SAP BW Authorization Integration

Hashing of sensitive data

Our framework also introduces logic to apply configuration-driven data masking:

sensitive_data_rules:
# hashes all values in given columns
- table_name: USERS5
  columns: [DN_LDAP, DN_NOTES, DN_AD]
  masking_rule: hash
  category: user_information
# masks all values in given column with "X" given condition KTOKK='YEMP'
- table_name: LFA1
  columns: [SEXKZ]
  masking_rule: mask
  filter: "KTOKK='YEMP'"
  category: hr_information
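An added example (not the framework's own code) of how rules like the two above can be applied to rows: it embeds the same two rules as Python dicts so it runs without a YAML parser, salts the hash because directory names and e-mail addresses are low-entropy and an unsalted digest could be matched by hashing guesses, supports only the COLUMN='value' filter grammar shown on the page, and writes a single "X" for the mask rule. The salt value and the row data are constructed for the example.

```python
import hashlib
import re

# Constructed copy of the page's sensitive_data_rules, embedded as dicts
# so the example does not need a YAML library.
SENSITIVE_DATA_RULES = [
    {"table_name": "USERS5", "columns": ["DN_LDAP", "DN_NOTES", "DN_AD"],
     "masking_rule": "hash", "category": "user_information"},
    {"table_name": "LFA1", "columns": ["SEXKZ"], "masking_rule": "mask",
     "filter": "KTOKK='YEMP'", "category": "hr_information"},
]

# Assumption: a per-deployment secret mixed into the hash so that hashed
# identifiers cannot be recovered by hashing guessed inputs.
HASH_SALT = b"example-salt-replace-in-deployment"

# Only the COLUMN='value' predicate form used in the rules is supported.
_FILTER_RE = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$")


def parse_filter(expr):
    """Return (column, value) for a COLUMN='value' filter expression."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return m.group(1), m.group(2)


def hash_value(value):
    """Salted SHA-256 of the value; None stays None."""
    if value is None:
        return None
    return hashlib.sha256(HASH_SALT + str(value).encode("utf-8")).hexdigest()


def mask_value(value):
    """Replace the value with the literal "X" as the mask rule describes."""
    return None if value is None else "X"


def apply_rules(table_name, rows, rules=SENSITIVE_DATA_RULES):
    """Return a masked copy of `rows` (list of dicts) for `table_name`.

    Rules for other tables are ignored; a rule with a filter only touches
    rows where the filter column equals the filter value.
    """
    out = [dict(r) for r in rows]  # never mutate the caller's rows
    for rule in rules:
        if rule["table_name"] != table_name:
            continue
        transform = {"hash": hash_value, "mask": mask_value}[rule["masking_rule"]]
        cond = parse_filter(rule["filter"]) if "filter" in rule else None
        for row in out:
            if cond is not None and row.get(cond[0]) != cond[1]:
                continue
            for col in rule["columns"]:
                if col in row:
                    row[col] = transform(row[col])
    return out
```

Because the same salt is used for every value, equal inputs still hash to equal outputs, so the hashed columns remain usable as join keys across tables while no longer exposing the original identifiers.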

Application of SAP-permission on Databricks tables

Data access permission rules can be exported from SAP BW (into the example table sap_permissions in this case) and applied to the corresponding data lake tables.

  • MAIL_ADDR column defines the unique user identifier (e-mail)
  • FIELDNM column specifies the target table column name
  • DAUTHVLOW restricts

MAIL_ADDR                     FIELDNM    DAUTHVLOW
jiri.koutny@datasentics.com   COMP_CODE  X241
jan.novak@datasentics.com     TCAIPROV   %
jiri.koutny@datasentics.com   /BIC/DBG   %

Views carrying the access control logic are then created automatically:

-- row level security based on SAP permissions table
CREATE VIEW v_my_table_restricted AS
SELECT * FROM my_table
WHERE (
  `BUKRS_VF` IN (
    SELECT DAUTHVLOW
    FROM sap_permissions
    WHERE MAIL_ADDR = $CURR_USER
      AND FIELDNM = "COMP_CODE"
  )
)
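The view above matches DAUTHVLOW values exactly, so the "%" entries in the sample permissions table would never match a real column value. The following added example (not the framework's code) generates a variant of the view and ships a small reference evaluator for the same filter; it assumes that "%" means every value is granted, that COMP_CODE maps to the BUKRS_VF column (as in the view on the page) and that TCAIPROV keeps its name in the lake table, and it keeps the page's $CURR_USER placeholder for the querying user's identity. Identifiers that end up in the generated DDL are validated first, since they come from configuration rather than from code.

```python
import re

# Constructed sap_permissions rows, copied from the sample table on the page.
SAP_PERMISSIONS = [
    {"MAIL_ADDR": "jiri.koutny@datasentics.com", "FIELDNM": "COMP_CODE", "DAUTHVLOW": "X241"},
    {"MAIL_ADDR": "jan.novak@datasentics.com",   "FIELDNM": "TCAIPROV",  "DAUTHVLOW": "%"},
    {"MAIL_ADDR": "jiri.koutny@datasentics.com", "FIELDNM": "/BIC/DBG",  "DAUTHVLOW": "%"},
]

# Assumed mapping from SAP authorization field (FIELDNM) to the lake-table
# column it guards: COMP_CODE -> BUKRS_VF is taken from the page's view,
# TCAIPROV is assumed to keep its SAP name.
FIELD_TO_COLUMN = {"COMP_CODE": "BUKRS_VF", "TCAIPROV": "TCAIPROV"}

# Names are spliced into DDL, so accept only plain identifiers
# (SAP field names may contain '/', e.g. /BIC/DBG).
_IDENT_RE = re.compile(r"^[A-Za-z_/][A-Za-z0-9_/]*$")


def _check_ident(name):
    if not _IDENT_RE.match(name):
        raise ValueError(f"refusing to embed unsafe identifier: {name!r}")
    return name


def allowed_values(user, field_name, permissions=SAP_PERMISSIONS):
    """DAUTHVLOW values granted to `user` for the SAP field `field_name`."""
    return {p["DAUTHVLOW"] for p in permissions
            if p["MAIL_ADDR"] == user and p["FIELDNM"] == field_name}


def visible_rows(user, field_name, rows, permissions=SAP_PERMISSIONS):
    """Reference evaluation of the row filter the generated view applies.

    A user with no permission row for the field sees nothing (fail closed);
    a '%' grant (assumption) exposes every row.
    """
    column = FIELD_TO_COLUMN[field_name]
    allowed = allowed_values(user, field_name, permissions)
    if "%" in allowed:
        return list(rows)
    return [r for r in rows if r.get(column) in allowed]


def build_view_sql(view_name, table_name, field_name, permissions_table="sap_permissions"):
    """Generate the restricted view DDL for one protected field.

    `$CURR_USER` is the page's placeholder for the identity of the user
    running the query.
    """
    column = _check_ident(FIELD_TO_COLUMN[field_name])
    for ident in (view_name, table_name, permissions_table, field_name):
        _check_ident(ident)
    return (
        f"CREATE VIEW {view_name} AS\n"
        f"SELECT * FROM {table_name}\n"
        "WHERE EXISTS (\n"
        f"  SELECT 1 FROM {permissions_table} p\n"
        "  WHERE p.MAIL_ADDR = $CURR_USER\n"
        f"    AND p.FIELDNM = '{field_name}'\n"
        f"    AND (p.DAUTHVLOW = '%' OR p.DAUTHVLOW = `{column}`)\n"
        ")"
    )
```

Using EXISTS with the wildcard check inside the correlated subquery keeps the view fail-closed: a user with no matching permission row gets an empty result rather than an error or an unfiltered table.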