Data masking in SAP BusinessObjects

January 14, 2019 by: David Lai

One of the cool features with Information Design Tool and UNX universes is the ability to point to different table views depending on your security profile. Because of this, we can easily perform data masking, which allows us to mask restricted data.

For example, I have 2 different types of users. Group FULL who can see all revenue/cost measures, and Group PUBLIC who can see revenue measures but 0 for any cost measures.

A question one might ask is, “Why can’t we just block users from accessing the cost measures?” Well I’ll explain that in that in the next article found “TBD”

Below contains step by step instructions on how to setup data masking on an SAP BusinessObjects UNX Universe.

Note: In our example, we are using the AdventureWorks 2017 datawarehouse that you can download from https://github.com/Microsoft/sql-server-samples/releases/download/adventureworks/AdventureWorksDW2017.bak

You can also download the example universe before data masking is applied HERE

Please ensure that you set up your own ODBC connection and modify the SAP BOBJ connection settings appropriately

Step 1:

On the AdventureWorks 2017 datawarehouse database, let’s create a view on the fact table FactInternetSales that sets the measures Product Standard Cost and Total Product Cost to 0. We will call it FactInternetSales_pub_vw

CREATE VIEW FactInternetSales_pub_vw AS
SELECT [ProductKey]
,[OrderDateKey]
,[DueDateKey]
,[ShipDateKey]
,[CustomerKey]
,[PromotionKey]
,[CurrencyKey]
,[SalesTerritoryKey]
,[SalesOrderNumber]
,[SalesOrderLineNumber]
,[RevisionNumber]
,[OrderQuantity]
,[UnitPrice]
,[ExtendedAmount]
,[UnitPriceDiscountPct]
,[DiscountAmount]
,0 as [ProductStandardCost]
,0 as [TotalProductCost]
,[SalesAmount]
,[TaxAmt]
,[Freight]
,[CarrierTrackingNumber]
,[CustomerPONumber]
,[OrderDate]
,[DueDate]
,[ShipDate]
FROM [dbo].[FactInternetSales]

Step 2:

Originally we have the data foundation pointing to FactInternetSales, but as a best practice we should point it to the most restrictive view by default. Thus, by default I will see 0s for Product Standard Cost and Total Product Cost, unless I am part of group FULL.

Let’s change FactInternetSales to point to FactInternetSales_pub_vw

Now by default, users will see 0s whenever they select the measures

Step 3:

Right Click on the business layer from your project, and republish the universe so that the public view is now reflected

Step 4:


Go to the security manager so that we can add the appropriate data security profiles

Then add a data security profile by right clicking on the universe and selecting Insert Data Security Profile.
Name the security profile Full Data; select the Tables tab, and click on Insert

We will then define the replacement table settings to point to FactInternetSales (the original table with unmasked data), instead of FactInternetSales_pub_vw

Click OK twice when you are finished.

Step 5:

Finally, ensure that the group FULL is part of the Full Data security profile; then save the security profile

Notes

  • Since we don’t need to repoint the data Group PUBLIC to any other tables, we don’t need to create a new data security profile.
  • If we had multiple data security profiles, we have the ability of setting priority on what takes precedence.
  • For example if I had another group X with data security profile X that had a conflicting data setting, the data security with the higher priority would take precedence.

Comments

One Response to “Data masking in SAP BusinessObjects”

Leave a Reply


+ seven = 13