Implementing attribute-based masking using UI Data Protection Masking for S/4HANA 1809 On-Premise [Case Study of masking sensitive fields in Material BOM (T/code CS01/CS02/CS03 and COR1/COR2/COR3) based on Product Hierarchy of Main Material]
Business Requirement
Business Requirement 1: Masking of BOM components for some selected values of Product Hierarchy
The business requirement is to mask some sensitive fields in Material BOM, only for some given values of Product Hierarchy for main Materials. As an example:
Consider Material B20000002 having Product Hierarchy as E7:
When the Material BOM for this Material is displayed (using T/code CS03):
Press ENTER. The following screen will be displayed:
Note that in the above screenshot, the columns Component, Component Description and Quantity are masked for unauthorized users.
The same result should be obtained when the Material BOM screen is reached from Display Process Order (T/code COR3) for the same main Material. Consider the example below:
Press ENTER. Note that this Process Order uses the same main Material B20000002 having Product Hierarchy E7.
Browse to the Master Data tab, and double-click on the Bill of Material 00000484 (as highlighted in the screen below):
The same screen (as before) will be displayed with the masked values for the fields:
Business Requirement 2: No Masking of BOM components for other values of Product Hierarchy
On the other hand, if the Product Hierarchy is something different from E7, then these fields should not be masked. Consider the example below:
Consider Material BULK_01 having Product Hierarchy as E6 (i.e. different from E7):
When the Material BOM for this Material is displayed (using T/code CS03):
Press ENTER. The following screen will be displayed:
Note that in the above screenshot, the columns Component, Component Description and Quantity are NOT masked (not even for unauthorized users).
The same result should be obtained when the Material BOM screen is reached from Display Process Order (T/code COR3) for the same main Material. Consider the example below:
Press ENTER. Note that this Process Order uses the same main Material BULK_01 having Product Hierarchy E6.
Browse to the Master Data tab, and double-click on the Bill of Material 00000412 (as highlighted in the screen below):
The same screen (as before) will be displayed with the non-masked values for the highlighted fields:
Security Requirements/Authorization Details
For the masking of Material BOM sensitive fields (based on Product Hierarchy), a custom PFCG role (in this example, ZTEST_UISM_PFCG_ROLE_BOM) needs to be configured by the Security team. All users assigned to this role will be able to view/edit the sensitive fields. All remaining users (who are not assigned to this role) will not be able to view the contents of these sensitive fields.
For our testing purposes, we have assigned the above role to only 2 users. This means that only these 2 users should be able to view the contents of the sensitive fields in Material BOM (for Product Hierarchy E7), while all remaining users will see a masked value in the sensitive fields.
Technical Solution
To implement the above Business Requirement, we will be leveraging the Attribute based Masking capability of the addon UI Data Protection Masking for S/4HANA. It is important to note here that:
Our masking requirement here is based on a Derived Attribute (i.e. Product Hierarchy), which is derived from the Material Master for the given Material.
Product Hierarchy does not appear directly in the T/codes (CS01/02/03 or COR1/2/3) where the masking is required. Instead, only the Material number is available in these T/codes, so the Product Hierarchy has to be derived from it at runtime.
Perform the following steps in SPRO:
Step 1: Maintain Global Flag for Solution
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Enable UI Data Protection Masking –> Maintain Global Flag for Solution
Step 2: Maintain Flag: Data Protection Options
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Enable UI Data Protection Masking –> Maintain Flag: Data Protection Options
Step 3: Maintain Global Flag: Reveal on Demand
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Enable UI Data Protection Masking –> Maintain Global Flag: Reveal on Demand
Step 4: Maintain Logical Attributes
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Maintain Metadata Configuration –> Maintain Logical Attributes
Step 5: Maintain Value Range Definition for Product Hierarchies
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Maintain Metadata Configuration –> Maintain Attributes and Ranges for Policy
Step 6: Maintain Value Range List for Product Hierarchies
Execute the standard SAP T/code /UISM/V_RANGE. Select the name of the Value Range (created in Step 5) and press the Display button.
Maintain the list of values of Product Hierarchies, for which the sensitive fields in Material BOM should be masked (as shown in the screen below). This is like maintaining a SELECT-OPTION:
Step 7: Maintain Derived Attribute for Product Hierarchy
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Maintain Metadata Configuration –> Maintain Attributes and Ranges for Policy
Step 8: Create call-back ABAP Class for Derived Attribute for Product Hierarchy
In Step 7, notice that we assigned a call-back ABAP Class ZCLTEST_PRODH_CS03 to the Derived Attribute DA_PRODUCTHIERARCHY. This Class must implement the standard SAP Interface /UISM/IF_DERIVED_ATTR_VALUE. Inside this Class, we write the code to determine the main Material; depending on the T/code, it is either passed in by the framework as a name/value pair or has to be read from the global data of a calling program higher up in the call stack. Thereafter, the Product Hierarchy of this main Material is read from the Material Master (MARA). The following is sample code for the above Class:
CLASS zcltest_prodh_cs03 DEFINITION
  PUBLIC
  FINAL
  CREATE PUBLIC.

  PUBLIC SECTION.
    INTERFACES /uism/if_derived_attr_value.
  PROTECTED SECTION.
  PRIVATE SECTION.
ENDCLASS.

CLASS zcltest_prodh_cs03 IMPLEMENTATION.

* <SIGNATURE>---------------------------------------------------------------+
* | Instance Public Method ZCLTEST_PRODH_CS03->/UISM/IF_DERIVED_ATTR_VALUE~EXECUTE
* +--------------------------------------------------------------------------+
* | [--->] IT_NAME_VALUE_PAIR TYPE /UISM/T_NAME_VALUE_PAIR
* | [<---] EV_OUTPUT TYPE STRING
* +-------------------------------------------------------------</SIGNATURE>
  METHOD /uism/if_derived_attr_value~execute.
    DATA: lv_matnr TYPE matnr,
          lv_prodh TYPE prodh_d.

* Get Material Number: passed by the framework as logical attribute LA_MATERIAL (CS01/02/03) ...
    IF line_exists( it_name_value_pair[ sem_attribute = 'LA_MATERIAL' ] ).
      lv_matnr = it_name_value_pair[ sem_attribute = 'LA_MATERIAL' ]-value_int.
* ... or as the assembly (BAUGR) of the component list in COOISPI
    ELSEIF line_exists( it_name_value_pair[ field1     = 'COOISPI'
                                            field2     = 'PPIO_ENTRY'
                                            field3     = 'IOOPCOMP'
                                            field_name = 'BAUGR' ] ).
      lv_matnr = it_name_value_pair[ field1     = 'COOISPI'
                                     field2     = 'PPIO_ENTRY'
                                     field3     = 'IOOPCOMP'
                                     field_name = 'BAUGR' ]-value_int.
    ELSE.
* For BOM - CS02: read the header material from the global data of the calling program
      ASSIGN ('(SAPLCSDI)RC29K-MATNR') TO FIELD-SYMBOL(<lv_matnr>).
      IF <lv_matnr> IS ASSIGNED AND <lv_matnr> IS NOT INITIAL.
        lv_matnr = <lv_matnr>.
      ELSE.
* For BOM in Materials tab in Recipe Group - C203
        ASSIGN ('(SAPLCMDI)RCM01-MATNR') TO <lv_matnr>.
        IF <lv_matnr> IS ASSIGNED AND <lv_matnr> IS NOT INITIAL.
          lv_matnr = <lv_matnr>.
        ELSE.
* For Operations in Recipe Group
* Select any one Material assigned to the Recipe Group (group counter) via MAPL
          ASSIGN ('(SAPLCPDI)PLKOD-PLNNR') TO FIELD-SYMBOL(<lv_plnnr>).
          IF <lv_plnnr> IS NOT ASSIGNED.
            ASSIGN ('(SAPLCPDO)PLKOD-PLNNR') TO <lv_plnnr>.
            IF <lv_plnnr> IS NOT ASSIGNED.
* For COOISPI - Operations (sy-subrc = 4 and <lv_plnnr> stays unassigned if no such line)
              ASSIGN it_name_value_pair[ field1     = 'COOISPI'
                                         field2     = 'PPIO_ENTRY'
                                         field3     = 'IOOPER'
                                         field_name = 'PLNNR' ]-value_int TO <lv_plnnr>.
            ENDIF.
          ENDIF.
          ASSIGN ('(SAPLCPDI)PLKOD-PLNAL') TO FIELD-SYMBOL(<lv_plnal>).
          IF <lv_plnal> IS NOT ASSIGNED.
            ASSIGN ('(SAPLCPDO)PLKOD-PLNAL') TO <lv_plnal>.
            IF <lv_plnal> IS NOT ASSIGNED.
* For COOISPI - Operations
              ASSIGN it_name_value_pair[ field1     = 'COOISPI'
                                         field2     = 'PPIO_ENTRY'
                                         field3     = 'IOOPER'
                                         field_name = 'PLNAL' ]-value_int TO <lv_plnal>.
            ENDIF.
          ENDIF.
          IF <lv_plnnr> IS ASSIGNED AND
             <lv_plnal> IS ASSIGNED.
            SELECT matnr UP TO 1 ROWS
              INTO lv_matnr
              FROM mapl
              WHERE plnnr = <lv_plnnr>
                AND plnal = <lv_plnal>.
            ENDSELECT.
          ENDIF.
        ENDIF.
      ENDIF.
    ENDIF.

    IF NOT lv_matnr IS INITIAL.
* Convert Material to internal format before reading MARA
      CALL FUNCTION 'CONVERSION_EXIT_MATN1_INPUT'
        EXPORTING
          input        = lv_matnr
        IMPORTING
          output       = lv_matnr
        EXCEPTIONS
          length_error = 1
          OTHERS       = 2.
      IF sy-subrc = 0.
* Get Product Hierarchy of Material; ev_output stays initial if the material is unknown
        SELECT SINGLE prdha INTO @lv_prodh FROM mara
          WHERE matnr = @lv_matnr.
        IF sy-subrc = 0.
          ev_output = lv_prodh.
        ENDIF.
      ENDIF.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
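As an added check that is not part of the original post, the following ABAP Unit test class exercises the call-back above with constructed master data instead of the real MARA table. It assumes S/4HANA 1809 (ABAP 7.53), where CL_OSQL_TEST_ENVIRONMENT is available, that IT_NAME_VALUE_PAIR carries the material number in VALUE_INT as the sample code reads it, and that the class is placed in the Test Classes include of ZCLTEST_PRODH_CS03.

```abap
CLASS ltc_prodh_cs03 DEFINITION FINAL FOR TESTING
  DURATION SHORT RISK LEVEL HARMLESS.
  PRIVATE SECTION.
    CLASS-DATA go_osql TYPE REF TO if_osql_test_environment.
    DATA mo_cut TYPE REF TO zcltest_prodh_cs03.
    CLASS-METHODS class_setup.
    CLASS-METHODS class_teardown.
    METHODS setup.
    METHODS hierarchy_from_la_material FOR TESTING.
    METHODS unknown_material_stays_empty FOR TESTING.
ENDCLASS.

CLASS ltc_prodh_cs03 IMPLEMENTATION.
  METHOD class_setup.
    " Redirect Open SQL on MARA and MAPL to in-memory doubles (no real master data is touched)
    go_osql = cl_osql_test_environment=>create( i_dependency_list = VALUE #( ( 'MARA' ) ( 'MAPL' ) ) ).
  ENDMETHOD.

  METHOD class_teardown.
    go_osql->destroy( ).
  ENDMETHOD.

  METHOD setup.
    " Constructed sample row: material B20000002 carries product hierarchy E7, as in the case study
    DATA lt_mara TYPE STANDARD TABLE OF mara WITH EMPTY KEY.
    go_osql->clear_doubles( ).
    lt_mara = VALUE #( ( matnr = 'B20000002' prdha = 'E7' ) ).
    go_osql->insert_test_data( lt_mara ).
    mo_cut = NEW #( ).
  ENDMETHOD.

  METHOD hierarchy_from_la_material.
    " CS03 path: the framework hands the material over as logical attribute LA_MATERIAL
    DATA lt_pairs TYPE /uism/t_name_value_pair.
    lt_pairs = VALUE #( ( sem_attribute = 'LA_MATERIAL' value_int = 'B20000002' ) ).
    mo_cut->/uism/if_derived_attr_value~execute(
      EXPORTING it_name_value_pair = lt_pairs
      IMPORTING ev_output          = DATA(lv_output) ).
    cl_abap_unit_assert=>assert_equals( act = lv_output exp = |E7| ).
  ENDMETHOD.

  METHOD unknown_material_stays_empty.
    " No master record: the derived attribute must stay initial, so the policy's
    " range check on E7 cannot match and the masking decision is not taken by accident
    DATA lt_pairs TYPE /uism/t_name_value_pair.
    lt_pairs = VALUE #( ( sem_attribute = 'LA_MATERIAL' value_int = 'NOSUCHMAT' ) ).
    mo_cut->/uism/if_derived_attr_value~execute(
      EXPORTING it_name_value_pair = lt_pairs
      IMPORTING ev_output          = DATA(lv_output) ).
    cl_abap_unit_assert=>assert_initial( lv_output ).
  ENDMETHOD.
ENDCLASS.
```

Only the LA_MATERIAL branch is covered here; the branches that read RC29K-MATNR, RCM01-MATNR or PLKOD-PLNNR from a calling program's global memory depend on the real call stack of CS02/C203/COOISPI and are best verified in the transaction itself.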
Step 9: Maintain Policy Details for Attribute based Authorizations
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Data Protection Configuration –> Maintain Policy Details for Attribute based Authorizations
After creating the above entry for Policy, select the Policy Name and press ABAP Policy Cockpit button to formulate the Policy (as highlighted in the screen below):
The following screen will be displayed, where we can define the Preconditions and the Rule for Masking:
Step 10: Maintain Field Level Security and Masking Configuration
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Data Protection Configuration –> Maintain Field Level Security and Masking Configuration
Step 11: Maintain Technical Address
SAP IMG –> SAP NetWeaver –> UI Data Protection Masking for SAP S/4HANA –> Maintain Metadata Configuration –> Maintain Technical Address
Mass Configuration was also carried out to generate the Customizing for the following screens:
Also, all programs were generated by pressing the following button:
[Note: This step (of generating the programs) must be performed manually in each and every system and client after the Transport requests are moved]