
Amit Kumar Singh
April 21, 2022
Attribute Based Access Control (ABAC) – Data Blocking Configuration to protect
Sensitive Business Partners from Unauthorized Users
Introduction
In this blog post, we will learn how to configure Data Blocking through the Manage
Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA
2011 solution, based on the Attribute Based Access Control (ABAC) concept.

Manage Sensitive Attributes app

The Manage Sensitive Attributes application allows you to maintain the configuration
for UI data protection in an SAP Fiori-based UI.

This application brings together several individual transactions, simplifying the
maintenance of masking configuration and presenting a holistic picture to the end
user. With this app, you can:

Create, update and delete sensitive attributes

Define masking and blocking configurations

Manage technical attribute mappings

Create and assign context attributes

Create and assign derived attributes and lists of values

You can use the app on your desktop, tablet or smartphone.

Prerequisite
UI data protection masking for SAP S/4HANA is a solution for selective masking of
sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web
Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by
masking the content (replacing original characters with generic characters, such as
asterisks) or by clearing or disabling the field.

The solution uses both role-based and attribute-based authorizations, affording
customers a high degree of control.

Requirement
Data Blocking is required for the BP transaction. Some Business Partner records which
are for “Military Use” need to be protected from unauthorized access by configuring
Data Blocking on this transaction and on the “Manage Business Partner Master Data”
Fiori app. There is a flag “Military Use” under the “Trade Compliance” section of the
“Identification” tab of the BP transaction. If this flag is checked, the Business
Partner is sensitive and only authorized users may see its details.

The product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario
to protect sensitive data at field level and must be installed in the S/4HANA
system.

Let’s begin
Configuration to achieve Data Blocking in BP transaction
Log in to the Fiori Launchpad and click on the “Manage Sensitive Attributes” app
available under the “UI data protection masking” catalog.

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which
needs to be configured for UI data protection.

Click on the Add icon

Enter “LA_BP_ID” in the Sensitive Attribute field

Enter “BP ID Number” in the Description field

Click on the “Create” button

The Sensitive Attribute with the specified details will be created.

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of
fields to sensitive attributes. A technical address describes the exact technical
path or technical information which is used by the solution to process the field
for UI data protection masking. Every screen and field on which the Business
Partner ID appears must be mapped, since the solution only evaluates fields it
knows about.

Under Technical Mapping > SAP GUI, choose the Add icon and maintain the following
entries:

Under Technical Mapping > SAPUI5, choose the Add icon and maintain the following
entry:

Mass Configuration
For mass configuration, select the Mass Configuration icon. The system generates
additional customizing for SAP GUI and data element entries. Once the application
is refreshed, the generated entries are listed under Module Pool.

Select all the records and click on the “Mass Configuration” button

On completion, navigate to the Technical Mapping > SAP GUI (Module Pool) section to
see the generated entries

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context
attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the
context within which a sensitive attribute is to be protected. In this scenario the
context is the value of the “Military Use” flag of the Business Partner being
displayed.

To assign a context attribute to a sensitive attribute, under Context Attributes,
choose the Add icon.

To create a new context attribute, select Create New, enter the name of the context
attribute beginning with LA_ and a description.

Open a context attribute by tapping the arrow next to it; under Technical Mapping
you can map technical addresses to the context attribute in the same way as for
the sensitive attribute.

Click on the “Fallback Option: via code” tab and maintain “Class Name” as
“ZCL_DETERMINE_MILVE”. The fallback class is called to derive the context value in
code; here it reads the flag from the Business Partner master record.
Write the following logic into the class. The class must implement the interface
/UISM/IF_CA_CODE_FALLBACK; its EXECUTE method receives the values of the mapped
attributes in IT_NAME_VALUE_PAIR and returns the context value in EV_OUTPUT:

  CLASS zcl_determine_milve DEFINITION PUBLIC FINAL CREATE PUBLIC.
    PUBLIC SECTION. INTERFACES /uism/if_ca_code_fallback.
  ENDCLASS.
  CLASS zcl_determine_milve IMPLEMENTATION.
    METHOD /uism/if_ca_code_fallback~execute.
      CLEAR ev_output. " default: flag not set, record treated as not sensitive
      " Business Partner ID passed in for the sensitive attribute LA_BP_ID
      READ TABLE it_name_value_pair ASSIGNING FIELD-SYMBOL(<fa_nvp>)
        WITH KEY sem_attribute = 'LA_BP_ID'.
      IF sy-subrc EQ 0.
        " The Military Use flag (MILVE) of this partner becomes the context value
        SELECT SINGLE milve FROM but000 INTO ev_output
          WHERE partner = <fa_nvp>-value_int.
      ENDIF.
    ENDMETHOD.
  ENDCLASS.
Policy Configuration
A Policy is a combination of rules and actions which are defined in one or more
blocks. The actions are executed on a sensitive entity (the field to be protected)
which has to be assigned to a Policy. The conditions are based on context
attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of
a policy. They are mapped to fields which are used to derive the context under
which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be
protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive
Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy
Details for Attribute-based Authorizations, and then the steps below:

Click on the “New Entries” button

Enter “Policy Name” as “POL_BLOCK_BP”

Select “Type” as “Data Blocking”

Enter “Description” as “Block Sensitive Business Partners in BP transaction”

Click on the “Save” button

Write the following logic into the policy (its rule evaluates the Military Use flag
derived by the context attribute and applies the blocking action to the sensitive
entity when the flag is set):

Maintain Programs for Data Blocking

To achieve Data Blocking for SAP GUI transactions, there is an additional mandatory
step: the program name of the SAP GUI transaction must be configured in Customizing
under SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data
Protection Configuration -> Maintain Programs for Data Blocking. Follow the steps
below:

Click on the “New Entries” button

Enter Calling Program as “SAPLBUPA_DIALOG_JOEL”

Check the “Enable” checkbox

Enter Description as “Block Sensitive BP Records”

Click on the “Save” button

Data Blocking Configuration

In the Manage Sensitive Attributes application, you can configure blocking for a
sensitive attribute to define in detail how it is to be protected in the system.

Blocking configuration defines which sensitive records are to be blocked from view
for unauthorized users, even when these records would normally appear in a table
view.

To configure blocking for a sensitive attribute, under Configuration > Data
Blocking Configuration, choose Edit.

Enable Data Blocking.

Use the value help to select the “POL_BLOCK_BP” policy for attribute-based
authorization.

Save the configuration.
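To make the pieces configured above concrete, the following is an added example (my own illustration, not SAP code and not part of the original post) that models the decision flow end to end: the sensitive attribute LA_BP_ID, a context attribute derived in code the way ZCL_DETERMINE_MILVE does it, the blocking policy, and the two enforcement points exercised in the tests below (the BP search grid and opening a single BP). The BUT000 rows are constructed sample data, and the rule inside the policy is an assumption, since the post does not show it: a record is blocked when its Military Use flag is set and the user lacks the authorization that the post only calls “authorized”.

```python
"""Model of attribute-based data blocking for Business Partners.

Added example, not SAP's implementation. The BUT000 extract below is
constructed sample data; the policy rule and the 'authorized' user flag
are assumptions standing in for the real policy and role assignment.
"""
from dataclasses import dataclass

# Constructed BUT000 extract: partner number -> name and Military Use flag (MILVE).
# Partners 20001 and 20003 are flagged, matching the records blocked in the post.
BUT000 = {
    "20000": {"name_org1": "Acme Tools", "milve": " "},
    "20001": {"name_org1": "Delta Defense", "milve": "X"},
    "20002": {"name_org1": "Echo Logistics", "milve": " "},
    "20003": {"name_org1": "Foxtrot Systems", "milve": "X"},
    "30001": {"name_org1": "Golf Retail", "milve": " "},
}

BLOCK_MESSAGE = "Certain records are blocked via UI Data Protection"


@dataclass(frozen=True)
class User:
    name: str
    # Assumption: stands in for the role/authorization the policy treats as allowed.
    authorized: bool


def context_attribute_milve(name_value_pairs):
    """Code fallback for the context attribute, mirroring ZCL_DETERMINE_MILVE:
    take the value of the sensitive attribute LA_BP_ID and return that
    partner's MILVE flag. Returns '' when no BP ID was passed or no row exists,
    exactly as CLEAR ev_output does in the ABAP class."""
    partner = name_value_pairs.get("LA_BP_ID")
    row = BUT000.get(partner) if partner else None
    return row["milve"] if row else ""


def policy_pol_block_bp(user, context):
    """Policy of type Data Blocking (assumed rule): block the sensitive entity
    when the derived flag is set and the user is not authorized."""
    if context.get("MILVE") == "X" and not user.authorized:
        return "BLOCK"
    return "ALLOW"


def evaluate(user, partner):
    """Policy decision for one partner: derive the context, then apply the rule."""
    context = {"MILVE": context_attribute_milve({"LA_BP_ID": partner})}
    return policy_pol_block_bp(user, context)


def search_partners(user, pattern):
    """Enforcement point for the BP search grid: blocked rows are dropped after
    the database read, and the caller gets the number of suppressed rows so the
    UI can show its suppression message. Supports a trailing '*' wildcard."""
    if pattern.endswith("*"):
        hits = [p for p in BUT000 if p.startswith(pattern[:-1])]
    else:
        hits = [p for p in BUT000 if p == pattern]
    visible = [p for p in hits if evaluate(user, p) == "ALLOW"]
    return visible, len(hits) - len(visible)


def open_partner(user, partner):
    """Enforcement point for 'Open BP': the record for allowed users, the
    blocking message for blocked ones, None when the partner does not exist."""
    if partner not in BUT000:
        return None
    if evaluate(user, partner) == "BLOCK":
        return BLOCK_MESSAGE
    return BUT000[partner]


if __name__ == "__main__":
    clerk = User("clerk", authorized=False)
    officer = User("trade_compliance", authorized=True)
    print(search_partners(clerk, "2000*"))   # flagged 20001 and 20003 suppressed
    print(open_partner(clerk, "20003"))      # blocking message
    print(search_partners(officer, "2000*")) # all four rows, nothing suppressed
```

Two points in this model carry over to the real configuration. First, the decision fails open: when the BP ID is not passed to the fallback (a screen or field missing from the technical mapping) or the partner has no row, the context value is initial and the policy allows the record, so the mapping step is part of the security boundary, not just plumbing. Second, the search grid filters after the read, which is why the Fiori app reports that records have been suppressed rather than returning fewer hits silently.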

Data Blocking in BP transaction

Enter T-Code “BP” and press the “Enter” key

Enter “2000*” in the “Business Partner” field and click on the “Start” button

The following BP records will not appear in the grid, as they are blocked:

Enter “20001” in the “Business Partner” field and click on the “Start” button

BP record 20001 will not appear in the grid, as it is blocked.

Click on the “Open BP” button

Enter “20003” in the “Business Partner” field and click on the “Enter” button

The details of BP record 20003 will not be displayed; instead the message “Certain
records are blocked via UI Data Protection” is shown.

Data Blocking in Manage Business Partner Master Data Fiori app

Click on the Manage Business Partner Master Data application

Click on the “Business Partner” field

Enter a search condition and click on the “OK” button

Click on the “Go” button

The sensitive BP records will not be displayed; instead the message “Some of the
records have been suppressed! Fetching available records…” is shown.

Conclusion
In this blog post, we have learnt how Data Blocking is achieved in the BP transaction
and the Manage Business Partner Master Data Fiori app through the Manage Sensitive
Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2011
solution. Keep in mind that this protection applies to the user interfaces the
solution covers (SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP and Web Client UI);
access to the same Business Partner data through other channels, such as RFC,
BAPIs or direct table display, is still governed by the standard authorization
concept and must be restricted there as well.
Assigned Tags
UI data protection masking for SAP S/4HANA
Governance, Risk, Compliance (GRC), and Cybersecurity
attribute based access control
ui data protection
UI data protection Masking
ui data security
UISM