Attribute Based Access Control – Data Blocking based on Company Code and Sales O...

Introduction

As part of this blog, we will compare logged-in user’s attributes with attributes of data that logged-in user is trying to access.

As example, we have considered a scenario where customer data will be filtered out for logged-in user if logged-in user’s authorizations for company code and sales organization do not match with company code and sales organization of customer record that user is trying to access.

These will be achieved using Attribute Based Access Control (ABAC). Attribute based authorizations are dynamic determination mechanism which determines whether a user is authorized to access specific data sets which can be based on the context attributes of the user and data (for example, price of certain sensitive materials are masked).

The end result will appear as:

Prerequisite

UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

Product “UI data protection masking for SAP S/4HANA” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement

Here, we are blocking the customers to be shown to the unauthorised users based on the company code and sales organisation.

The logged-in user is authorized to see customer data for following scenarios:

• If the logged-in user belongs to the same company code and sales organization (has required roles/authorizations) as that of the customer record (master data) then customer data will be displayed to the user.
• If the logged-in user is authorized for all company codes and sales organizations (i.e., Authorization value is maintained as ‘*’ (star) in role) Then irrespective of whether the company code of the customer is maintained or not, the data will be displayed to the user. The same is applicable for sales organization.

The logged in user is not authorized to see customer data for below scenarios:

• If the logged-in user belongs to a particular company code and the company code of the customer is different or not maintained, the data will be blocked for the user. The same is applicable for sales organization.

Configuration to achieve Data Block

Sensitive Attribute is a functional modelling of how any attribute such as Social Security Number, Bank Account Number, Amounts, Pricing information, Quantity etc. should behave with masking.

Configure Sensitive Attribute

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Metadata Configuration -> Maintain Logical Attributes

Customer ID

Maintain Technical Address

In this step, we will associate the Technical Address of the fields to be masked with the Logical Attributes.

You can get the Technical Address of a GUI field by pressing “F1” on the field.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Maintain Metadata Configuration -> Maintain Technical Address

Follow below mentioned steps:

Under “GUI Table Field Mapping”, maintain technical address for following field using the below mentioned steps.

• Click on “New Entries” button
• Enter Table Name as “M_DEBIA” for search help “DEBIA”
• Enter Field Name as “KUNNR” based on which blocking will happen
• Enter the logical attribute as “LA_CUSTOMERID”

Configure Derived Attribute

Derived Attribute is a code break-out point available to be consumed in masking policies and gives flexibility to customers to build complex scenarios.

Follow the given path:

SPRO -> SAP Net Weaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy –

Follow below mentioned steps:

• Click on “New Entries” button
• Enter “Derived Attribute” as “DA_CHECK_AUTH”
• Enter “Class Name” as “ZCL_CHECK_AUTH”
• Enter a “Description” as “Check user authorization for suppressing the customer details”
• Click on “Save” button

Now, let’s give implementation to the class “ZCL_CHECK_AUTH“.

Implement the interface “/UISM/IF_DERIVED_ATTR_VALUE” in your class –

Below is sample implementation of the method “/UISM/IF_DERIVED_ATTR_VALUE~EXECUTE”

  METHOD /uism/if_derived_attr_value~execute.
*   In this derived attribute class, we do the folllowing
*   1) Find Company Code and Sales Org of Customer being viewed
*   2) Check if current logged-in user has authorizations for
*      Customer's Company Code and Sales Org. derived step-1 above
*   3) Compare Customer's company Code and Sales Org with Company Code
*      and Sales Org for logged-in user
*   4) If both doesnt matches, then we return a flag so that policy can
*      block the current customer record

    DATA: lv_ccode_flag TYPE boolean, " Company Code Flag
          lv_sorg_flag  TYPE boolean. " Sales Organisation Flag

    CLEAR ev_output.

    " Step 1: Get Customer number from Name Value Pair
    DATA(lv_kunnr) = it_name_value_pair[ sem_attribute = 'LA_CUSTOMERID' ]-value_int.
    IF lv_kunnr IS INITIAL.
      RETURN.
    ENDIF.

    " Step 2: Find customer Sales Org and Company Code
    SELECT a~vkorg,
           b~bukrs
           FROM knvv AS a
           INNER JOIN knb1 AS b
           ON a~kunnr = b~kunnr
           INTO TABLE @DATA(lt_cust_details)
           WHERE a~kunnr = @lv_kunnr.
    IF sy-subrc NE 0.
      RETURN.
    ENDIF.

    " Step 3: Now get logged-in User's details. Check if logged-in user has auth for
    " Sales Org and Company Code derived in step 2 using Auth Object
    LOOP AT lt_cust_details ASSIGNING FIELD-SYMBOL(<fs_customer>).

      " Check logged-in user's auth of Sales Org
      " Here, we are checking Logged-in users auth for
      " Sales Org of Customer(record) that he is trying to access
      AUTHORITY-CHECK OBJECT 'V_VBKA_VKO'
                          ID 'VKORG' FIELD <fs_customer>-vkorg.
      IF sy-subrc = 0 AND lv_sorg_flag = abap_false.
        lv_sorg_flag = abap_true.
      ELSE.
        lv_sorg_flag = abap_false.
      ENDIF.

      " Check logged-in user's auth of Company Code
      " Here, we are checking Logged-in users auth for
      " Company Code of Customer(record) that he is trying to access
      AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
                          ID 'BUKRS' FIELD <fs_customer>-bukrs.
      IF sy-subrc = 0 AND lv_ccode_flag = abap_false.
        lv_ccode_flag = abap_true.
      ELSE.
        lv_ccode_flag = abap_false.
      ENDIF.
    ENDLOOP.

*/-- Step 4: Return flag as true if user doesn’t have auth for Sales org ,Sales Office or CCode derived in step 2
    IF lv_ccode_flag EQ abap_false OR
       lv_sorg_flag EQ abap_false .

      ev_output = abap_true. "True = Block record
    ENDIF.

  ENDMETHOD.

Policy Configuration

A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which has to be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Create a Policy

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute-Based Authorizations

Follow below mentioned steps:

• Click on “New Entries” button
• Enter “Policy Name” as “ZPOL_BLOCK_CUSTOMER”
• Select “Type” as “Data Blocking”
• Enter “Description” as “Policy For Blocking Customer ID In Search Help”
• Click on “Save” button

Write following logic into Policy

Maintain Data Blocking Configuration

Here, we will define how masking will behave with the logical attribute that we created in above step.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Data Protection Configuration -> Maintain Data Blocking Configuration

Follow below mentioned steps:

• Click on “New Entries” button
• Enter “Sensitive Entity” as “LA_CUSTOMERID” and press “Enter” key. “Description” and “Application Module” will get populated in corresponding fields
• Check “Enable Data Block” check-box
• Enter “Policy Name” as “ZPOL_BLOCK_CUSTOMER”
• Click on “Save” button

Conclusion

In this blog post, we have learnt how Data Blocking is achieved in DEBIA Search Help based on Company Code and Sales Organization information.