Introduction
In this blog, let us take a technical deep dive into masking FPM (Web Dynpro) fields in the Master Data Governance (MDG) Change Request UI.
As you may already know, SAP provides two types of UI Masking.
We will cover Attribute Based UI Masking in detail, specifically for the MDG business partner UI.
Requirement
The business requirement is to mask sensitive fields (i.e. Bank & Address related fields) in the MDG Business Partner UI if the business partner is marked as a natural person and the user does not have an authorized role (PFCG role) to view or modify the data in the sensitive fields.
Masking on Address
Masking on Bank
Prerequisites
Maintain Global Flags
Configure the Business Partner as a Logical (or Context) Attribute, which is used to get the value of the natural person field in the Business Partner.
Also create logical attributes for the Bank & Address related fields that are to be masked in the UI because they are business-critical sensitive attributes.
All logical attributes are to be created with the prefix LA_; enable the sensitive flag for the logical attributes that are sensitive.
Assign all the context attributes to a transport request.
In the technical mapping, assign all the FPM Web Dynpro fields relevant for Business Partner, Bank as well as Address.
Business Partner
Bank
Address
Collect the technical details of the field from the FPM UI to configure Technical Mapping in Masking.
Configure Natural Person as a Derived Attribute with the prefix DA_ to get the value of natural person from the FPM UI at run time.
Create a class ZCL_MDGBP_MASKING_NAT_PERSON that implements the interface /UISM/IF_DERIVED_ATTR_VALUE, and add logic in the method EXECUTE to get the value of the natural person field in the Business Partner.
Create one static public attribute (GV_BP) in the class to hold the business partner ID, which is passed to the MDG API READ_CHAR_VALUE to get the value of the natural person field.
Source Code:
METHOD /uism/if_derived_attr_value~execute.
  " Derived attribute: returns the natural person flag (NATPERS) of the
  " business partner that is being processed in the MDG change request UI.

  DATA: lv_bp   TYPE bu_businesspartner.
  DATA: lv_mode TYPE usmd_readmode_ext VALUE if_usmd_model_ext=>gc_readmode_all_inact.
  DATA: lt_sel TYPE usmd_ts_sel,
        ls_sel TYPE usmd_s_sel.
  DATA: lt_entity_data TYPE REF TO data,
        ls_entity_data TYPE REF TO data.
  DATA lt_objlist TYPE usmd_t_crequest_entity.

  FIELD-SYMBOLS:
    <fs_entity>   TYPE any,
    <fs_t_entity> TYPE ANY TABLE.

  " Default result: not a natural person. If none of the reads below finds
  " the BP, this value is returned unchanged, and a rule that masks only
  " natural persons will then not mask the fields.
  ev_output = abap_false.

  " Change request ID of the current MDG application context
  DATA(lo_context) = cl_usmd_app_context=>get_context( ).
  IF lo_context IS BOUND.
    DATA(lv_crequest) = lo_context->mv_crequest_id.
  ENDIF.

  CALL METHOD cl_usmd_model_ext=>get_instance
    EXPORTING
      i_usmd_model = 'BP'
    IMPORTING
      eo_instance  = DATA(lo_model_ext).

  IF lv_crequest IS NOT INITIAL.
    CLEAR: ls_sel, lt_sel.
    ls_sel-fieldname = usmd0_cs_fld-crequest.
    ls_sel-sign      = 'I'.
    ls_sel-option    = 'EQ'.
    ls_sel-low       = lv_crequest.
    INSERT ls_sel INTO TABLE lt_sel.

    " Read the object list of the change request
    lo_model_ext->read_char_value(
      EXPORTING
        i_fieldname       = usmd0_cs_fld-crequest
        it_sel            = lt_sel
        if_use_edtn_slice = abap_false
      IMPORTING
        et_data           = lt_objlist ).

    " Take the BP number from the BP_HEADER entry of the object list
    LOOP AT lt_objlist INTO DATA(ls_objlist) ##INTO_OK.
      IF ls_objlist-usmd_entity = 'BP_HEADER'.
        gv_bp = ls_objlist-usmd_value.
        EXIT.
      ENDIF.
    ENDLOOP.
  ENDIF.

  " Read the BP number from the context attribute. gv_bp is static, so a
  " value stored by an earlier call is reused when the context attribute
  " is empty.
  READ TABLE it_name_value_pair INTO DATA(ls_nvp) WITH KEY sem_attribute = 'LA_BUSINESS_PARTNER'.
  IF sy-subrc = 0 OR gv_bp IS NOT INITIAL.
    IF ls_nvp-value_int IS NOT INITIAL.
      lv_bp = ls_nvp-value_int.
      gv_bp = ls_nvp-value_int.
    ELSE.
      lv_bp = gv_bp.
    ENDIF.
  ENDIF.

  " ---------------------------------------------------------------
  " Read BP data
  " ---------------------------------------------------------------
  IF lv_bp IS NOT INITIAL.
    " Add leading zeros so the key matches the stored BP number
    CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
      EXPORTING
        input  = lv_bp
      IMPORTING
        output = lv_bp.

    " Selection table for BP header data
    CLEAR: ls_sel, lt_sel.
    ls_sel-fieldname = if_mdg_bp_constants=>gc_field-bp_header. "'BP_HEADER'
    ls_sel-sign      = 'I'.
    ls_sel-option    = 'EQ'.
    ls_sel-low       = lv_bp.
    INSERT ls_sel INTO TABLE lt_sel.

    " Work area (structure) for entity BP_CENTRL
    CALL METHOD lo_model_ext->create_data_reference
      EXPORTING
        i_fieldname = 'BP_CENTRL'
        i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
        " it_attribute =
        if_table    = abap_false
        i_tabtype   = if_usmd_model=>gc_tabtype_standard
      IMPORTING
        er_data     = ls_entity_data.

    " Table for entity BP_CENTRL (if_table is not passed here)
    CALL METHOD lo_model_ext->create_data_reference
      EXPORTING
        i_fieldname = 'BP_CENTRL'
        i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
        " it_attribute =
        " if_table     = 'X'
        i_tabtype   = if_usmd_model=>gc_tabtype_standard
      IMPORTING
        er_data     = lt_entity_data.

    ASSIGN ls_entity_data->* TO <fs_entity>.
    ASSIGN lt_entity_data->* TO <fs_t_entity>.

    " Read BP_CENTRL for the BP, including inactive data
    CALL METHOD lo_model_ext->read_char_value
      EXPORTING
        i_fieldname       = 'BP_CENTRL'
        it_sel            = lt_sel
        if_edition_logic  = abap_false
        i_readmode        = lv_mode
        if_use_edtn_slice = abap_false
      IMPORTING
        et_data           = <fs_t_entity>
        et_message        = DATA(lt_msg).

    IF <fs_t_entity> IS ASSIGNED AND <fs_t_entity> IS NOT INITIAL.
      LOOP AT <fs_t_entity> INTO <fs_entity>.
        ASSIGN COMPONENT 'NATPERS' OF STRUCTURE <fs_entity> TO FIELD-SYMBOL(<lfs_natpers>).
        " Check sy-subrc: after a failed ASSIGN the field symbol would
        " still point to the value of a previous loop pass.
        IF sy-subrc = 0.
          ev_output = <lfs_natpers>.
        ENDIF.
      ENDLOOP.
    ENDIF.
  ENDIF.
ENDMETHOD.
Create a policy and assign a rule to it to implement masking on the sensitive attributes.
Maintain Rule in the Policy
Build a rule for the requirement: if the BP is a natural person and the user does not have an authorized role (PFCG role), then the address & bank related fields are masked.
ABAC Policy Cockpit
Maintain the RFC Destination as NONE in the policy cockpit.
Sensitive attributes are the attributes on which masking is applied. Maintain the masking configuration for the sensitive attributes to assign the policy.
In the masking configuration, assign the policy that is evaluated for attribute-based masking.
Conclusion
In this blog post, we have learnt how masking is achieved in the Manage Business Partner app in MDG through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2022 solution.
Note
Maintain Settings for Masking Configuration Overview App | SAP Help Portal
Maintain Settings for Manage Sensitive Attributes App | SAP Help Portal
Maintain Settings for Manage Context Attributes App | SAP Help Portal
Maintain Settings for Manage Derived Attributes and Ranges App | SAP Help Portal
Maintain Settings for Manage ABAC Policies App | SAP Help Portal