UI Data Protection – How to protect sensitive data displayed in Analytical Queries
In this blog, we will learn how to configure masking in Analytical Queries to protect the sensitive information displayed in it. Analytical Queries are used for reporting and analysis.
S/4HANA Embedded Analytics
Analytics is one of the most typical and tangible value of S/4HANA. S/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as data source and Fiori Analytical application as the frontend. As the frontend, other than S/4HANA Embedded Analytics, SAP Analytics Cloud is available which is used together with S/4HANA embedded analytics.
SAP Query Browser app
SAP Query Browser is a powerful Fiori app for embedded analytics which is used to view, retrieve, and analyze analytical queries. It is used to search, browse, and tag the analytical queries quickly and easily. It is available as a tile in SAP Fiori Launchpad. It displays all the authorized SAP standard and custom analytical queries to which the user has access.
SAP_BR_EMPLOYEE Query Browser role must be assigned to a user to access the Query Browser app.
To launch the Query Browser application, choose Query Browser from the Query Browser catalog.
In Query Browser app, analytical queries can be searched using view names, view descriptions, view column names, annotations, tables, and user added tags.
Here, we will use SAP Query Browser to showcase masking of sensitive fields of analytical queries. We will configure masking through Manage Sensitive Attributes app provided by UI Data Protection Masking for SAP S/4HANA 2011 solution based on Role Based Authorization Control (RBAC) concept.
Manage Sensitive Attributes app
The Manage Sensitive Attributes application allows you to maintain configuration for UI data protection in an SAP Fiori-based UI.
This application brings together several individual transactions, simplifying the maintenance of masking configuration and presenting a holistic picture to the end user. With this app, you can:
- Create, update, and delete sensitive attributes
- Define masking and blocking configurations
- Manage technical attribute mappings
- Create and assign context attributes
- Create and assign derived attributes and lists of values
You can use the app on your desktop, tablet, or smartphone.
UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.
Here, we want to configure masking for G/L Account field in C_TRIALBALANCE query result using Role-based authorization concept. Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.
Note: Currently, Masking in Analytical Queries can be configured based on Role-based authorization concept only.
Configuration to achieve masking G/L Account field
Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.
Maintain Sensitive Attributes
A Sensitive Attribute is a type of logical attribute that define a field which needs to be configured for UI data protection.
- Click on Add icon
- Enter “LA_GL_ACCOUNT” in Sensitive Attribute field
- Enter “G/L Account” in Description field
- Click on “Create” button
- Sensitive Attribute with specified details will be created.
Maintain Mapping to Technical Addresses
In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.
Note: To retrieve the Technical Address for Analytical Query fields, you need to use Recording Tool feature to get the Technical Address as Technical Information on press of F1 key is not available here. Refer the Blog to know how to use Recording Tool.
Under Technical Mapping > Analytics, choose the Add icon.
Use the value help to select the InfoProvider, Query, and InfoObject information. You can also enter the referenced query name as a comment to describe the mapping.
In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.
To configure masking for a sensitive attribute, under Configuration > Masking Configuration, choose Edit.
- Enable masking.
- Select Role-Based authorization concept. For role-based authorization, use the value help to select a PFCG role
- Select a field-level action to determine what should be visible to unauthorized users. Users with this PFCG role will have access to the original values.
- Save the configuration.
Masking in Analytical Query
- Click on Query Browser app
- Enter “C_TRIALBALANCE” in Search field and click on “Search” button
- Select the checkbox and click on “Open for Analysis” button
- Enter highlighted search criteria in the corresponding fields and click on “OK” button
- G/L Account field value will appear as masked
In this blog post, we have learnt how Role-based masking is achieved in Analytical Queries in SAP Query Browser app for masking sensitive field information.
Hi Amit Kumar Singh
Is UI Data protection also available for S/4HANA Cloud (Public)?
UI Data protection masking is not supported for S/4HANA Public cloud. Its in long term roadmap of product but is not currently available.
Amit Kumar Singh
Hi Kris, I'm involved in collecting masking requirements for S/4H public cloud. Would you be willing to contact me directly at firstname.lastname@example.org and we can start a small conversation on the topic? Much appreciated! Best, Tobias