Attribute Based Access Control (ABAC) – How to configure Data Blocking in CS03 transaction using Manage Sensitive Attribute app
In this blog post, we will learn how to configure Data Blocking through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution, which is based on the Attribute Based Access Control (ABAC) concept.
Manage Sensitive Attributes app
The Manage Sensitive Attributes application allows you to maintain the configuration for UI data protection in an SAP Fiori-based UI.
This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:
- Create, update and delete sensitive attributes
- Define masking and blocking configurations
- Manage technical attribute mappings
- Create and assign context attributes
- Create and assign derived attributes and lists of values
You can use the app on your desktop, tablet or smartphone.
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.
Data Blocking is required for the CS03 transaction. Some sensitive BoM records need to be protected from unauthorized access by configuring Data Blocking on this transaction. The product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
Configuration to achieve Data Blocking in CS03 transaction
Log in to the Fiori Launchpad and click on the “Manage Sensitive Attributes” app available under the “UI data protection masking” catalog.
Maintain Sensitive Attributes
A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.
- Click on Add icon
- Enter “LA_BOM_BLOCK” in Sensitive Attribute field
- Enter “Block BoM in CS03” in Description field
- Click on “Create” button
- Sensitive Attribute with specified details will be created.
Maintain Mapping to Technical Addresses
In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.
To find the technical addresses for SAP GUI screens, navigate to the field and choose F1, then the Technical Information icon. The system displays the relevant information.
Choose the Add icon.
Use the value help to select the table name and the field name. You can also enter the referenced transaction codes as a comment to describe the mapping.
For mass configuration, select the Mass Configuration icon. The system generates additional customizing for SAP GUI and data element entries. Once the application is refreshed, the entries are listed under Module Pool.
- Select all the records and click on “Mass Configuration” button
A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.
Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.
Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.
Follow the given path:
SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-based Authorizations, then follow the steps below:
- Click on “New Entries” button
- Enter “Policy Name” as “POL_BLOCK_BOM”
- Select “Type” as “Data Blocking”
- Enter “Description” as “Block BoM in CS03”
- Click on “Save” button
Write the following logic into the Policy:
Maintain Programs for Data Blocking
To achieve Data Blocking for SAP GUI transactions, there is an additional mandatory step: configure the program name of the SAP GUI transaction in Customizing under SPRO ->
- Click on “New Entries” button
- Enter Calling Program as “SAPLCSDI”
- Check the “Enable” checkbox
- Enter Description as “Block BoM in CS03”
- Click on “Save” button
Data Blocking Configuration
In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.
Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view.
To configure blocking for a sensitive attribute, choose the Edit icon and then:
- Enable data blocking.
- Use the value help to select the “POL_BLOCK_BOM” policy for attribute-based authorization.
- To customize the message displayed to unauthorized users, enter the message class /UISM/UI and use the value help to select a message number.
- Select a fallback action to determine how the system is to behave if blocking is not possible in a particular table.
- Save the configuration.
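To make the policy, context attribute and sensitive entity concepts from the policy section above and the blocking configuration (policy assignment, message, fallback action) concrete, here is a small Python model of the decision the solution makes for each row of a table. This is an added illustration and not SAP's policy engine or policy syntax: the rule logic, the context attribute "role", the role names, the fallback action values "MASK" and "HIDE_ALL", the material M-01 and the component numbers are all assumptions made for the example; M-02, plant 1000, POL_BLOCK_BOM, LA_BOM_BLOCK and the message text come from the post.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Context = Dict[str, str]   # context attributes derived for the current request
Record = Dict[str, str]    # one BoM row as CS03 would list it

# Message text taken from the post; the mapping to message class /UISM/UI is
# configured in the app and not modelled here.
BLOCK_MESSAGE = "Certain records are blocked via UI Data Protection"

# Assumption for the example: which materials carry sensitive BoMs.
SENSITIVE_MATERIALS = {"M-02"}


@dataclass
class Rule:
    """One rule of a policy; condition() is True when the record must be blocked."""
    name: str
    condition: Callable[[Context, Record], bool]


@dataclass
class Policy:
    """A policy combines rules with an action; the action here is always 'block'."""
    name: str
    policy_type: str
    rules: List[Rule]

    def blocks(self, ctx: Context, record: Record) -> bool:
        # The record is blocked as soon as any rule of the policy fires.
        return any(rule.condition(ctx, record) for rule in self.rules)


@dataclass
class BlockingConfig:
    """Blocking configuration assigned to a sensitive attribute (LA_BOM_BLOCK)."""
    sensitive_attribute: str
    policy: Policy
    message: str
    fallback_action: str   # "MASK" or "HIDE_ALL" (assumed values); used when rows cannot be hidden


def _unauthorized_for_sensitive_bom(ctx: Context, rec: Record) -> bool:
    # Assumed rule: the context attribute "role" decides who may see a
    # sensitive BoM; every other role is blocked.
    return rec["material"] in SENSITIVE_MATERIALS and ctx.get("role") != "BOM_ADMIN"


POL_BLOCK_BOM = Policy(
    name="POL_BLOCK_BOM",
    policy_type="Data Blocking",
    rules=[Rule("block sensitive BoM for unauthorized roles", _unauthorized_for_sensitive_bom)],
)

LA_BOM_BLOCK_CONFIG = BlockingConfig("LA_BOM_BLOCK", POL_BLOCK_BOM, BLOCK_MESSAGE, "MASK")


def _masked(rec: Record) -> Record:
    # Masking replaces every value with generic characters, as the post describes.
    return {key: "****" for key in rec}


def apply_blocking(cfg: BlockingConfig, ctx: Context, rows: List[Record],
                   row_blocking_supported: bool = True) -> Tuple[List[Record], List[str]]:
    """Evaluate the policy for each row and return (visible rows, messages).

    When the table can drop single rows, blocked rows are removed and the
    configured message is returned once. When it cannot, the fallback action
    decides: MASK keeps the rows but masks the blocked ones; HIDE_ALL (and any
    unknown value, so that the default fails closed) suppresses the whole table.
    """
    blocked = [cfg.policy.blocks(ctx, rec) for rec in rows]
    if not any(blocked):
        return list(rows), []
    if row_blocking_supported:
        visible = [rec for rec, is_blocked in zip(rows, blocked) if not is_blocked]
        return visible, [cfg.message]
    if cfg.fallback_action == "MASK":
        visible = [_masked(rec) if is_blocked else rec for rec, is_blocked in zip(rows, blocked)]
        return visible, [cfg.message]
    return [], [cfg.message]


# Constructed sample rows: M-02 / plant 1000 is the record the post blocks;
# M-01 and the component numbers are made up for the example.
SAMPLE_ROWS = [
    {"material": "M-01", "plant": "1000", "bom_usage": "1", "alternative": "1", "component": "C-100"},
    {"material": "M-02", "plant": "1000", "bom_usage": "1", "alternative": "1", "component": "C-200"},
]

if __name__ == "__main__":
    viewer = {"user": "jdoe", "role": "BOM_VIEWER"}
    visible, messages = apply_blocking(LA_BOM_BLOCK_CONFIG, viewer, SAMPLE_ROWS)
    print([row["material"] for row in visible], messages)
    # ['M-01'] ['Certain records are blocked via UI Data Protection']
```

The point of the fallback branch is the one a practitioner should check in the real configuration as well: when a table cannot hide individual rows, the fallback action decides whether sensitive data is masked or the whole table is suppressed, and an unknown or unset value should suppress rather than show.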
Data Blocking in CS03 transaction
- Enter the transaction code “CS03” and press the Enter key
- Enter “M-02” in “Material” field
- Enter “Plant” as “1000”
- Enter “BOM Usage” as “1”
- Enter “Alternative BOM” as “1”
- Click on “Item” button
- The BoM details are not displayed, because this sensitive BoM record is configured to be blocked, and the message “Certain records are blocked via UI Data Protection” is displayed.
In this blog post, we have learnt how Data Blocking is achieved in the CS03 transaction through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011 solution.