Financial Management Blogs by SAP
Get financial management insights from blog posts by SAP experts. Find and share tips on how to increase efficiency, reduce risk, and optimize working capital.
AmitKrSingh
Advisor

Introduction


In this blog, we will learn how to prevent SAP GUI transactions from starting. When unauthorized users attempt to start a transaction, they will be shown a message that the transaction is blocked by UI data protection masking.

From the perspective of an end user, application blocking behaves in the same way as traditional authorization checks. However, it has the advantage that you can configure it more flexibly, using a policy that can contain different environment variables such as IP address, user terminal, etc.

Attribute-based authorization is a dynamic determination mechanism that decides whether a user is authorized to access specific data sets, based on the context attributes of the user and the data (for example, the prices of certain sensitive materials are masked).

We will configure SAP GUI transaction blocking through the UI Data Protection Masking for SAP S/4HANA 2011 solution, based on the Attribute Based Authorization Control (ABAC) concept.

Prerequisite


UI Data Protection Masking for SAP S/4HANA is a solution that allows you to protect restricted and sensitive data values at field level by masking, clearing, or disabling fields for those users who are not authorized to view or edit this data.

The product is a cross-application product which can be used to mask/protect any field in SAP GUI, SAPUI5/SAP Fiori, CRM Web Client UI, and Web Dynpro ABAP.

Requirement


Here, we want to configure SAP GUI transaction blocking for the VA01 TCode to prevent unauthorized users from starting the transaction, based on PFCG role, using the attribute-based authorization concept.

Product “UI data protection masking for SAP S/4HANA 2011” is used in this scenario to prevent unauthorized users from starting the transaction and must be installed in the S/4HANA system.

Let’s begin


Configuration to achieve SAP GUI Transaction Blocking


Before beginning with this Application Blocking Configuration, one policy of the type application blocking must be created.

Configure Value Range


Value Ranges are a set of pre-populated values which can be used to derive the context under which an action should be executed.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Maintain Metadata Configuration -> Maintain Attributes and Ranges for Policy -> List of Values Definition – Follow below mentioned steps:

PFCG Role List



  • Click on “New Entries” button

  • Enter “List of Values” as “VR_PFCG_ROLE”

  • Enter “Description” as “List of PFCG Roles”

  • Click on “Save” button



Enter following entries in “VR_PFCG_ROLE” Value Range

Follow below mentioned steps:

  • Execute Transaction Code “/UISM/V_RANGE”

  • Click on “VR_PFCG_ROLE” Value Range

  • Click on “Display <-> Change” button

  • Click on “Add New Entry” button


Add following entries under “Include Value” tab and click on “Save” button







Policy Configuration


A Policy is a combination of rules and actions which are defined in one or more blocks. The actions are executed on a sensitive entity (field to be protected) which must be assigned to a Policy. The conditions are based on contextual attributes which help derive the context.

Context Attributes are logical attributes which are used in designing the rules of a policy. They are mapped to fields which are used to derive the context under which an action is to be executed on a sensitive entity.

Sensitive Entities are logical attributes which are sensitive and need to be protected from unauthorized access.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Policy Details for Attribute based Authorizations – Follow below mentioned steps:

  • Click on “New Entries” button

  • Enter “Policy Name” as “SAPGUI_TCODE_BLOCK”

  • Select “Type” as “Application Blocking”

  • Enter “Description” as “Policy to Block SAP GUI TCodes”

  • Click on “Save” button




Write following logic into Policy




Maintain Application Blocking Configuration


Here, we will configure groups of applications for Application Blocking.

Follow the given path:

SPRO -> SAP NetWeaver -> UI Data Protection Masking for SAP S/4HANA -> Sensitive Attribute Configuration -> Masking and Blocking Configuration -> Maintain Application Blocking Configuration

Follow below mentioned steps:

  • Click on “New Entries” button

  • Enter “Application Group” as “BLOCK_SAPGUI_TCODE”

  • Check “Enable” checkbox

  • Enter “Policy Name” as “SAPGUI_TCODE_BLOCK”

  • Enter “Referenced Application” as “Block SAP GUI TCode”

  • Click on “Save” button



Now, select the entry created above and double-click on “SAP GUI Application Mapping”




  • Click on “New Entries” button

  • Select “Type” as “Transaction Code”

  • Enter “Transaction Code or Program Name” as “VA01”

  • Enter “Referenced Application” as “Block VA01 TCode”

  • Click on “Save” button




Blocking VA01 TCode


Follow below mentioned steps:

  • Execute “VA01” TCode





  • The user will be shown a message “Transaction VA01 blocked by UI data protection masking” as the user is not authorized to start the TCode.
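
The decision flow configured above, as a conceptual Python model added here (not SAP code, and not the policy syntax of UI data protection masking). It assumes that the roles in VR_PFCG_ROLE are the authorized ones; the role names, the Context fields and the optional trusted_net condition are hypothetical, the last one illustrating the environment variables mentioned in the introduction.

```python
# Conceptual model only: NOT SAP's policy language or API.
import ipaddress
from dataclasses import dataclass, field

# Value range from the walkthrough; the role names are constructed samples.
VALUE_RANGES = {"VR_PFCG_ROLE": {"Z_SALES_ORDER_CLERK", "Z_SALES_MANAGER"}}

@dataclass
class Context:
    user: str
    roles: set   # PFCG roles assigned to the user
    ip: str      # environment attribute (assumed to be visible to the policy)

@dataclass
class AppGroup:
    name: str
    policy: str
    enabled: bool = True
    tcodes: set = field(default_factory=set)

def policy_sapgui_tcode_block(ctx, trusted_net=None):
    """Return True if the start is allowed.
    Assumption: a role listed in VR_PFCG_ROLE authorizes the user."""
    if not ctx.roles & VALUE_RANGES["VR_PFCG_ROLE"]:
        return False
    if trusted_net is not None:
        # Hypothetical extra rule: the same user is blocked off-network.
        return ipaddress.ip_address(ctx.ip) in ipaddress.ip_network(trusted_net)
    return True

POLICIES = {"SAPGUI_TCODE_BLOCK": policy_sapgui_tcode_block}
GROUPS = [AppGroup("BLOCK_SAPGUI_TCODE", "SAPGUI_TCODE_BLOCK", True, {"VA01"})]

def start_transaction(tcode, ctx, trusted_net=None):
    """Apply the blocking layer only; standard authorization checks are not modelled."""
    for group in GROUPS:
        # Only enabled groups that map this transaction code are evaluated.
        if group.enabled and tcode in group.tcodes:
            if not POLICIES[group.policy](ctx, trusted_net):
                return f"Transaction {tcode} blocked by UI data protection masking"
    return "started"
```

In this model a transaction that is not mapped to an enabled application group is never blocked by this layer, so the mapping list and the “Enable” checkbox are the first things to review when a block does not take effect.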




Conclusion


In this blog post, we have learnt how to prevent SAP GUI transactions from starting when unauthorized users attempt to start a transaction using Application Blocking Configuration.
4 Comments
shais
Participant
Thanks for sharing.

  1. I understand that this was done just as an example, but this example doesn't make much sense from a business perspective: If you already have authorization profiles, you may use standard authorizations and don't need to configure Application Blocking.
    What are the real life use cases for such a configuration? (Which dynamic variables do make sense?)

  2. Are there any logs of blocked applications?

AmitKrSingh
Advisor
Hi Shai,

You are right that we can use standard authorizations to achieve this, but with Application Blocking configuration we are providing different environment variables like IP Address, User Terminal information etc., which can also be included to check the authorization. In upcoming blogs, I will explain the scenarios using these dynamic variables.

We have a "Field Access Trace" log where the user can see the logs of all the blocked applications.

Regards,

Amit Kumar Singh
Frank1
Participant
Thank you for sharing, and looking forward to your follow-on blogs. By the way, if we want to hide or mask some field values which contain sensitive personal data, can that also be achieved by ABAC? Or by different solutions?
AmitKrSingh
Advisor
Hi Frank,

The UI data protection masking solution offers both the Role based Authorization (RBAC) and the Attribute based Authorization (ABAC) concepts, using which you can protect sensitive information across SAP technologies. Depending upon the scenario, you may choose the concept. You may go through the blogs to know how to configure masking through RBAC and ABAC.

Regards,

Amit Kumar Singh