
Attribute Based Access Control (ABAC) – Field Masking Scenario in Change Log (CD...

 3 years ago
source link: https://blogs.sap.com/2021/08/21/attribute-based-access-control-abac-field-masking-scenario-in-change-log-cdpos-table-in-se16-transaction/

Introduction

In this blog post, we will learn how to mask “New Value” and “Old Value” fields based on “Object Class” and “Field Name” field information of table CDPOS in SE16.

The “New Value” and “Old Value” fields of table CDPOS in the SE16 transaction need to be masked where “Object Class” is “MATERIAL” and “Field Name” is “NTGEW” or “BRGEW”. For any other “Object Class” and “Field Name” combination, the “New Value” and “Old Value” fields appear unmasked.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on context attributes of the user and of the data (for example, the prices of certain sensitive materials are masked).

The end result for unauthorized users will look like below:

1070.png

Prerequisite

UI data protection masking for SAP S/4HANA is a solution for selective masking of sensitive data on SAP S/4HANA user interfaces – SAP GUI, SAPUI5/SAP Fiori, Web Dynpro for ABAP, and Web Client UI. Data can be protected at field level, either by masking the content (replacing original characters with generic characters, such as asterisks) or by clearing or disabling the field.

The solution uses both role-based and attribute-based authorizations, affording customers a high degree of control.

Requirement

Here, we want to configure masking using Attribute Based Access Control (ABAC) concept for “New Value” and “Old Value” fields in CDPOS table in SE16 transaction based on “Object Class” and “Field Name” fields information. Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to protect sensitive data at field level and must be installed in the S/4HANA system.

Let’s begin

Configure Logical Attributes

Login to Fiori Launchpad and click on “Manage Sensitive Attributes” app available under “UI data protection masking” catalog.

797-1.png

798-1.png

Maintain Sensitive Attributes

A Sensitive Attribute is a type of logical attribute that defines a field which needs to be configured for UI data protection.

  • Click on Add icon

799-1.png

  • Enter “LA_NEWVALUE” in Sensitive Attribute field
  • Enter “New Value field -> CDPOS table” in Description field
  • Click on “Create” button

1071.png

  • The Sensitive Attribute with the specified details is created.

1072.png

Note: Using the above steps, create “LA_OLDVALUE” Sensitive Attribute.

1076.png

Maintain Mapping to Technical Addresses

In the Manage Sensitive Attributes application, you can link technical addresses of fields to sensitive attributes. A technical address describes the exact technical path or technical information which is used by the solution to process the field for UI data protection masking.

To find the technical addresses for SAP GUI screens, navigate to the field and choose F1, then the Technical Information icon. The system displays the relevant information.

  • Under Technical Mapping > SAP GUI, choose the Add icon.

  • Use the value help to select the table name and the field name. You can also enter the referenced transaction codes as a comment to describe the mapping.

1073-1.png

1074.png

1075.png

Note: Using the above steps, maintain Technical Address for “LA_OLDVALUE” Sensitive Attribute.

1077.png

Maintain Context Attributes

In the Manage Sensitive Attributes application, you can create and update context attributes, and map them to sensitive attributes.

A context attribute is a type of logical attribute which is used to define the context within which a sensitive attribute is to be protected.

  • To assign a context attribute to a sensitive attribute, under Context Attributes, choose the Add icon.
  • To create a new context attribute, select Create New, enter the name of the context attribute beginning with LA_ and a description.
  • Open a context attribute by tapping the arrow next to it; under Technical Mapping, you can map technical addresses to the context attribute in the same way as for the sensitive attribute.

1078.png

1079.png

1080.png

1081.png

1082.png

1083.png

Note: Using the above steps, create “LA_FLDNAME” Context Attribute and maintain Technical Address for “LA_FLDNAME” Context Attribute.

1084.png

1085.png

Note: Map both Context Attributes (LA_OBJCLAS and LA_FLDNAME) to the LA_OLDVALUE Sensitive Attribute using the “Use Existing” option.

1086.png

Masking Configuration

In the Manage Sensitive Attributes application, you can configure masking for a sensitive attribute to define in detail how it is to be protected in the system. Masking configuration defines which fields are to be masked for unauthorized users and in which contexts.

To configure masking for LA_NEWVALUE sensitive attribute, under Configuration > Masking Configuration, choose Edit.

  • Enable masking.
  • Select Attribute Based authorization concept.
  • Click on the “Add” icon next to the “Policy” edit box.

1087.png

  • Enter Policy Name as “POL_MASK_CDPOS”.
  • Enter Description as “Mask Sensitive fields in CDPOS table”.
  • Click on the “Create” button.

1088.png

  • Policy will get created.
  • Click on “Save” button.

1089.png

  • Click on the “Mask Sensitive fields in CDPOS table (POL_MASK_CDPOS)” link. You will be navigated to the “Manage ABAC Policies” app.

1090.png

1091.png

  • Choose “Edit” under the “Rule” section of the Policy.

1092.png

  • The ABAC Policy Cockpit opens.

1093.png

Write the following logic into the Policy:

1094.png

Note: Using the above steps, configure masking for LA_OLDVALUE Sensitive Attribute.

1095.png
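As an added illustration (not the product's policy language and not code from the post), the following Python simulates how the POL_MASK_CDPOS rule resolves for an unauthorized versus an authorized user reading CDPOS: masking applies only when both context conditions hold. The CDPOS column names OBJECTCLAS, FNAME, VALUE_OLD and VALUE_NEW used as the technical addresses, and the sample rows, are assumptions.

```python
# Added simulation of the POL_MASK_CDPOS rule; not SAP's policy DSL or product code.
from dataclasses import dataclass

# Logical attribute -> assumed technical address (CDPOS column), as mapped in the app.
SENSITIVE = {"LA_NEWVALUE": "VALUE_NEW", "LA_OLDVALUE": "VALUE_OLD"}
CONTEXT = {"LA_OBJCLAS": "OBJECTCLAS", "LA_FLDNAME": "FNAME"}

@dataclass(frozen=True)
class Policy:
    name: str
    conditions: dict   # context attribute -> values for which masking applies
    masked: tuple      # sensitive attributes the policy protects

# Mask New/Old Value only when Object Class is MATERIAL AND Field Name is NTGEW or BRGEW.
POL_MASK_CDPOS = Policy(
    name="POL_MASK_CDPOS",
    conditions={"LA_OBJCLAS": {"MATERIAL"}, "LA_FLDNAME": {"NTGEW", "BRGEW"}},
    masked=("LA_NEWVALUE", "LA_OLDVALUE"),
)

def mask(value: str) -> str:
    """Replace every character with an asterisk, keeping the field length."""
    return "*" * len(value)

def policy_applies(policy: Policy, row: dict) -> bool:
    """All context conditions must hold (AND); a missing column never matches."""
    return all(row.get(CONTEXT[attr]) in values
               for attr, values in policy.conditions.items())

def apply_masking(rows: list, policy: Policy, authorized: bool = False) -> list:
    """Return copies of the rows as an (un)authorized user would see them in SE16."""
    out = []
    for row in rows:
        shown = dict(row)
        if not authorized and policy_applies(policy, row):
            for attr in policy.masked:
                col = SENSITIVE[attr]
                shown[col] = mask(shown.get(col, ""))
        out.append(shown)
    return out

# Constructed CDPOS change-log rows (sample data, not taken from any system).
SAMPLE_CDPOS = [
    {"OBJECTCLAS": "MATERIAL", "TABNAME": "MARA", "FNAME": "NTGEW", "VALUE_OLD": "10.500", "VALUE_NEW": "12.000"},
    {"OBJECTCLAS": "MATERIAL", "TABNAME": "MARA", "FNAME": "BRGEW", "VALUE_OLD": "11.000", "VALUE_NEW": "12.750"},
    {"OBJECTCLAS": "MATERIAL", "TABNAME": "MARA", "FNAME": "MEINS", "VALUE_OLD": "KG", "VALUE_NEW": "G"},
    {"OBJECTCLAS": "EINKBELEG", "TABNAME": "EKPO", "FNAME": "NTGEW", "VALUE_OLD": "5.000", "VALUE_NEW": "6.000"},
]
```

Only the first two rows (MATERIAL with NTGEW or BRGEW) are masked for an unauthorized user; the MEINS row and the non-MATERIAL row stay readable, and an authorized user sees every row unchanged.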

Conclusion

In this blog post, we have learned how masking is achieved in the Change Log (CDPOS table) in the SE16 transaction based on contextual information.

