SAP BW Authorization Integration
Hashing of sensitive data
Our framework also introduces logic to apply configuration-driven data masking:
sensitive_data_rules:
  # hashes all values in given columns
  - table_name: USERS5
    columns: [DN_LDAP, DN_NOTES, DN_AD]
    masking_rule: hash
    category: user_information
  # masks all values in given column with "X" given condition KTOKK='YEMP'
  - table_name: LFA1
    columns: [SEXKZ]
    masking_rule: mask
    filter: "KTOKK='YEMP'"
    category: hr_information
Application of SAP-permission on Databricks tables
Data access permission rules can be exported from SAP BW (example table sap_permissions in this case) to be applied to similar datalake tables.
MAIL_ADDR column defines the unique user identifier (e-mail)
FIELDNM column specifies the target table column name
DAUTHVLOW restricts
MAIL_ADDR | FIELDNM | DAUTHVLOW |
jiri.koutny@datasentics.com | COMP_CODE | X241 |
jan.novak@datasentics.com | TCAIPROV | % |
jiri.koutny@datasentics.com | /BIC/DBG | % |
Then VIEWs with access control logic are automatically created:
-- row level security based on SAP permissions table
-- $CURR_USER: placeholder for the e-mail of the user running the query
CREATE VIEW v_my_table_restricted AS
SELECT * FROM my_table
WHERE (
  `BUKRS_VF` IN (
    SELECT DAUTHVLOW
    FROM sap_permissions
    WHERE MAIL_ADDR = $CURR_USER
      AND FIELDNM = 'COMP_CODE'
  )
)
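An added example (not the framework's own code) of generating such a view so that table, column and field names cannot inject SQL into the DDL, and so that a user without a matching permission row sees nothing. Assumptions: the helper names `ident`, `restricted_view_sql` and `visible_rows` are hypothetical, Databricks' `current_user()` stands in for the `$CURR_USER` placeholder, `%` in DAUTHVLOW is treated as "all values" (the page does not state this), and the SQLite data is constructed sample data.

```python
import re
import sqlite3

_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def ident(name):
    """Backtick-quote a table/column name; reject anything but a plain identifier."""
    if not _IDENT.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f"`{name}`"

def restricted_view_sql(table, column, fieldnm, perms="sap_permissions"):
    """Build CREATE VIEW limiting `table` to rows the caller is granted for `fieldnm`."""
    # DDL cannot be parameterized, so FIELDNM is validated before being inlined.
    if not re.fullmatch(r"[A-Za-z0-9_/]+", fieldnm):  # allows SAP names like /BIC/DBG
        raise ValueError(f"unsafe FIELDNM: {fieldnm!r}")
    grants = (f"SELECT DAUTHVLOW FROM {ident(perms)} "
              f"WHERE MAIL_ADDR = current_user() AND FIELDNM = '{fieldnm}'")
    return (f"CREATE VIEW {ident('v_' + table + '_restricted')} AS "
            f"SELECT * FROM {ident(table)} WHERE "
            f"{ident(column)} IN ({grants}) "
            f"OR '%' IN ({grants})")  # assumption: '%' grants every value

def visible_rows(user):
    """Run the generated view in SQLite as `user` over constructed sample data."""
    db = sqlite3.connect(":memory:")
    # Stand-in for Databricks current_user(), which returns the caller's e-mail.
    db.create_function("current_user", 0, lambda: user)
    db.executescript("""
        PRAGMA trusted_schema=ON;  -- let the view call the stand-in function
        CREATE TABLE sap_permissions (MAIL_ADDR TEXT, FIELDNM TEXT, DAUTHVLOW TEXT);
        INSERT INTO sap_permissions VALUES
          ('analyst@example.com', 'COMP_CODE', 'X241'),
          ('controller@example.com', 'COMP_CODE', '%');
        CREATE TABLE my_table (BUKRS_VF TEXT, AMOUNT INTEGER);
        INSERT INTO my_table VALUES ('X241', 10), ('X999', 20);
    """)
    db.execute(restricted_view_sql("my_table", "BUKRS_VF", "COMP_CODE"))
    query = "SELECT BUKRS_VF, AMOUNT FROM v_my_table_restricted ORDER BY AMOUNT"
    return db.execute(query).fetchall()
```

The view only protects data if users are denied direct SELECT on the underlying table and on sap_permissions itself.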