Skip to Content
Product Information

Attribute based authorizations using Policy – Part 1

In an earlier blog post by Mohd Insaf Khan, he describes how context based masking scenarios can be implemented for SAP GUI through a BAdI.


In this blog post, you will learn how to handle context based authorizations in Field Masking scenarios through Policies which are introduced in the product UI Data Protection Masking for S/4 HANA. A basic overview of Policy and its various components is provided in this Blog.


Q) Why Policy ? 

Ans) Policies are a user-friendly way of implementing authorization rules. To implement a basic Policy the user is not required to have technical knowledge of BAdIs. So for a user unfamiliar with BAdIs, he/she can use Policies to execute field masking.


Q) What is a Policy ?

Ans) A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.


Q) What is a Block ? 

Ans) A block is the basic building ‘block’ of a Policy. A policy can have one or more blocks which define the conditions which need to evaluated and the actions which need to be performed according to the conditions.

Each block comprises of 3 parts :

  1. Pre-condition
  2. Rule (Mandatory) –
  3. Default Result (Mandatory)


1. Pre – Condition

The pre-condition allows you to define a condition which will decide if the statement(s) maintained in the Rule will be evaluated or not.  If the pre-condition holds true, only then will the Rule be evaluated. When a pre-condition is left blank it is assumed to be true. If the pre-condition fails (returns False), the current Block will be bypassed and the next block will be evaluated.



If a user wishes to execute a Policy only when the Transaction Code is SE16 OR SE16N, the following pre-condition should be maintained :             


SY-TCODE = ‘SE16’ OR SY-TCODE = ‘SE16N’.      (1) 


This implies that the subsequent Rule defined by the user in the Policy should only be implemented if the transaction code is SE16 or SE16N. Here SY-TCODE acts as the contextual attribute.


2. Rule

The Rule is a combination of conditions and the actions. Here, you can define the condition(s) and action (mask, hide, clear etc.) which will be evaluated and executed on the sensitive entity assigned to the policy. If all the conditions defined in a rule fail (returns False), no action will be executed, and the Default Result will be executed. All the subsequent blocks (if any) will be bypassed once a rule condition evaluated.


  1. If a user wishes to mask the annual salary of an employee only if his Personnel number(PERNR) is ‘69’, the following Rule should be maintained in the respective Block.  


PERNR = ‘69’                                                                                         (2)




The result specifies the action which is executed on the assigned sensitive entity. If PERNR is not 69 then the default result will be executed on the sensitive entity. Here, PERNR acts as the contextual attribute.


3. Default Result of Rule

The default result of the rule allows you to select an action which is to be executed if the Rule condition fails. This field is mandatory and should be present for every block. The Default Result provides a logical end to a block.



 DEFAULT RESULT  = ‘CLEAR’                                                                      (3)


If the Rule of a block fails, the sensitive entity / entities linked to the Policy will be cleared by default.


Statements (1), (2) and (3) when combined make a block which implicitly execute the following  conditional logic:


If Transaction Code is SE16 or SE16N                                                                   *Pre-Condition

               If Personnel Number is 69                                                                         *Rule

Mask (the sensitive entity)                         

               Else, Clear (the sensitive entity)                                                               *Default Result 

Else Move to Next Block.


Q) How do I create a Policy ? 

Ans) The Policy Builder provides a environment to develop Policies. The Policy Builder provides a list of pre-defined contextual attributes, actions and miscellaneous features which the user can use to protect a sensitive entity. The user can also create user defined contextual attributes which can be used through the Policy Builder.  Before defining a Policy, the user must ensure that a sensitive entity is assigned to the Policy.


In the upcoming blogs in this series, I would highlight some interesting cases where Policies can be used and what are the other ways of getting more intricate contextual data.

1 Comment
You must be Logged on to comment or reply to a post.