Product Information
Attribute Based Access Control (ABAC) – Mask/Block Identification Number of Sensitive Business Partners based on Users IP Address
Introduction
As part of this blog, we will compare logged-in user’s IP Address attribute with attributes of data that logged-in user is trying to access.
As example, we have considered a scenario where sensitive Business Partners Identification Number data will be masked and some sensitive Business Partner records will be blocked for logged-in user if user logs in from Mobile VPN.
These will be achieved using Attribute Based Access Control (ABAC). Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).
The end result when user logs in from Office VPN will appear as:
The end result when user logs in from Mobile VPN, Identification Number will appear as masked and some sensitive Business Partner records (3000000006, 3000000008, CMS0000031) will be blocked from display:
Note: In the above scenario, we have blocked the records from display. You may choose to mask or apply different field level actions, like clearing the contents of the field, depending upon the requirement.
Prerequisite
UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.
Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.
Requirement
Here, we want to configure masking and blocking for Sensitive Business Partners Identification Number in BUT0ID table in SE16 transaction based on logged-in users IP Address information. Also, some sensitive business partner records will be blocked for unauthorized users.
Let’s begin
Configuration to achieve Masking and Data Blocking in SE16 transaction
Configure Logical Attributes
To configure required Sensitive and Context Attributes, Please follow the following blog post where we have explained how to use “Manage Sensitive Attributes” app to configure logical attributes.
How to use Manage Sensitive Attributes app to configure Logical Attributes
Maintain Additional Attributes – Configure Value Range
In the Manage Sensitive Attributes application, you can create and update value ranges to provide context for protecting a sensitive attribute.
A Value Range is a static collection of values that can be used as the context within which a sensitive attribute is to be protected.
To create a new value range for,Sensitive Business Partners
- Navigate to “Additional Attributes” tab
- Click on “Value Ranges” option
- Click on “Add” icon
- Select “Create New“
- Select Range Type as “List of Values“
- Enter the name of the value range beginning with VR_ for a list of values as “VR_SENSITIVE_BPLIST“
- Description as “Range of Sensitive BP”
- Click on “Create” button.
- Value Range with specified details will be created.
- Click on VR_SENSITIVE_BPLIST link to add values in this Value Range. You will be navigated to Manage Derived Attributes/Value Ranges app
- Click on Include Value option under Maintain List of Values tab
- Click on “Add” icon under Include Value section
- Enter “Value” as “CMS0000031”
- Enter “Comment” as “Bill Gates”
- Click on “Create” button
Enter following entries in “VR_SENSITIVE_BPLIST” Value Range
- Using the above steps, create a Value Range “VR_OFFICE_VPN“
Enter following entry in “VR_OFFICE_VPN” Value Range
- Using the above steps, create a Value Range “VR_MOBILE_VPN“
Enter following entry in “VR_MOBILE_VPN” Value Range
Masking Configuration
In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.
To configure masking for LA_BP_SSN sensitive attribute, under Edit. , choose
- Enable masking.
- Select Attribute Based authorization concept.
- Click on “Add” icon next to “Policy” edit box
- Enter Policy Name as “POL_MASK_BPID“.
- Enter Description as “Mask Sensitive BP IDs“.
- Click on “Create” button.
- Policy will get created.
- Click on “Save” button.
- Click on “Mask Sensitive BP IDs (POL_MASK_BPID)” link. You will be navigated to “Manage ABAC Policies” app
- Choose “Edit” under “Rule” section of Policy
- ABAC Policy Cockpit will be opened
Write following logic into Policy
Data Blocking Configuration
In the Manage Sensitive Attributes application, you can configure blocking for a sensitive attribute to define in detail how it is to be protected in the system.
Blocking configuration defines which sensitive records are to be blocked from view for unauthorized users, even when these records would normally appear in a table view.
To configure blocking for LA_BP_ID sensitive attribute, under Edit. , choose
- Enable data blocking.
- Click on “Add” icon next to “Policy” edit box
- Enter Policy Name as “POL_BLOCK_BPID“.
- Enter Description as “Block Sensitive BP Records“.
- Click on “Create” button.
- Policy will get created.
- Click on “Save” button.
- Click on “Block Sensitive BP Records (POL_BLOCK_BPID)” link. You will be navigated to “Manage ABAC Policies” app
- Choose “Edit” under “Rule” section of Policy
- ABAC Policy Cockpit will be opened
Write following logic into Policy
Conclusion
In this blog post, we have learnt how Masking and Data Blocking is achieved in SE16 transaction based on logged-in users IP Address information.