Attribute Based Access Control (ABAC) – Field Masking scenario in Analytical Queries using Query Monitor (RSRT TCode) in ABAP BICS Query Display mode
2023-12-18 13:47:20 Author: blogs.sap.com(查看原文) 阅读量:10 收藏

Introduction

In this blog, we will learn how to mask IBAN field information based on Company Code field information of SAF-T PL Bank Statement Item Analytical Query. Analytical Queries are used for reporting and analysis.

IBAN field information of SAF-T PL Bank Statement Item Analytical Query need to be masked where “Company Code” is “0001”, “PEG1”, and “PCZ1”. For other “Company Code”, “IBAN” field will appear as unmasked.

Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

S/4HANA Embedded Analytics

Analytics is one of the most typical and tangible values of S/4HANAS/4HANA Embedded Analytics is the function for real-time operational analytics in S/4HANA. It consists of ABAP CDS Views as data source and Fiori Analytical application as the frontend. As the frontend, other than S/4HANA Embedded Analytics, SAP Analytics Cloud is available which is used together with S/4HANA embedded analytics.

Query Monitor (RSRT TCode)

The Query Monitor tests, checks, and is used to test or regenerate queries and query views, and to check or change query properties. A detailed analysis of queries can be done with the transaction RSRT (Query Monitor) in a very convenient way. With the help of the Query Monitor you can run and analyze queries without a BW front end.

To launch the Query Monitor, execute transaction RSRT.

Here, we will use Query Monitor to showcase masking of sensitive fields of analytical queries. We will configure masking through UI Data Protection Masking for SAP S/4HANA 2011 solution based on Attribute Based Authorization Control (ABAC) concept.

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUISAPUI5/SAP FioriCRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we want to configure masking for IBAN field information based on Company Code field information in SAF-T PL Bank Statement Item Analytical Query result using Attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configuration to achieve Masking

Logical Attribute is a functional modelling of how any attribute such as Social Security NumberBank Account NumberAmountsPricing informationQuantity etc. should behave with masking.

Configure Context Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow below mentioned steps:

Under “Maintain Logical Attributes”, maintain following logical attribute.

Company Code

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE
  • Enter “Description” as “EA Company Code”
  • Click on “Save” button

Configure Sensitive Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Logical Attributes

Follow below mentioned steps:

Under “Maintain Logical Attributes”, maintain following logical attribute.

IBAN

  • Click on “New Entries” button
  • Enter “Logical Attribute” as “LA_EA_IBAN
  • Enter “Description” as “EA IBAN Information”
  • Select “Is Sensitive” checkbox
  • Click on “Save” button

Maintain Analytics Technical Address

To suppress the records in Analytical Queries, Technical Information (InfoProvider-Query-InfoObject) is required. To retrieve the Technical Address for Analytical Query fields, you need to use Recording Tool feature to get the Technical Address as Technical Information on press of F1 key is not available here.

Refer to this blog to know how to use the Recording tool.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Analytics Technical Address

Follow below mentioned steps:

Under “Analytics Technical Address”, maintain technical address for following field.

Company Code

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CCSAFTBNKSTITMC
  • Enter “Query” as “2CCSAFTBNKSTITMQ
  • Enter “InfoObject” as “2CF9SZ7VRFLVGPX8LFP23YH2722
  • Enter “Logical Attribute” as “LA_EA_COMP_CODE
  • Enter “Description” as “EA Company Code
  • Click on “Save” button

IBAN

  • Click on “New Entries” button
  • Enter “InfoProvider” as “2CCSAFTBNKSTITMC
  • Enter “Query” as “2CCSAFTBNKSTITMQ
  • Enter “InfoObject” as “2CCSAFTBNKSTITMC-IBAN
  • Enter “Logical Attribute” as “LA_EA_IBAN
  • Enter “Description” as “EA IBAN Information”
  • Click on “Save” button

Configure Value Range

Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition – Follow below mentioned steps:

Sensitive Company List
  • Click on “New Entries” button
  • Enter “List of Values” as “VR_PROTECTED_COMPANY_CODE
  • Enter “Description” as “Protected Company Codes
  • Click on “Save” button

Enter following entries in “VR_PROTECTED_COMPANY_CODE” Value Range

Follow below mentioned steps:

  • Execute Transaction Code “/UISM/V_RANGE
  • Click on “VR_PROTECTED_COMPANY_CODE” Value Range
  • Click on “Display<- -> Change” button
  • Click on “Add New Entry” button
  • Add following entries under “Include Value” tab and click on “Save” button

Policy Configuration

Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:

  • Click on “New Entries” button
  • Enter “Policy Name” as “POL_MASK_IBAN
  • Select “Type” as “Field Level Masking
  • Enter “Description” as “Mask IBAN based on Company Code in EA Query
  • Click on “Save” button

Write following logic into Policy

Maintain Field Level Security and Masking Configuration

Here, we will define how masking will behave with the logical attribute that we created in the above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Field Level Security and Masking Configuration

Follow below mentioned steps:

  • Click on “New Entries” button
  • Enter “Sensitive Entity” as “LA_EA_IBAN” and press “Enter” key. “Description” will get populated in corresponding fields
  • Check “Enable Configuration” checkbox
  • Select “Attribute Based Authorization” option
  • Enter “Policy Name” as “POL_MASK_IBAN
  • Click on “Save” button

Masking in ABAP BICS Query Display Mode

Follow below mentioned steps:

  • Execute “RSRT” TCode
  • Enter “Query” as “2CCSAFTBNKSTITMC/2CCSAFTBNKSTITMQ
  • Select “Query Display” mode as “ABAP BICS
  • Click on “Execute” button

  • Enter highlighted search criteria in the corresponding fields and click on “OK” button

  • IBAN field value will appear as masked where Company Code is “0001″, “PEG1″, and “PCZ1″.

Conclusion

In this blog post, we have learnt how Attribute-based masking is achieved in Analytical Queries in Query Monitor (RSRT TCode) in ABAP BICS Query Display mode for masking sensitive field information.


文章来源: https://blogs.sap.com/2023/12/18/attribute-based-access-control-abac-field-masking-scenario-in-analytical-queries-using-query-monitor-rsrt-tcode-in-abap-bics-query-display-mode/
如有侵权请联系:admin#unsafe.sh