Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Attribute Based Access Control (ABAC) - Block/Mask Customer records being accessed based on Customers Master Data (in F4 Search Helps)

AmitKrSingh
Advisor
Advisor
‎07-21-2021 2:21 PM
0 Kudos

Introduction


As part of this blog, we will compare logged-in user’s attributes with attributes of data that logged-in user is trying to access.

As example, we have considered a scenario where customer data will be filtered out for logged-in user if logged-in user’s authorizations for company code and sales organization do not match with company code and sales organization of customer record that user is trying to access.

These will be achieved using Attribute Based Access Control (ABAC). Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

The end result will appear as:



Prerequisite


UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement


Here, we are blocking the customers to be shown to the unauthorised users based on the company code and sales organisation.

The logged-in user is authorized to see customer data for following scenarios:

  • If the logged-in user belongs to the same company code and sales organization (has required roles/authorizations) as that of the customer record (master data) then customer data will be displayed to the user.

  • If the logged-in user is authorized for all company codes and sales organizations (i.e., Authorization value is maintained as ‘*’ (star) in role) Then irrespective of whether the company code of the customer is maintained or not, the data will be displayed to the user. The same is applicable for sales organization.


The logged in user is not authorized to see customer data for below scenarios:

  • If the logged-in user belongs to a particular company code and the company code of the customer is different or not maintained, the data will be blocked for the user. The same is applicable for sales organization.


Configuration to achieve Data Block


Sensitive Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Sensitive Attribute


Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Metadata Configuration -> Maintain Logical Attributes

Customer ID




Maintain Technical Address


In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

You can get the Technical Address of a GUI field by pressing “F1” on the field.



Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address
Follow below mentioned steps:

Under “GUI Table Field Mapping”, maintain technical address for following field using the below mentioned steps.

  • Click on “New Entries” button

  • Enter Table Name as “M_DEBIA” for search help “DEBIA

  • Enter Field Name as “KUNNR” based on which blocking will happen

  • Enter the logical attribute as “LA_CUSTOMERID




Configure Derived Attribute


Derived Attribute is a code break-out point available to be consumed in masking policies and gives flexibility to customers to build complex scenarios.
Follow the given path:

SPRO -> SAP Net Weaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy –
Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Derived Attribute” as “DA_CHECK_AUTH

  • Enter “Class Name” as “ZCL_CHECK_AUTH

  • Enter a “Description” as “Check user authorization for suppressing the customer details

  • Click on “Save” button



Now, let’s give implementation to the class "ZCL_CHECK_AUTH".

Implement the interface “/UISM/IF_DERIVED_ATTR_VALUE” in your class -


Below is sample implementation of the method “/UISM/IF_DERIVED_ATTR_VALUE~EXECUTE
  METHOD /uism/if_derived_attr_value~execute.

*   In this derived attribute class, we do the folllowing

*   1) Find Company Code and Sales Org of Customer being viewed

*   2) Check if current logged-in user has authorizations for

*      Customer's Company Code and Sales Org. derived step-1 above

*   3) Compare Customer's company Code and Sales Org with Company Code

*      and Sales Org for logged-in user

*   4) If both doesnt matches, then we return a flag so that policy can

*      block the current customer record



    DATA: lv_ccode_flag TYPE boolean, " Company Code Flag

          lv_sorg_flag  TYPE boolean. " Sales Organisation Flag



    CLEAR ev_output.



    " Step 1: Get Customer number from Name Value Pair

    DATA(lv_kunnr) = it_name_value_pair[ sem_attribute = 'LA_CUSTOMERID' ]-value_int.

    IF lv_kunnr IS INITIAL.

      RETURN.

    ENDIF.



    " Step 2: Find customer Sales Org and Company Code

    SELECT a~vkorg,

           b~bukrs

           FROM knvv AS a

           INNER JOIN knb1 AS b

           ON a~kunnr = b~kunnr

           INTO TABLE @DATA(lt_cust_details)

           WHERE a~kunnr = @lv_kunnr.

    IF sy-subrc NE 0.

      RETURN.

    ENDIF.



    " Step 3: Now get logged-in User's details. Check if logged-in user has auth for

    " Sales Org and Company Code derived in step 2 using Auth Object

    LOOP AT lt_cust_details ASSIGNING FIELD-SYMBOL(<fs_customer>).



      " Check logged-in user's auth of Sales Org

      " Here, we are checking Logged-in users auth for

      " Sales Org of Customer(record) that he is trying to access

      AUTHORITY-CHECK OBJECT 'V_VBKA_VKO'

                          ID 'VKORG' FIELD <fs_customer>-vkorg.

      IF sy-subrc = 0 AND lv_sorg_flag = abap_false.

        lv_sorg_flag = abap_true.

      ELSE.

        lv_sorg_flag = abap_false.

      ENDIF.



      " Check logged-in user's auth of Company Code

      " Here, we are checking Logged-in users auth for

      " Company Code of Customer(record) that he is trying to access

      AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'

                          ID 'BUKRS' FIELD <fs_customer>-bukrs.

      IF sy-subrc = 0 AND lv_ccode_flag = abap_false.

        lv_ccode_flag = abap_true.

      ELSE.

        lv_ccode_flag = abap_false.

      ENDIF.

    ENDLOOP.



*/-- Step 4: Return flag as true if user doesn’t have auth for Sales org ,Sales Office or CCode derived in step 2

    IF lv_ccode_flag EQ abap_false OR

       lv_sorg_flag EQ abap_false .



      ev_output = abap_true. "True = Block record

    ENDIF.



  ENDMETHOD.

Policy Configuration


A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Create a Policy
Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-Based Authorizations
Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Policy Name” as “ZPOL_BLOCK_CUSTOMER

  • Select “Type” as “Data Blocking

  • Enter “Description” as “Policy For Blocking Customer ID In Search Help

  • Click on “Save” button




Write following logic into Policy




Maintain Data Blocking Configuration


Here, we will define how masking will behave with the logical attribute that we created in above step.
Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Data Blocking Configuration
Follow below mentioned steps:


  • Click on “New Entries” button

  • Enter “Sensitive Entity” as “LA_CUSTOMERID” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields

  • Check “Enable Data Block” check-box

  • Enter “Policy Name” as “ZPOL_BLOCK_CUSTOMER

  • Click on “Save” button




Conclusion


In this blog post, we have learnt how Data Blocking is achieved in DEBIA Search Help based on Company Code and Sales Organization information.

Note:


In this blog, we have considered F4 Search Help where as using the same principle Masking and Data Blocking can be achieved in other UIs such as SE16/Fiori/Gateway etc. by assigning relevant Data Elements to the Logical Attributes created in above blog.
Labels:
2 Comments
Labels in this area
Popular Blog Posts