Application Blocking – How to block SAP GUI Programs from

Starting using Application Blocking Configuration

blogs.sap.com/2024/01/03/application-blocking-how-to-block-sap-gui-programs-from-starting-using-application-

Introduction
In this blog, we will learn how to prevent SAP GUI Programs from starting. When unauthorized users
attempt to start a program, they will be shown a message that the program is blocked by UI data
protection masking.

From the perspective of an end user, application blocking behaves in the same way as traditional
authorization checks. However, it has the advantage that you can configure it more flexibly using a
policy that can contain different environment variables like IP address, User Terminal etc.

Attribute based authorizations are dynamic determination mechanism which determines whether a
user is authorized to access specific data sets which can be based on the context attributes of the
user and data (for example, price of certain sensitive materials are masked).

We will configure SAP GUI Program blocking through UI Data Protection Masking for SAP S/4HANA
2011 solution based on Attribute Based Authorization Control (ABAC) concept.

Prerequisite
UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and
sensitive data values at field level by masking, clearing, or disabling fields for those users who are not
authorized to view or edit this data.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI,
SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement
Here, we want to configure SAP GUI Program blocking for SAPLMR1M Program to prevent
unauthorized users from starting the program based on User Terminal information using Attribute-
based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to prevent
unauthorized users from starting the transaction and must be installed in the S/4HANA system.

Let’s begin

1/7
Configuration to achieve SAP GUI Program Blocking
Before beginning with this Application Blocking Configuration, one policy of the type of application
blocking must be created.

Configure Value Range

Value Ranges are a set of pre-populated values which can be used to derive the context under which
an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute
Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List
of Values Definition – Follow below mentioned steps:

Blacklisted User Terminal

Click on “New Entries” button
Enter “List of Values” as “VR_USER_TERMINAL”
Enter “Description” as “List of Blacklisted User Terminals”
Click on “Save” button

Enter following entries in “VR_USER_TERMINAL” Value Range

Follow below mentioned steps:

Execute Transaction Code “/UISM/V_RANGE”

Click on “VR_USER_TERMINAL” Value Range
Click on “Display<- -> Change” button
Click on “Add New Entry” button

Add following entries under “Include Value” tab and click on “Save” button

2/7
Policy Configuration

3/7
A Policy is a combination of rules and actions which are defined in one or more blocks. The actions
are executed on a sensitive entity (field to be protected) which must be assigned to a Policy. The
conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are
mapped to fields which are used to derive the context under which an action is to be executed on a
sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from
unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute
Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based
Authorizations – Follow below mentioned steps:

Click on “New Entries” button

Enter “Policy Name” as “SAPGUI_PROGM_BLOCK”
Select “Type” as “Application Blocking”
Enter “Description” as “Policy to Block SAP GUI Programs”
Click on “Save” button

Write following logic into Policy

4/7
Maintain Application Blocking Configuration
Here, we will configure groups of applications for Application Blocking.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute
Configuration -> Masking and Blocking Configuration -> Maintain Application Blocking Configuration

Follow below mentioned steps:

Click on “New Entries” button

Enter “Application Group” as “BLOCK_SAPGUI_PROGRAM”
Check “Enable” checkbox
Enter “Policy Name” as “SAPGUI_PROGM_BLOCK”
Enter “Referenced Application” as “Block SAP GUI Program”
Click on “Save” button

Now, select the above created entry and double-click on “SAP GUI Application Mapping”

Click on “New Entries” button

Select “Type” as “Program”
Enter “Transaction Code or Program Name” as “SAPLMR1M”
Enter “Referenced Application” as “Block MIR4/MR8M TCode using Program name”

5/7
 Click on “Save” button

Blocking SAPLMR1M Program

Follow below mentioned steps:

Execute “MIR4” TCode

The user will be shown a message “Program SAPLMR1M blocked by UI data protection
masking” when the user tries to start the Program from unauthorized User Terminal.

Execute “MR8M” TCode

6/7
 The user will be shown a message “Program SAPLMR1M blocked by UI data protection
masking” when the user tries to start the Program from unauthorized User Terminal.

Conclusion
In this blog post, we have learnt how to prevent SAP GUI programs from starting when the user tries
to start a program from unauthorized User Terminal using Application Blocking Configuration.

7/7