UI Masking on MDG Business Partner Bank & Address Fields
2023-12-6 18:50:15 Author: blogs.sap.com

Introduction

In this blog, let us take a technical deep dive into masking FPM (Web Dynpro) fields in the Master Data Governance (MDG) Change Request UI.

As you may already know, SAP provides two types of UI Masking:

  • Role Based (RBAC)
  • Attribute Based (ABAC)

We will cover Attribute Based UI Masking in detail, specifically for the MDG business partner UI.

Requirement

The business requirement is to mask sensitive fields (i.e. Bank & Address related fields) in the MDG Business Partner UI if the business partner is marked as a natural person and the user does not have an authorized role (PFCG role) to view or modify the data in the sensitive fields.

[Figure: Masking on Address]

[Figure: Masking on Bank]

Prerequisites

  • A valid license is required for UI Masking. Make sure the UI masking related components UIDP-100 & UIDPUI5-100 are installed.
  • The below notes must be implemented.

Maintain Global Flags

  • Maintain global flags for UI data protection masking in Customizing under ABAP Platform -> UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags
  • Maintain the package and namespace for policy creation in Customizing for ABAP Platform under UI Data Protection Masking for SAP S/4HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Package and Namespace for Policy Creation

Masking Configuration & Development

  • Maintain Context Attributes for Masking

Configure the Business Partner as a logical (or context) attribute; it is used to get the value of the natural person field in the Business Partner.

In addition, create logical attributes for the Bank & Address related fields that are to be masked in the UI because they are business-critical sensitive attributes.

Create all logical attributes with the prefix LA_ and enable the sensitive flag for the logical attributes that are sensitive.

Assign all the context attributes to a transport request.

In the technical mapping, assign all the FPM Web Dynpro fields relevant for Business Partner, Bank and Address.

[Figures: technical mapping for Business Partner, Address and Bank]

Collect the technical details of each field from the FPM UI to configure the technical mapping in masking.

  • Maintain Derived Attribute for Natural Person

Configure Natural Person as a derived attribute with the prefix DA_ to get the value of natural person from the FPM UI at run time.

Create a class ZCL_MDGBP_MASKING_NAT_PERSON that implements the interface /UISM/IF_DERIVED_ATTR_VALUE, and add logic in the method EXECUTE to get the value of the natural person field of the Business Partner.

Create one static public attribute (GV_BP) in the class to hold the business partner ID, which is passed to the MDG API READ_CHAR_VALUE to get the value of the natural person field. Because GV_BP is static, the method reuses the last business partner it resolved whenever a later call gets none from the change request or the context attribute.

Source Code:

  METHOD /uism/if_derived_attr_value~execute.

    DATA: lv_bp       TYPE bu_businesspartner.
    DATA: lv_natpers  TYPE bu_natural_person.
    DATA: lv_mode     TYPE usmd_readmode_ext VALUE if_usmd_model_ext=>gc_readmode_all_inact.
    DATA: lt_sel TYPE usmd_ts_sel,
          ls_sel TYPE usmd_s_sel.
    DATA: lt_entity_data TYPE REF TO data,
          ls_entity_data TYPE REF TO data.
    DATA lt_objlist   TYPE        usmd_t_crequest_entity.


    FIELD-SYMBOLS:
      <fs_entity>   TYPE any,
      <fs_t_entity> TYPE ANY TABLE.


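    " Default result: not a natural person, so the policy rule does not mask
    " unless the BP record read below says otherwise
    ev_output = abap_false.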

    DATA(lo_context) = cl_usmd_app_context=>get_context( ).

    IF lo_context IS BOUND.
      DATA(lv_crequest) = lo_context->mv_crequest_id.
    ENDIF.

    CALL METHOD cl_usmd_model_ext=>get_instance
      EXPORTING
        i_usmd_model = 'BP'
      IMPORTING
        eo_instance  = DATA(lo_model_ext).

    IF lv_crequest IS NOT INITIAL.
      CLEAR: ls_sel,lt_sel.
      ls_sel-fieldname  = usmd0_cs_fld-crequest.
      ls_sel-sign       = 'I'.
      ls_sel-option     = 'EQ'.
      ls_sel-low        = lv_crequest.
      INSERT ls_sel INTO TABLE lt_sel.

      " get header data from cr
      "Read object list
      lo_model_ext->read_char_value(
        EXPORTING
          i_fieldname       = usmd0_cs_fld-crequest
          it_sel            = lt_sel
          if_use_edtn_slice = abap_false
        IMPORTING
          et_data           = lt_objlist ).

      LOOP AT lt_objlist INTO DATA(ls_objlist)  ##INTO_OK.
        IF ls_objlist-usmd_entity = 'BP_HEADER'.
          gv_bp = ls_objlist-usmd_value.
          EXIT.
        ENDIF.

      ENDLOOP.
    ENDIF.
* Read BP number from the context attribute; if it is empty, fall back to
* the BP kept in the static attribute GV_BP
    READ TABLE it_name_value_pair INTO DATA(ls_nvp) WITH KEY sem_attribute = 'LA_BUSINESS_PARTNER'.

    IF sy-subrc = 0 OR gv_bp IS NOT INITIAL.

      IF ls_nvp-value_int IS NOT INITIAL.
        lv_bp = ls_nvp-value_int.
        gv_bp = ls_nvp-value_int.
      ELSE.
        lv_bp = gv_bp.
      ENDIF.
    ENDIF.

**********************************************
* ----------------------------------------------------------------*
* READ BP DATA
* ----------------------------------------------------------------*
    IF lv_bp IS NOT INITIAL.
      CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
        EXPORTING
          input  = lv_bp
        IMPORTING
          output = lv_bp.

      " selection table for bp header data
      CLEAR: ls_sel,lt_sel.
      ls_sel-fieldname  = if_mdg_bp_constants=>gc_field-bp_header. "'BP_HEADER'
      ls_sel-sign       = 'I'.
      ls_sel-option     = 'EQ'.
      ls_sel-low        = lv_bp.
      INSERT ls_sel INTO TABLE lt_sel.

      CALL METHOD lo_model_ext->create_data_reference
        EXPORTING
          i_fieldname = 'BP_CENTRL'
          i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
*         it_attribute =
          if_table    = abap_false
          i_tabtype   = if_usmd_model=>gc_tabtype_standard
        IMPORTING
          er_data     = ls_entity_data.

      CALL METHOD lo_model_ext->create_data_reference
        EXPORTING
          i_fieldname = 'BP_CENTRL'
          i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
*         it_attribute =
*         if_table    = 'X'
          i_tabtype   = if_usmd_model=>gc_tabtype_standard
        IMPORTING
          er_data     = lt_entity_data.

      ASSIGN ls_entity_data->* TO <fs_entity>.
      ASSIGN lt_entity_data->* TO <fs_t_entity>.

      " get header data from cr
      CALL METHOD lo_model_ext->read_char_value
        EXPORTING
          i_fieldname       = 'BP_CENTRL'
          it_sel            = lt_sel
          if_edition_logic  = abap_false
          i_readmode        = lv_mode
          if_use_edtn_slice = abap_false
        IMPORTING
          et_data           = <fs_t_entity>
          et_message        = DATA(lt_msg).

      IF <fs_t_entity> IS ASSIGNED AND <fs_t_entity> IS NOT INITIAL.
        LOOP AT <fs_t_entity> INTO <fs_entity>.

          ASSIGN COMPONENT 'NATPERS' OF STRUCTURE <fs_entity> TO FIELD-SYMBOL(<lfs_natpers>).
          IF <lfs_natpers> IS ASSIGNED.
            ev_output = <lfs_natpers>.
          ENDIF.
        ENDLOOP.
      ENDIF.
*********************************************
    ENDIF.

  ENDMETHOD.

  • Maintain Attribute-Based Policy

Create a policy and assign a rule to it to implement masking on sensitive attributes.

Maintain Rule in the Policy

Build a rule for the requirement: if the BP is a natural person and the user does not have an authorized role (PFCG role), then the address & bank related fields are masked.

ABAC Policy Cockpit

Maintain the RFC Destination as NONE in the policy cockpit.

  • Maintain Sensitive Attribute for Bank & Address related fields for BP

Sensitive attributes are the attributes on which masking is applied. Maintain the masking configuration for the sensitive attributes to assign the policy.

In the masking configuration, assign the policy so that masking is validated against it for attribute-based masking.

Conclusion

In this blog post, we have learnt how masking is achieved in the Manage Business Partner app in MDG through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2022 solution.

Note

  • Please refer to the links below for the steps to activate or enable the masking related applications.

Maintain Settings for Masking Configuration Overview App | SAP Help Portal

Maintain Settings for Manage Sensitive Attributes App | SAP Help Portal

Maintain Settings for Manage Context Attributes App | SAP Help Portal

Maintain Settings for Manage Derived Attributes and Ranges App | SAP Help Portal

Maintain Settings for Manage ABAC Policies App | SAP Help Portal

  • In case of any support/queries, raise an incident with SAP under component GRC-UDS-DO.

Article source: https://blogs.sap.com/2023/12/06/ui-masking-on-mdg-business-partner-bank-address-fields/