Technology Blogs by SAP
Introduction

In this blog, let us take a technical deep dive into the scenario of masking FPM (Web Dynpro) fields in the Master Data Governance (MDG) Change Request UI.

As you may already know, SAP provides two types of UI Masking:

  • Role Based (RBAC)

  • Attribute Based (ABAC)


We will cover Attribute Based UI Masking in detail, specifically for the MDG Business Partner UI.

Requirement

The business requirement is to mask sensitive fields (i.e. Bank and Address related fields) in the MDG Business Partner UI if the business partner is marked as a natural person and the user does not have the authorized role (PFCG role) to view or modify the data in the sensitive fields.


Masking on Address



Masking on Bank


Prerequisites

  • A valid license is required for UI Masking. Make sure the UI Masking related components UIDP-100 and UIDPUI5-100 are installed.

  • The notes below must be implemented.



Maintain Global Flags

  • Maintain global flags for UI data protection masking in Customizing under ABAP Platform -> UI Data Protection Masking for SAP S/4 HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Global Flags


 

  • Maintain the package and namespace for policy creation in Customizing for ABAP Platform under UI Data Protection Masking for SAP S/4 HANA -> Basic Settings -> Enable UI Data Protection Masking -> Maintain Package and Namespace for Policy Creation




Masking Configuration & Development





  • Maintain Context Attributes for Masking


Configure the Business Partner as a Logical (or Context) Attribute; it is used to obtain the value of the natural person field of the Business Partner.


Also create logical attributes for the Bank and Address related fields that are to be masked in the UI, because they are business-critical sensitive attributes.


Create all logical attributes with the prefix LA_, and enable the sensitive flag for those logical attributes that are sensitive.



 

Assign all the context attributes into a transport request.



In the technical mapping, assign all the FPM Web Dynpro fields relevant for Business Partner, Bank and Address.



Business Partner


 


Bank


 


Address


Collect the technical details of the field from the FPM UI to configure Technical Mapping in Masking.





  • Maintain Derived attribute for Natural Person


Configure Natural Person as a Derived Attribute with the prefix DA_ to obtain the value of the natural person field from the FPM UI at run time.



 


 

Create a class ZCL_MDGBP_MASKING_NAT_PERSON that implements the interface /UISM/IF_DERIVED_ATTR_VALUE, and add the logic that reads the natural person field of the Business Partner in the method EXECUTE.


Create one static public attribute (GV_BP) in the class to hold the business partner ID, which is passed to the MDG API READ_CHAR_VALUE to obtain the value of the natural person field.



 


Source Code:



  METHOD /uism/if_derived_attr_value~execute.

    " Returns the NATPERS (natural person) flag of the business partner
    " that is displayed in the current MDG change request UI.
    DATA: lv_bp   TYPE bu_businesspartner.
    DATA: lv_mode TYPE usmd_readmode_ext VALUE if_usmd_model_ext=>gc_readmode_all_inact.
    DATA: lt_sel  TYPE usmd_ts_sel,
          ls_sel  TYPE usmd_s_sel.
    DATA: lt_entity_data TYPE REF TO data,
          ls_entity_data TYPE REF TO data.
    DATA  lt_objlist TYPE usmd_t_crequest_entity.

    FIELD-SYMBOLS:
      <fs_entity>   TYPE any,
      <fs_t_entity> TYPE ANY TABLE.

    " Default is "not a natural person": if the BP cannot be determined
    " below, the sensitive fields therefore remain unmasked.
    ev_output = abap_false.

    " Change request ID from the running MDG application context
    DATA(lo_context) = cl_usmd_app_context=>get_context( ).

    IF lo_context IS BOUND.
      DATA(lv_crequest) = lo_context->mv_crequest_id.
    ENDIF.

    cl_usmd_model_ext=>get_instance(
      EXPORTING
        i_usmd_model = 'BP'
      IMPORTING
        eo_instance  = DATA(lo_model_ext) ).

    IF lv_crequest IS NOT INITIAL.
      " Read the object list of the change request to find the BP_HEADER key
      CLEAR: ls_sel, lt_sel.
      ls_sel-fieldname = usmd0_cs_fld-crequest.
      ls_sel-sign      = 'I'.
      ls_sel-option    = 'EQ'.
      ls_sel-low       = lv_crequest.
      INSERT ls_sel INTO TABLE lt_sel.

      lo_model_ext->read_char_value(
        EXPORTING
          i_fieldname       = usmd0_cs_fld-crequest
          it_sel            = lt_sel
          if_use_edtn_slice = abap_false
        IMPORTING
          et_data           = lt_objlist ).

      LOOP AT lt_objlist INTO DATA(ls_objlist) ##INTO_OK.
        IF ls_objlist-usmd_entity = 'BP_HEADER'.
          " GV_BP is a static attribute: it keeps the BP found here for the
          " rest of the session and is used as fallback further below.
          gv_bp = ls_objlist-usmd_value.
          EXIT.
        ENDIF.
      ENDLOOP.
    ENDIF.

    " Read the BP number from the context attribute passed by the masking framework
    READ TABLE it_name_value_pair INTO DATA(ls_nvp)
      WITH KEY sem_attribute = 'LA_BUSINESS_PARTNER'.

    IF sy-subrc = 0 OR gv_bp IS NOT INITIAL.
      IF ls_nvp-value_int IS NOT INITIAL.
        lv_bp = ls_nvp-value_int.
        gv_bp = ls_nvp-value_int.
      ELSE.
        lv_bp = gv_bp.
      ENDIF.
    ENDIF.

    " ----------------------------------------------------------------
    " READ BP DATA
    " ----------------------------------------------------------------
    IF lv_bp IS NOT INITIAL.
      " Pad the BP number with leading zeros to match the stored key
      CALL FUNCTION 'CONVERSION_EXIT_ALPHA_INPUT'
        EXPORTING
          input  = lv_bp
        IMPORTING
          output = lv_bp.

      " Selection table for BP header data
      CLEAR: ls_sel, lt_sel.
      ls_sel-fieldname = if_mdg_bp_constants=>gc_field-bp_header. "'BP_HEADER'
      ls_sel-sign      = 'I'.
      ls_sel-option    = 'EQ'.
      ls_sel-low       = lv_bp.
      INSERT ls_sel INTO TABLE lt_sel.

      " Work area for a single BP_CENTRL record
      lo_model_ext->create_data_reference(
        EXPORTING
          i_fieldname = 'BP_CENTRL'
          i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
          if_table    = abap_false
          i_tabtype   = if_usmd_model=>gc_tabtype_standard
        IMPORTING
          er_data     = ls_entity_data ).

      " Internal table of BP_CENTRL records
      lo_model_ext->create_data_reference(
        EXPORTING
          i_fieldname = 'BP_CENTRL'
          i_struct    = if_usmd_gov_api_entity=>gc_struct_key_attr
          if_table    = abap_true
          i_tabtype   = if_usmd_model=>gc_tabtype_standard
        IMPORTING
          er_data     = lt_entity_data ).

      ASSIGN ls_entity_data->* TO <fs_entity>.
      ASSIGN lt_entity_data->* TO <fs_t_entity>.

      " Read the BP central data; the read mode also covers inactive
      " (not yet approved) change request data
      lo_model_ext->read_char_value(
        EXPORTING
          i_fieldname       = 'BP_CENTRL'
          it_sel            = lt_sel
          if_edition_logic  = abap_false
          i_readmode        = lv_mode
          if_use_edtn_slice = abap_false
        IMPORTING
          et_data           = <fs_t_entity>
          et_message        = DATA(lt_msg) ).

      IF <fs_t_entity> IS ASSIGNED AND <fs_t_entity> IS NOT INITIAL.
        LOOP AT <fs_t_entity> INTO <fs_entity>.
          " NATPERS is the natural person flag of the BP central data
          ASSIGN COMPONENT 'NATPERS' OF STRUCTURE <fs_entity>
            TO FIELD-SYMBOL(<lfs_natpers>).
          IF <lfs_natpers> IS ASSIGNED.
            ev_output = <lfs_natpers>.
          ENDIF.
        ENDLOOP.
      ENDIF.
    ENDIF.

  ENDMETHOD.



  • Maintain attribute-based Policy.


Create a policy and assign it a rule that implements masking on the sensitive attributes.



 


 


 

Maintain Rule in the Policy


Build a rule for the requirement: if the BP is a natural person and the user does not have the authorized role (PFCG role), then the Address and Bank related fields are masked.



ABAC Policy Cockpit


Maintain the RFC Destination as NONE in the policy cockpit.



 


 




  • Maintain Sensitive Attribute for Bank & Address related fields for BP


Sensitive attributes are the attributes on which masking is applied. Create a masking configuration for the sensitive attributes in order to assign the policy.



 


 

In the masking configuration, assign the policy that is evaluated for attribute-based masking.



 


 

Conclusion

In this blog post, we have learnt how masking is achieved in the Manage Business Partner app in MDG through the Manage Sensitive Attributes app provided by the UI Data Protection Masking for SAP S/4HANA 2022 solution.

 

Note

  • Refer to the links below to configure the steps to activate or enable the masking-related applications.


Maintain Settings for Masking Configuration Overview App | SAP Help Portal


Maintain Settings for Manage Sensitive Attributes App | SAP Help Portal


Maintain Settings for Manage Context Attributes App | SAP Help Portal


Maintain Settings for Manage Derived Attributes and Ranges App | SAP Help Portal


Maintain Settings for Manage ABAC Policies App | SAP Help Portal




  • In case of any support queries, raise an incident with SAP under component GRC-UDS-DO.
