Stock Quantity and Value) Analytical Query result, using the Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve masking of the Stock Quantity field

Log in to Fiori Launchpad and click on the “Manage Sensitive Attributes” app available under the “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on Add icon

  • Enter “LA_EA_STOCK_QTY” in Sensitive Attribute field
  • Enter “EA Stock Quantity” in Description field
  • Click on “Create” button

  • Sensitive Attribute with specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address for Analytical Query fields, you need to use the Recording Tool feature, because Technical Information is not available here by pressing the F1 key.

Under Technical Mapping > Analytics, choose the Add icon.

Use the value help to select the InfoProvider, Query, and InfoObject information. You can also enter the referenced query name as a comment to describe the mapping.

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
  • Open a context attribute by tapping the arrow next to it. Under Technical Mapping, you can map technical addresses to the context attribute in the same way as we did for the sensitive attribute.

Maintain Additional Attributes – Configure Value Range

In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.

A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.

To create a new value range for Sensitive Stock Materials:

  • Navigate to “Additional Attributes” tab
  • Click on “Value Ranges” option
  • Click on “Add” icon

  • Select “Create New”
  • Select Range Type as “List of Values”
  • Enter the name of the value range beginning with VR_ for a list of values as “VR_STOCK_MATERIAL”
  • Enter Description as “List of Stock Materials”
  • Click on “Create” button.

  • Value Range with specified details will be created.

  • Click on VR_STOCK_MATERIAL link to add values in this Value Range. You will be navigated to Manage Derived Attributes/Value Ranges app
  • Click on Include Value option under Maintain List of Values tab

  • Click on “Add” icon under Include Value section

  • Enter “Value” as “CCMPROD01”
  • Enter “Comment” as “CCM Product 1”
  • Click on “Create” button

Enter following entries in “VR_STOCK_MATERIAL” Value Range

Masking Configuration

In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.

To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.

  • Enable masking.
  • Select Attribute Based authorization concept.
  • Click on “Add” icon next to “Policy” edit box

  • Enter Policy Name as “POL_MASK_STOCKINFO”.
  • Enter Description as “Mask Stock info based on Stock Material in Embedded Analytics Query”.
  • Click on “Create” button.

  • Policy will get created.
  • Click on “Save” button

  • Click on “Mask Stock info based on Stock Material in Embedded Analytics Query (POL_MASK_STOCKINFO)” link. You will be navigated to “Manage ABAC Policies” app

  • Choose “Edit” under “Rule” section of Policy

  • ABAC Policy Cockpit will be opened

Write following logic into Policy

Masking in Analytical Query

  • Click on Query Browser app
  • Enter “C_STOCKQUANTITYCURRENTVALUE” in Search field and click on “Search” button

  • Select the checkbox and click on “Open for Analysis” button

  • Enter highlighted search criteria in the corresponding fields and click on “OK” button

  • Stock Quantity field value will appear as masked where Stock Material is “CCMPROD01”, “CCMPROD03”, “CCMPROD05”, “CCMPROD07”, and “CCMPROD09”.

Note: Because Stock Quantity is a key figure, its original value is replaced by 0.00, and the system also displays a notification about this.

UI Data Protection – How Enhanced Reveal method works in Masking scenario when Reveal Type is set as Workflow in SAP GUI

https://www.erpqna.com/ui-data-protection-how-enhanced-reveal-method-works-in-masking-scenario-when-reveal-type-is-set-as-workflow-in-sap-gui/?utm_source=rss&utm_medium=rss&utm_campaign=ui-data-protection-how-enhanced-reveal-method-works-in-masking-scenario-when-reveal-type-is-set-as-workflow-in-sap-gui
Mon, 14 Aug 2023 12:15:47 +0000

Introduction

In this blog post, we will learn how the “Workflow” Reveal type of Enhanced Reveal method works in SAP GUI. We will explore the configuration process by masking the “Social Security Number” of Employees in Infotype 2 (Personal Data) in transaction PA30.

A PFCG Role will be used for the authorization check which will allow users with the specified role to view the field value. If a user does not have this role, it means the user is not authorized and data will be protected either through masking, clearing, or disabling the field.

The result for unauthorized users will look like below:


Reveal on Demand

UI Data Protection Masking introduces an intercept point for a user’s access to data based on a determination of authorization. Reveal on Demand constitutes a second intercept, refining and basing authorization on additional conditions. This feature provides an additional level of data protection in SAP GUI by masking the field value by default, irrespective of whether the user is authorized to view the original field value. The authorized user then explicitly chooses the option to reveal the field value on the user interface.

In the case of the Workflow Reveal type, the user can choose the option “Reveal Data” to reveal the field value. When the authorized user tries to reveal the data, an Approval Request is generated and sent to the Approver configured on the Masking Configuration screen. The request remains Pending until it is approved by the Approver. The user will be able to view the revealed data once the request is approved. The revealed data is masked again once the timeout takes effect or when the user switches off the reveal using the “Hide Data” option.

  • To unmask the Social Security Number field information using the Reveal on Demand feature, follow the given path:

In the PA30 transaction “Display Personal Data” screen, click on the “Help” -> “Reveal Data” option.

  • On the Reveal on Demand wizard, in Field Selection (Step 1), Reveal Type will be displayed as “Request Approval”. Select the “ID number” field by clicking on the “Select” checkbox, and click on the “Next” button.

  • On the Reveal on Demand wizard, in Reveal Attribute (Step 2), the “Valid Until” field will show the date calculated based on the “Workflow Validity” days configured on the Reveal on Demand configuration details screen. The user can modify the validity date and click on the “Next” button.

  • On the Reveal on Demand wizard, in Enter Reason (Step 3), select “Reason” as “DVA Data Verification”, enter “Comments for Reveal” as “Unmask to view values”, and click on the “Submit” button.

  • On the Reveal on Demand wizard, in the Summary step, “Status” will be displayed as “Pending”. Click on the “OK” button.

  • Log in to the system using the Approver’s login credentials. Open the SAP Business Workplace screen. An “Approval Request” will be generated and displayed under the Workflow section of the Inbox on the SAP Business Workplace screen.

  • Select the Workflow Request and click on the “Execute” button.

  • Set the “Status” as “Approved” or click on the “Approve All” button, and click on the “Save” button.

  • The approval process will be completed.

  • Log in to the system using the Requestor’s login credentials and execute the PA30 transaction. The field value will be unmasked for the “Social Security Number” field.

  • To mask the field values again, follow the given path:

In the PA30 transaction “Display Personal Data” screen, click on the “Help” -> “Hide Data” option.

  • On the Reveal on Demand wizard, in the Hide Sensitive Data screen, select the “ID number” field by clicking on the “Select” checkbox, and click on the “Hide Data” button.

  • Click on the “Continue” button on the pop-up screen.

  • The “Social Security Number” field will again appear as masked.
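
The Workflow reveal sequence above, modelled as a small Python state machine. This is an added illustration, not code from the original post or from the SAP product; the user names, the two-day validity, and the sample number are constructed, and re-checking the role on every display is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Values taken from the walkthrough on this page.
REVEAL_ROLE = "/UISM/ALL"                     # PFCG role in the masking configuration
REASON_CODES = {"DVA": "Data Verification"}   # reason code selected in Step 3
# Constructed stand-ins (assumptions, not from the page).
APPROVER = "APPROVER1"                        # the configured "Approver" user
WORKFLOW_VALIDITY_DAYS = 2                    # the "Workflow Validity" setting


@dataclass
class RevealRequest:
    requester: str
    field_name: str
    reason: str
    comment: str
    valid_until: datetime
    status: str = "Pending"   # Pending -> Approved; "Hidden" is this model's own label


class RevealOnDemand:
    """Toy model of the Workflow reveal type: masked by default, revealed only
    while an approved, unexpired request exists for that user and field."""

    def __init__(self, user_roles):
        self.user_roles = user_roles   # user name -> set of PFCG role names
        self.requests = []

    def _authorized(self, user):
        return REVEAL_ROLE in self.user_roles.get(user, set())

    def request_reveal(self, user, field_name, reason, comment, now, valid_until=None):
        # First intercept: only users holding the role may ask for a reveal.
        if not self._authorized(user):
            raise PermissionError(f"{user} lacks role {REVEAL_ROLE}")
        if reason not in REASON_CODES:
            raise ValueError(f"unknown reason code {reason!r}")
        if valid_until is None:   # default proposed in Step 2; the user may change it
            valid_until = now + timedelta(days=WORKFLOW_VALIDITY_DAYS)
        req = RevealRequest(user, field_name, reason, comment, valid_until)
        self.requests.append(req)
        return req

    def approve(self, approver, req):
        # Second intercept: only the configured approver can release the data.
        if approver != APPROVER:
            raise PermissionError(f"{approver} is not the configured approver")
        if req.status != "Pending":
            raise ValueError(f"request is {req.status}, not Pending")
        req.status = "Approved"

    def hide(self, user, field_name):
        # "Hide Data": the user ends the reveal before the validity date.
        for req in self.requests:
            if (req.requester, req.field_name, req.status) == (user, field_name, "Approved"):
                req.status = "Hidden"

    def display(self, user, field_name, value, now):
        # The role is re-checked on every display (a design choice of this
        # model), so removing the role ends an already approved reveal.
        for req in self.requests:
            if (req.requester == user and req.field_name == field_name
                    and req.status == "Approved" and now <= req.valid_until
                    and self._authorized(user)):
                return value
        return "*" * len(value)   # masked: characters replaced by asterisks


def walkthrough():
    """Replay the steps above and return what the requester sees at each stage."""
    rod = RevealOnDemand({"REQUESTER1": {REVEAL_ROLE}})
    field_name, ssn = "Q0002-PERID", "123-45-6789"   # constructed sample value
    t0 = datetime(2023, 8, 14, 9, 0)
    seen = {"default": rod.display("REQUESTER1", field_name, ssn, t0)}
    req = rod.request_reveal("REQUESTER1", field_name, "DVA", "Unmask to view values", t0)
    seen["pending"] = rod.display("REQUESTER1", field_name, ssn, t0)
    rod.approve(APPROVER, req)
    seen["approved"] = rod.display("REQUESTER1", field_name, ssn, t0 + timedelta(hours=1))
    seen["expired"] = rod.display("REQUESTER1", field_name, ssn, t0 + timedelta(days=3))
    rod.hide("REQUESTER1", field_name)
    seen["hidden"] = rod.display("REQUESTER1", field_name, ssn, t0 + timedelta(hours=2))
    return seen


if __name__ == "__main__":
    for stage, shown in walkthrough().items():
        print(f"{stage:9} {shown}")
```
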

Prerequisite

UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

Requirement

Here, we want to configure masking for Social Security Number field in Infotype 2 (Personal Data) in transaction PA30 using Role-based authorization concept with Workflow Reveal type based on Enhanced Reveal method.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin!

Basic Settings for Reveal on Demand

To enable the Reveal on Demand feature, follow the path given below:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags

Follow the steps below:

  • Select the “Reveal on Demand” checkbox to enable the Reveal on Demand functionality.
  • Once you have enabled the Reveal on Demand feature, set the Reveal Method to Enhanced Reveal.

Maintain Reveal on Demand Configuration

If the Reveal Method is set to Enhanced Reveal, the following settings need to be maintained:

Timeout Period: Applies to Self Service scenarios and specifies how long, in minutes, the requesting user will be allowed to access the revealed data.

Validity Period: Applies to Workflow scenarios and specifies how long, in days, the requesting user will be allowed to access the revealed data. This default value can be changed by the requesting user and the approver as needed.

Follow the path given below:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reveal on Demand Configuration


Maintain Reason Codes

Reason Codes need to be maintained. They appear in the Reason field, and the user must select one when revealing the data of UI fields configured for masking.

Follow the path given below:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Reveal on Demand Configuration -> Maintain Reason Codes


Configuration to achieve masking for Social Security Number field

A Logical Attribute is a functional model of how an attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity, etc. should behave with masking.

Configure Logical Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow the steps below:

Under “Maintain Logical Attributes”, maintain the following logical attribute.

Social Security Number

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_SOCSECNO”
  • Enter “Description” as “Social Security Number”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Technical Address

To mask the fields on SAP GUI Module Pool screens, Technical Information (Program Name-Screen Number-Field Name) is required which users can get by pressing “F1” on the field.


Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address

Follow the steps below:

Under “SAP GUI (Module Pool) Field Mapping”, maintain the technical address for the following field.

  • Click on “New Entries” button
  • Enter “Program Name” as “MP000200”
  • Enter “Screen Number” as “2010”
  • Enter “Field Name” as “Q0002-PERID”
  • Enter “Logical Attribute” as “LA_SOCSECNO”
  • Click on “Save” button

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow the steps below:

Social Security Number

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_SOCSECNO” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Role Based Authorization” option
  • Enter “PFCG Role” as “/UISM/ALL”. The role “/UISM/ALL” must be assigned to the logged-in user. Customers can use any role as per their requirement.
  • Enter “Field Level Action” as “MASK_FIELD”
  • Check “Reveal on Demand” checkbox
  • Select “Reveal Type” as “Workflow”
  • Enter “Approver Type” as “User”
  • Enter “Approver” as “USERNAME”
  • Click on “Save” button
UI Data Protection – How to protect sensitive data in Long Text controls in SAP GUI Transactions

https://www.erpqna.com/ui-data-protection-how-to-protect-sensitive-data-in-long-text-controls-in-sap-gui-transactions/?utm_source=rss&utm_medium=rss&utm_campaign=ui-data-protection-how-to-protect-sensitive-data-in-long-text-controls-in-sap-gui-transactions
Sat, 29 Apr 2023 11:41:03 +0000

Introduction

In this blog, as an example, we will be showing how a Long Text field can be protected in MM03, ME23N, and ME53N transactions.

Purchase Order Text

A Purchase Order Text is a text describing the material in more detail. This text is subsequently copied to purchasing documents (such as purchase requisitions or purchase orders) automatically, where it can be changed if needed. It is valid for all organizational levels, not for a specific plant. Purchase order text can be entered in the material master record in many languages though only one text is allowed per language.

Sales Text

A Sales Text is a text describing the material in more detail. This text is subsequently copied to sales documents (such as requests for quotations or sales orders) automatically, where it can be changed if needed. It is valid for a specific sales organization and distribution channel. Sales Text can be entered in the material master record in many languages though only one text is allowed per language.

Here, we will learn the configuration process to protect the Purchase Order Text tab in the MM03 TCode. The same configuration process can be used to protect Text tab information in other TCodes such as ME23N and ME53N.

DISCLAIMER: This is not an out-of-the-box solution supported by the UI Data protection masking product, but customers can use the manual approach described in this blog to protect the sensitive information displayed in Long Text controls.

Prerequisite

UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

Requirement

Here, we want to protect sensitive information displayed in the Purchase Order Text tab in the MM03 TCode using the role-based authorization concept.

Since we cannot mask the Long Text field information, we will hide the Text control. To achieve this, we have to configure masking for a field that is displayed along with the text control, for example, the Language field. This is a dummy configuration, done only to activate the masking solution.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve protection for information displayed in Purchase Order Text tab

Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Logical Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow below mentioned steps:

Under “Maintain Logical Attributes”, maintain following logical attribute.

Purchase Order Text tab

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_PO_TEXT”
  • Enter “Description” as “Purchase Order Text Tab”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Technical Address

In order to mask the fields on SAP GUI Module Pool screens, Technical Information (Program Name-Screen Number-Field Name) is required which users can get by pressing “F1” on the field.

In this scenario, we will map the Logical Attribute to the Technical Address of any of the fields available on the Purchase Order Text tab, for example, the Language field. This is needed to trigger the masking framework.

To retrieve the Technical Address of the Language field, you need to use the Recording Tool feature, because the Technical Information is not available here by pressing the F1 key.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “SAP GUI (Module Pool) Field Mapping”, maintain technical address for following field.

Maintain Masking Pattern

In this step, we will configure Masking Patterns using the Masking BAdI strategy, which determines the way masked values are displayed on the UI. With the Masking BAdI strategy, the masking string displayed for a field on the UI is dynamic and is returned by the BAdI. The BAdI Implementation must have a filter value with the same name as the masking pattern.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Field-Level Masking Patterns and Actions -> Maintain Masking Pattern

Follow below mentioned steps:

Maintain Field-Level Actions

In this step, we will configure the actions to be applied to a field that is configured for UI data protection. An action determines how a field appears and behaves when it is rendered on the user interface. Predefined patterns can be applied to specific actions to define how the field is displayed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Field-Level Masking Patterns and Actions -> Maintain Field-Level Actions

Follow below mentioned steps:

BAdI Implementation

The visibility of Purchase Order Text tab can be controlled by implementing Masking Pattern BAdI /UISM/BD_MASK_PATTERN.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Business Add-Ins -> BAdI: Masking Pattern

Follow below mentioned steps:

In method “/UISM/IF_MASK_PATTTERN~EXECUTE_MASKING_PATTERN” of the BAdI Implementation class, the logic to set the visibility of the Purchase Order Text tab is implemented.

Add the same filter value as the name of the Masking Pattern “MASK_TEXT”.

Sample code is given below –

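METHOD /uism/if_mask_patttern~execute_masking_pattern.

* Transaction MM03: hide the long text editor control of the Purchase Order Text tab
    DATA: lr_ref TYPE REF TO cl_gui_textedit.

    " Reach the text editor reference held in program SAPLMGD1 via dynamic ASSIGN
    DATA(lv_value1) = '(SAPLMGD1)<EDITOR_OBJ>'.
    ASSIGN (lv_value1) TO FIELD-SYMBOL(<fs_gt_control>).

    IF <fs_gt_control> IS ASSIGNED AND <fs_gt_control> IS NOT INITIAL.

      lr_ref = <fs_gt_control>.
      " Make the text control invisible on the screen
      lr_ref->set_visible(
        EXPORTING
          visible           =  abap_false                " Visible
        EXCEPTIONS
          cntl_error        = 1                " CNTL_ERROR
          cntl_system_error = 2                " CNTL_SYSTEM_ERROR
          OTHERS            = 3
      ).
      IF sy-subrc <> 0.
        " The control could not be hidden, so the long text stays visible.
        " No error handling is implemented in this sample.
      ENDIF.
    ENDIF.

    " Masked value returned for the dummy field that triggers the masking framework
    cv_output_value = '******'.
ENDMETHOD.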

Maintain Field Level Security and Masking Configuration

Here, we define how masking behaves for the logical attribute that we created earlier. Select the same Field Level Action that we created in the step above.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:

Purchase Order Text tab

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_PO_TEXT” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Role Based Authorization” option
  • Enter “PFCG Role” as “/UISM/PFCG_ROLE”. In this example, we have used a blank role “/UISM/PFCG_ROLE”. Customers can use any role as per their requirement.
  • Enter “Field Level Action” as “MASK_TEXT”
  • Click on “Save” button

Protecting Purchase Order Text tab information

Follow below mentioned steps:

  • Execute “MM03” TCode
  • Enter “Material” as “2257”
  • Click on “Select View(s)” button
  • Select “Purchase Order Text” view
  • Click on “Continue” button
  • Select “Plant” as “GT01”
  • Click on “Continue” button
  • Purchase Order Text information will not be displayed

Mitigation Controls creation and assignment in SAP GRC 12.0
https://www.erpqna.com/mitigation-controls-creation-and-assignment-in-sap-grc-12-0/
Wed, 19 Apr 2023 11:28:54 +0000

Purpose of the document:

Creation and assignment of Mitigation Controls in SAP GRC 12.0. This document describes the Mitigation configuration process in GRC12 Access Control in a simple and easy way.

What is Mitigation?

Mitigation allows you to mitigate certain risk violations that you want available to specific users or roles. This is done by creating and assigning a Mitigation Control.

Why is Mitigation required?

You can use mitigation controls when it is not possible to separate Segregation of Duties (SoD) from the business process.

Use

You can use Mitigating Controls to associate controls with risks, and assign them to users, roles, profiles, or HR objects. You can then define individuals as control monitors, or approvers, and assign them to specific controls. You can also create organizations and business processes to help categorize mitigating controls.

Using the Mitigating Controls section, you can complete the following tasks:

  • Create mitigating controls (that you cannot remove)
  • Assign mitigating controls to users, roles, and profiles that contain a risk
  • Establish a period of time during which the control is valid
  • Specify steps to monitor conflicting actions associated with the risk
  • Create administrator, control monitors, approvers, and risk owners, and assign them to mitigating controls

Now we will learn how to create and assign a Mitigation.

Step 1) As a prerequisite, two Owners (normal dialog user IDs) should be created in SU01 and assigned the roles below.

GRC Controller Roles under PFCG

They should also be maintained under the path NWBC > Setup > Access Owners > Access Control Owners, as below.

Assign one as Mitigation Monitor and the second as Mitigation Approver.

Owners Assignment

Now Save and Close.

Step 2) Now, we will create the Root Organization.

Path: SPRO > GRC > Shared Master Data Setting > Create Root Org Hierarchy

SPRO Tcode

Give the name as per your requirement and execute.

Step 3) Now, go to NWBC > Setup and maintain data for the Root Organization.

Under NWBC

Open the Organization you created.

Details for the General and Owners tabs are compulsory.

In the Owners tab, maintain the users which we created in Step 1.

Step 4)

Now, we will create the Mitigation Control Id.

Go to NWBC > Setup > Mitigation Control

Maintain the details.

Give the Risk Id that you want to mitigate under Access Risks. One Mitigation Id can be used to mitigate multiple risks.

Risk Id assignment

In the Owners tab, maintain the same two users which we created in Step 1, one as Approver and the other as Monitor.

Owners Assignment

We have now created the Mitigation Control Id. Save and close this tab.

Step 5)

Now we will assign this Mitigation Control Id to the user who has a risk.

Go to Mitigated User under Access Management in NWBC.

Go to the Assign tab and fill in all the required details. We have already created the Control Id, Monitor and Approver, so the same can be maintained here. Also give the name of the user you want to mitigate and click on Save.

User Mitigation

Step 6)

We may now proceed to Risk Analysis.

Maintain all required details.

Upon executing Risk Analysis, it will show no violation.

Risk Analysis

The user is mitigated and we achieved our goal. We learned the end-to-end process of Mitigation creation and assignment here.

UI Data Protection – How to use Recording Tool for masking in Analytical Queries
https://www.erpqna.com/ui-data-protection-how-to-use-recording-tool-for-masking-in-analytical-queries/
Mon, 14 Nov 2022 11:21:04 +0000

Introduction

Recording Tool is used to store the Technical Address Entries for UI fields. It is used to activate recording for one or more users for specific timeframes. During this time, the system will record the technical addresses of the UI fields that the user accesses. It is used to track the users who have accessed certain fields that are configured. It is also used to delete the recorded entries.

This report can be used to activate and deactivate the user for storing the technical address for UI fields and to view the information that has been recorded in this way. This report can also be used to map logical attributes to UI fields.

Prerequisite

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, Web Dynpro ABAP, and Embedded Analytics.

Requirement

To mask the fields in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required, but due to a technical limitation “F1” does not work for Analytical Queries.

In this scenario, the “Recording Tool for UI Fields” feature helps the user find the technical address for UI masking. This report logs User Trace, InfoProvider-Query-InfoObject, Field Value and other metadata information that helps users find the Technical Address for masking.

If, even after running the Recording Tool, you do not see the InfoProvider-Query-InfoObject information of the field that you want to mask in the query result, then it is not possible to mask that field because of a technical limitation.

How to use Recording Tool for Technical Address?

The user should be activated for recording and then needs to execute the query for which masking is required. After successful execution of the query, the user can view InfoProvider-Query-InfoObject and other metadata information.

Let’s begin

Execute the Recording Tool Transaction

  • Execute T-Code “/N/UISM/TTRACE”. “Recording Tool for UI Fields” screen will be displayed.
  • Enable Recording – Click on “Global Enable” button to activate recording at Global Level.

Activate User

  • Click on “Activate User” button to activate recording for the user. Provide the “Username” and “Timeout Period in minutes”, check the “Value to be stored?” check-box and click on “OK” button.
    • User: The user for whom technical address entries for UI fields are stored.
    • Timeout (in Mins): User activation timeout period in minutes.
    • Value to be stored: Whether the field value is to be stored or not.
  • Recording will get activated for the user and “Status” will change to “Active”

Launch the application

Once Recording for the user is activated, use the Query Browser application to execute the Analytical Query for which the Technical Address needs to be captured. In this blog post, we take the “C_TRIALBALANCE” Analytical Query as an example.

  • Click on the “Query Browser” app tile to launch the application
  • Enter “C_TRIALBALANCE” in Search field and click on “Search” button
  • Select the checkbox and click on “Open for Analysis” button
  • Enter highlighted search criteria in the corresponding fields and click on “OK” button
  • Query Result will be displayed

View Recording Data

  • Select the User for which you want to view the Recording Data and click on “View Recording” button
  • Provide the Selection Criteria to view the Recording Data and click on “Execute” button
  • View Recording Data based on the Channel (GUI, GUI Dynpro, Web Dynpro, Web Client UI, UI5, Analytics). Based on the selection criteria, the system displays a list of entries
  • Click on menu “RFC Destination” and then click on “Maintain RFC to Customizing Client” option
  • Select the “RFC to Cust Client” value from the list which will be available by pressing “F4” on the field

“RFC to Cust Client” field value must be specified. This field expects the “RFC Destination of the Customizing Client”. This RFC will be used by UI Data protection masking Recording Tool Application to maintain Masking Configuration in Customizing system. The Logical Attributes maintained in this client will be visible in simulation view report.

Assign Logical Attribute

  • Select the entry for which you want to configure the Logical Attribute and click on “Assign Logical Attribute” button.
  • Enter Logical Attribute name and select one of the options (i.e., Technical Address or Data Element) based on which you want to configure the Logical Attribute and click on “OK” button
  • Success message will be shown if Logical Attribute is successfully assigned and assigned Logical Attribute will be displayed next to the Field ID on which it has been assigned
  • The mapping of the Logical Attribute to the Technical Address can also be seen in the “Analytics Technical Address” section under “Maintain Analytics Technical Address”.

Attribute Based Access Control (ABAC) – Data Blocking Configuration to protect Sensitive Business Partners from Unauthorized Users
https://www.erpqna.com/attribute-based-access-control-abac-data-blocking-configuration-to-protect-sensitive-business-partners-from-unauthorized-users/
Fri, 22 Apr 2022 10:40:47 +0000

Introduction

In this blog post, we will learn how to configure Data Blocking through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in a SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:

  • Create, update and delete sensitive attributes
  • Define masking and blocking configurations
  • Manage technical attribute mappings
  • Create and assign context attributes
  • Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet or smartphone.

Prerequisite

UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.

Requirement

Data Blocking is required for BP transaction. Some Business Partner records which are for “Military Use” need to be protected from unauthorized access by configuring Data Blocking on this transaction and on “Manage Business Partner Master Data” Fiori app. There is a flag “Military Use” under “Trade Compliance” section of “Identification” tab of BP transaction. If this flag is checked that means the Business Partner is sensitive and only authorized users can see the details.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Data Blocking in BP transaction

Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on Add icon
  • Enter “LA_BP_ID” in Sensitive Attribute field
  • Enter “BP ID Number” in Description field
  • Click on “Create” button
  • Sensitive Attribute with specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

  • Under Technical Mapping > SAP GUI, choose the Add icon and maintain following entries –
  • Under Technical Mapping > SAPUI5, choose the Add icon and maintain following entry –

Mass Configuration

For mass configuration, select the Mass Configuration icon. The system generates additional customizing for SAP GUI and data element entries. Once the application is refreshed, the entries are listed under Module Pool.

  • Select all the records and click on “Mass Configuration” button
  • On completion, navigate to Technical Mapping > SAP GUI (Module Pool) section to see the generated entries

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
  • Open a context attribute by tapping the arrow next to it and under Technical Mapping, you can map technical addresses to the context attribute in the same way we did for sensitive attribute
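  • Click on “Fallback Option: via code” tab and maintain “Class Name” as “ZCL_DETERMINE_MILVE”

Write the following logic into the class

METHOD /uism/if_ca_code_fallback~execute.
  " Start with an empty result; it stays empty if no value can be derived
  CLEAR ev_output.

  " Find the Business Partner number passed in for sensitive attribute LA_BP_ID
  READ TABLE it_name_value_pair ASSIGNING FIELD-SYMBOL(<fa_nvp>) WITH KEY sem_attribute = 'LA_BP_ID'.
  IF sy-subrc EQ 0.
    " Return the "Military Use" flag (MILVE) of this Business Partner from BUT000
    SELECT SINGLE milve FROM but000 INTO ev_output WHERE partner = <fa_nvp>-value_int.
  ENDIF.
ENDMETHOD.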

Policy Configuration

A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-based Authorizations

Follow below mentioned steps:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_BLOCK_BP”
  • Select “Type” as “Data Blocking”
  • Enter “Description” as “Block Sensitive Business Partners in BP transaction”
  • Click on “Save” button

Write following logic into Policy

Maintain Programs for Data Blocking

To achieve Data Blocking for SAP GUI transactions, there is an additional mandatory step i.e. configure the program name of the SAP GUI transaction in Customizing under SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Programs for Data Blocking. Follow the below steps –

  • Click on “New Entries” button
  • Enter Calling Program as “SAPLBUPA_DIALOG_JOEL”
  • Check the “Enable” checkbox
  • Enter Description as “Block Sensitive BP Records”
  • Click on “Save” button

Data Blocking Configuration

In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.

Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view.

To configure blocking for a sensitive attribute, under Configuration > Data Blocking Configuration, choose Edit.

  • Enable Data Blocking.
  • Use the value help to select “POL_BLOCK_BP” policy for attribute-based authorization.
  • Save the configuration.

Data Blocking in BP transaction

  • Enter T-Code as “BP” and press “Enter” key
  • Enter “2000*” in “Business Partner” field and click on “Start” button

Following BP Records will not appear in grid as they are blocked –

  • Enter “20001” in “Business Partner” field and click on “Start” button

BP Record 20001 will not appear in grid as it is blocked.

  • Click on “Open BP” button
  • Enter “20003” in “Business Partner” field and click on “Enter” button
  • BP Record 20003 details will not be displayed and proper message will be displayed that “Certain records are blocked via UI Data Protection”.

Data Blocking in Manage Business Partner Master Data Fiori app

  • Click on Manage Business Partner Master Data application
  • Click on “Business Partner” field
  • Enter Search Condition and click on “OK” button
  • Click on “Go” button
  • Sensitive BP Records will not be displayed and proper message will be displayed that “Some of the records have been suppressed! Fetching available records…”.
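
The blocking decision walked through above, as an added Python model that is not part of the original post and is not SAP's implementation: a context attribute is derived from LA_BP_ID the way the fallback class does it, a policy decides on it, and the list view and the single-record view apply the same decision. The rule assumed for POL_BLOCK_BP, the context attribute name LA_BP_MILVE, the role Z_BP_MILITARY_VIEWER and the BUT000 rows are constructed for illustration; the post does not show them.

```python
"""Conceptual model of attribute-based data blocking (illustration, not SAP code)."""
from fnmatch import fnmatchcase

# Constructed stand-in for table BUT000: partner -> MILVE ("Military Use") flag.
BUT000 = {
    "20000": "",
    "20001": "X",
    "20002": "",
    "20003": "X",
    "20004": "",
}

SENSITIVE_ATTRIBUTE = "LA_BP_ID"          # sensitive attribute from the post
CONTEXT_ATTRIBUTE = "LA_BP_MILVE"         # hypothetical context attribute name
AUTHORIZED_ROLE = "Z_BP_MILITARY_VIEWER"  # hypothetical role of authorized users


def resolve_context(name_value_pairs):
    """Derive MILVE from the LA_BP_ID value, like the fallback class.

    As in the ABAP method, a missing LA_BP_ID pair, an unknown partner and
    an unset flag all produce the same empty output.
    """
    partner = name_value_pairs.get(SENSITIVE_ATTRIBUTE)
    if partner is None:
        return ""
    return BUT000.get(partner, "")


def policy_blocks(context, user_roles):
    """Assumed rule: block military-use partners unless the user is authorized."""
    return context[CONTEXT_ATTRIBUTE] == "X" and AUTHORIZED_ROLE not in user_roles


def is_blocked(partner, user_roles):
    """Build the context for one record and let the policy decide."""
    context = {CONTEXT_ATTRIBUTE: resolve_context({SENSITIVE_ATTRIBUTE: partner})}
    return policy_blocks(context, user_roles)


def search(pattern, user_roles):
    """List view: blocked rows are dropped; returns (visible, suppressed_count)."""
    matches = sorted(p for p in BUT000 if fnmatchcase(p, pattern))
    visible = [p for p in matches if not is_blocked(p, user_roles)]
    return visible, len(matches) - len(visible)


def open_partner(partner, user_roles):
    """Single-record view: must reach the same decision as the list view."""
    if partner not in BUT000:
        return "not found"
    if is_blocked(partner, user_roles):
        return "blocked"
    return "displayed"


if __name__ == "__main__":
    for roles in (set(), {AUTHORIZED_ROLE}):
        print(sorted(roles), search("2000*", roles), open_partner("20003", roles))
```

When testing a real configuration, the same two checks apply: a wildcard search and a direct open of a flagged partner should both come back blocked for an unauthorized user, and both should succeed for an authorized one.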
