Product Information
Attribute Based Access Control (ABAC) – How Policies are being created and Evaluated?
Introduction
In an earlier blog post by Shantanu Sharma, Context-based authorizations in Field Masking scenarios through Policies which is introduced in the product UI Data Protection Masking for SAP S/4HANA has been explained. A basic overview of Policy and its various components were explained in that blog post.
In this blog post, I will explain how policies are created and evaluated in UI Data Protection Masking for SAP S/4HANA in order to mask/protect the fields by highlight some interesting cases where Policies can be used and the other ways of getting more intricate contextual data.
Requirement
Context-based masking is required through Attribute-based authorization to mask “Gross Weight” and “Net Weight” fields in MARA table in transactions SE16 and MM03 for materials of Material Group “300“.
Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials is masked).
The end result will appear as:
Prerequisite
Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.
Let’s begin
Configuration to achieve masking
Logical Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.
Configure Logical Attribute
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Logical Attributes
Configure Derived Attribute
Derived Attributes are user defined attributes which are populated at run time. The derivation of these attributes can be maintained in a class method. The name of the Class can be specified while maintaining a derived attribute in the IMG.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy-> Derived Attribute Definition
Material Group
Implementation of Derived Attribute for Material Group
For the given case, we are masking Gross Weight (MARA-BRGEW) and Net Weight (MARA-NTGEW) fields in transaction MM03 and SE16. The context for our rule (i.e. Material Group (MARA-MATKL) is available as context in table MARA in SE11/SE16/SE16N transactions but the same is not available in transaction MM03 (as in case of Module Pool programs, Context of only sub-screen fields are available), Hence, there is a need to create a Derived Attribute for Material Group for Material Master (MM02/MM03) cases.
Steps to implement Class for Derived Attribute:
- Execute transaction SE24
- Create Derived Attribute Class mentioned in the configuration (i.e. ZCL_MATGROUP)
- Implement the Interface: /UISM/IF_DERIVED_ATTR_VALUE in the Class
- Sample implementation of Method: /UISM/IF_DERIVED_ATTR_VALUE~EXECUTE
Configure Value Range
Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy-> Value Range Definition
Range for Material Group
- Enter entries in “VR_MATGROUP” Value Range
- Execute Transaction Code “/UISM/V_RANGE”
- Click on “VR_MATGROUP” Value Range
- Click on “Display<- -> Change” button
- Click on “Add New Entry” button
- Add Value as “300” and Description as “Aircrafts” under “Include Value” tab
- Click on “Save” button
Maintain Technical Address
In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.
You can get the Technical Address of a GUI field by pressing “F1” on the field.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Under “GUI Table Field Mapping”, maintain technical address for following fields.
Note: Click on “Mass Configuration” button which is required to generate technical addresses for Module Pool Programs.
Policy Configuration
A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a Sensitive Entity (field to be protected) which must be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.
Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a Sensitive Entity.
Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Policy Details for Attribute based Authorizations
Follow below mentioned steps:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_SENSITIVE_MAT”
- Select “Type” as “Field Level Masking”
- Select “Application Module” as “* Cross-Application”
- Enter “Description” as “Mask Sensitive Attributes of Material”
- Click on “Save” button
Design Policy – Follow the given steps:
- Select Policy “POL_SENSITIVE_MAT”
- Click on “ABAC Policy Cockpit” button, “ABAC Policy Cockpit” screen will be displayed
- Click on “Add Block” button
- Enter “Block Description” as “Mask Sensitive Attributes” and click on “Continue” button
- Expand the block added into Policy and double-click on “Pre-Condition” tab
- Double-click on “SY-TCODE” Environment Variable to add into the block
- Click on “=” operator to add into the block
- Click on “Constant” operator, enter value as “SE16”, and click on “Continue” button
- Click on “OR” operator
- Double-click on “SY-TCODE” Environment Variable to add into the block
- Click on “=” operator to add into the block
- Click on “Constant” operator, enter value as “MM03”, and click on “Continue” button
- Double-click on “Rule” tab
- Click on “Attributes” button, “Assign Attributes to Policy” screen will be displayed
- Choose “Action” as “Assign Attributes” and click on “Derived Attribute” button
- Choose “DA_MATGROUP” Derived Attribute from the list and click on “Continue” button
- “DA_MATGROUP” Derived Attribute will get added into “Derived Attribute” section
- Click on “Attributes” button, “Assign Attributes to Policy” screen will be displayed
- Choose “Action” as “Assign Attributes” and click on “Value Range” button
- Choose “VR_MATGROUP” Value Range from the list and click on “Continue” button
- “VR_MATGROUP” Value Range will get added into “Value Range” section
- Double-click on “DA_MATGROUP” Derived Attribute to add into the block
- Click on “IN” operator to add into the block
- Double-Click on “VR_MATGROUP” Value Range to add into the block
- Click on “Result” button in “Result” section, “Data Protection Options” pop-up screen will be displayed
- Select “Action” option and set drop-down value as “Mask the Field” in “Action” section of pop-up
- Check “Enable Reveal” checkbox in “Reveal on Demand” section of pop-up
- Select “Trace On” in “Trace” drop-down in “Field Access Trace” section of pop-up
- Click on “Continue” button
- Double-click on “Default Result of Policy” tab, “Result” screen will be displayed
- Set “Authorize” option in “Action” section of screen
- Select “Trace On” in “Trace” drop-down in “Field Access Trace” section of screen, and click on “POL_SENSITIVE_MAT” Policy Header tab
- Final Policy output will be displayed as:
- Click on “Save” button to save the Policy information. Once Policy is saved, “Status” will be set as “Draft”.
- Click on “Check” button to check the functional syntax of Policy
- Click on menu “RFC Destination” and then click on “Maintain RFC to Development Client” option
- Select the “RFC to Dev Client” value from the list which will be available by pressing “F4” on the field
“RFC to Dev Client” field value must be specified. This field expects the “RFC Destination of the Development Client”. This RFC will be used by UI Data protection masking to generate Policy Code in the Development system.
- Click on “Generate” button to generate the Policy. The Policy will be generated in the Development system which was specified in “RFC to Dev client” field. Once Policy is generated, “Status” will be set as “Active”
Maintain Field Level Security and Masking Configuration
Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Field Level Security and Masking Configuration
Conclusion
In this blog post, we have learnt how Attribute-based masking is achieved in transactions SE16 and MM03 for masking “Gross Weight” and “Net Weight” fields for materials of Material Group “300”.
Nice - Oldies but goldies. Comprehensive overview and still (despite some details changes to the solution) an excellent "how to" on the ABAC engine in SAP UI Data Protection Masking! Thanks, Amit!
Hi Amit,
I'm new to UI Masking..
For Attribute-Based Masking how would we ensure only specific people can see masked data? Do we need to place user ID's in the code? If all the specific people have /UISM/PFCG_ROLE then wont they see each others sensitive masked data?
Also, the material for UI masking is very light around recent learning material. Could you guide me in the right direction to get better documents/procedures?
Thanks. Johnny
Hi Johnny,
In ABAC, you can include PFCG Role or Username in the Policy logic to distinguish between authorized and unauthorized user. PFCG Role and Username is available as Environment Variable which can be used in the Policy logic.
Please refer the following documentation to get a better insight about the solution -
UI Data Protection Masking Help Portal
UI Data Protection Community
You may also connect with our support team by raising an incident under "GRC-UDS-DO" component so that we can also help you in a better way.
Regards,
Amit Kumar Singh