Classification
This chapter describes the specific settings that are required for classification.
Classification Settings in SAP Add-On (Pre-classification)
HaloCORE automates the often challenging task of data classification by seamlessly integrating with SAP and automatically prompting users to input classification based on the customized scheme for the business. By suggesting classification labels to the user, HaloCORE makes the classification decision easy and efficient. Labels are fully customizable and work with the firm's business environment to meet internal and regulatory marking standards.
As a context-aware solution, HaloCORE fully integrates with SAP systems. This deep integration gives HaloCORE full contextual awareness, including detailed information about the user (roles, authorization objects, etc.), the data itself (transaction, table, etc.), and the technical environment (for example, front-end). With HaloCORE fitting seamlessly into the company-specific classification and DLP framework, SAP users can identify sensitive data as it leaves SAP systems and applications and create intuitive DLP policies to prevent data loss.
What is Pre-Classification
In HaloENGINE classification, the rule engine reads metadata collected in the ABAP layer along with the file and makes all decisions (blocking, categorization, labeling, and protection). At the same time, the default classification engine can still be used. Classification information derived from ABAP classification is referred to as "pre-classification" and is sent as metadata type to HaloENGINE. Note: The ABAP classification derivation (and optionally enabling Classification UI) is required when you configure "pre-classification" in the HaloENGINE Classification Engine.

Pre-classification settings
Attribute Derivation Set Up
Attribute derivation plays a key role for policy classification, selection, and download logging.
The attributes and values determined by the system can be stored in the log, thus allowing a thorough analysis of the download activities in your system.
Step 1. Create Attributes and Values
The attributes and values you want to use depend on the way you have defined the MPIP label. If your company has a file classification standard, chances are that the MPIP label respects this standard.
You must have a clear idea about how the classification schema looks before you start classifying labels and mapping context attributes.
By default, the following attributes and values are delivered:
Sensitivity (hierarchical, in decreasing order)
Secret
Confidential
Internal
Public
Functional Domain (simple list)
General Purpose
Finance
Human Resources
Logistics
Sales
Engineering
Organization (hierarchical)
Group
Entity 1
Entity 2
To configure attributes, proceed as follows:
Call transaction /n/SECUDESD/ATTRB.
Click Display −> Change icon to modify the standard or create a new attribute.
Define Attribute: Enter the technical name of the attribute in the Attribute column and the description of the attribute in Attribute Descr.
Defining attributes
Define whether an attribute contains a flat list of values (Simple List) or values that have a hierarchical relation (Hierarchy (Tree)). The difference is important, as it influences the way matches are calculated. In the case of a Simple List, if a value is requested but not found, this is considered a non-match. When maintaining values for an attribute of type Simple List, you can maintain the field Sequence to control the order in which they appear in the search help. In the case of a hierarchy, if the requested value is not found directly but is found further up in the hierarchy, it is considered a match, but with less relevance. When maintaining values for an attribute of type Hierarchy, it is essential that you also maintain the parent relationship. Note: Save a new value before entering it as a parent for another value.
Enter sequence (Seq.) in which the records will be sorted on lists.
Select Log check box to store the derived values for this attribute in the download log.
Select any one of the values in the Cardinality column. Cardinality describes how many values can or must be present in the classification UI for a given attribute:
0..1 (max one)
0..n (any)
1..1 (exactly one)
1..n (one and more)
Embed Log Field allows linking the attribute to one of a predefined set of HaloCORE log fields.
Log ID
User Name
Time Stamp
Transaction Code
Web Dynpro Application
IP Address
Table/View Name
No UI: If set, the attributes will not appear on the Classification UI for user selection.
No Tag: The property and values will not be embedded in a file if set.
Define Values:
Click on an Attribute and then double-click Values under Dialog Structure.
Click Display −> Change icon to modify the standard or create a new attribute.
Enter the technical key of the attribute value in Attribute Value (For example, ENG).
Enter the (language-dependent) description of the value in Value Description (For example, Engineering).
Enter Seq. (Sequence) in which the records will be sorted on lists.
You must define at least one value as Def. (Default).
Click Save to save the settings.
Simple list types
Hierarchy type
Step 2. Define Attribute Mapping
In the menu tree, under the node "Attribute Mapping", you can find a wide variety of possibilities to mine attributes and values from the transactional context. The following table describes how attribute mappings take place:

Attribute Mapping menu
Transaction Codes
While this may be useful only in very specific situations (e.g., to identify a small set of transactions that perform highly critical functions), you can map individual transaction codes.
Call transaction /SECUDESD/MAP_TCD - Mapping of Transaction Codes
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Transaction Codes
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Transaction Codes
Click Save to save the entries.
Note: The value for Transaction Code supports wildcards.
Users
While this may be useful only in very specific situations (e.g., to identify certain users with very particular functions, for which no specific user group is defined), you can map individual user IDs.
Call transaction /SECUDESD/MAP_USR - Mapping of Users
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
User
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Users
Click Save to save the entries.
User Groups
Depending on how user groups are structured in your environment, this can be an excellent source for deriving functional or organizational assignments of the user performing the download. (Note that, for the system to be able to access the user group assignment, the user performing the download must have authorization S_USER_GRP with activity 03 for his own user group.)
Call transaction /SECUDESD/MAP_USG - Mapping of User Groups
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
User group
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of User Groups
Click Save to save the entries.
Note: Supports wildcards
Authorization Fields
You can choose to map individual authorization fields – either of assigned authorization objects or the organization fields of the roles. This can be used to derive the organizational assignment (company code, plant, personnel area, sales area…) of a user, or for any other information that may be retrieved from his/her authorizations – the affiliation with a particular engineering project could, for instance, be derived from the authorization group of object C_STUE_BER.
When reading the user’s authorization roles for this mapping, the system considers only the roles to which the current transaction is assigned. To be able to access the role assignments, the user performing the download must have authorization S_USER_GRP with activity 03 for his own user group.
Call transaction /SECUDESD/MAP_AFL - Mapping of Authorization Fields
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Object (if an object is not specified, comparison occurs against the organization)
Field name
Value
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Authorization Fields
Click Save to save the entries.
Authorization Roles
When mapping authorization roles, all roles assigned to the user are considered. For a somewhat simpler set-up, this allows deriving organizational or functional assignments of the user directly from the assigned roles. Limitations of this approach are evident when a user has many roles from different areas.
Call transaction /SECUDESD/MAP_ARL - Mapping of Authorization Roles
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Role
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Authorization Roles
Click Save to save the entries.
Technical Environment (Packages, Application Components)
The technical attributes of the program (or function, or method) are analyzed by looking at the ABAP call stack. Mappings are then read for the technical attributes. (See a sample list of the hierarchy of application components in "Attribute Derivation")
Call transaction /SECUDESD/MAP_PCK - Mapping of Packages
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Package
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Click Save to save the entries.
Note: Supports wildcards.
Call transaction /SECUDESD/MAP_CMP - Application Components and follow the same steps.
Technical Environment (Packages, Application Components)
Example
The call stack of transaction S_ALR_87012284 ("Financial Statements") contains the function group BSPL, which is assigned to package FBS. The mapping tables are then queried in the following sequence until a hit is found:
Package FBS (wildcards are supported)
Application Component FI-GL-GL (assigned to package FBS)
Application Component FI-GL (parent of FI-GL-GL)
Application Component FI (parent of FI-GL)
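The lookup sequence above, modeled as an added example (not HaloCORE code). Assumptions: `*` matches any string and `+` exactly one character, as is usual for SAP patterns; application components are matched exactly; all table contents and mapping tuples are constructed.

```python
import re

# Constructed data modeled on the page's S_ALR_87012284 example: package FBS
# is assigned to component FI-GL-GL, whose parents are FI-GL and FI.
PACKAGE_COMPONENT = {"FBS": "FI-GL-GL"}
COMPONENT_PARENT = {"FI-GL-GL": "FI-GL", "FI-GL": "FI"}


def sap_pattern(pattern):
    """Compile a mapping key: '*' is any string, '+' is exactly one character.

    Every other character is escaped so it only matches itself.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def lookup_sequence(package):
    """Keys in the order described: package, its component, then each parent."""
    keys = [("package", package)]
    component = PACKAGE_COMPONENT.get(package)
    seen = set()  # guards against a cyclic parent table
    while component and component not in seen:
        seen.add(component)
        keys.append(("component", component))
        component = COMPONENT_PARENT.get(component)
    return keys


def derive(package, package_map, component_map):
    """Return ((kind, key), mappings) for the first level with a hit, else None.

    package_map: list of (pattern, mapping) pairs, patterns may use wildcards.
    component_map: dict of component -> list of mappings (exact match).
    All hits on the winning level are returned; choosing between them is the
    job of the reliability rule, not of this lookup.
    """
    for kind, key in lookup_sequence(package):
        if kind == "package":
            hits = [m for pat, m in package_map
                    if sap_pattern(pat).fullmatch(key)]
        else:
            hits = component_map.get(key, [])
        if hits:
            return (kind, key), hits
    return None


if __name__ == "__main__":
    finance = ("Domain", "Finance", "Probable")  # constructed mapping
    print(lookup_sequence("FBS"))
    print(derive("FBS", [("FB*", finance)], {}))   # hit on the package level
    print(derive("FBS", [], {"FI": [finance]}))    # falls through to FI
```

A hit found only at a parent component such as FI covers every package below it, so broad wildcard or top-level component mappings deserve the closest review.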
Web Dynpro Applications
Call transaction /SECUDESD/MAP_WDA - Mapping of Web Dynpro Applications
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Web Dynpro Appl.
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Web Dynpro Applications
Click Save to save your settings.
Database Tables
Derivation from database tables and views (for SM30, SE16, SQVI, queries, etc.). Requires enhancement of function VIEW_AUTHORITY_CHECK (see "Attribute Derivation"). If the table is not mapped (the mapping table supports wildcards), the table's package assignment is read, and attribute derivation is attempted for that package and the related application component as described under "Technical Environment".
Call transaction /SECUDESD/MAP_TBL - Mapping of Tables
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Table Name
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Tables
Click Save to save your settings.
Classification Values and Classes
To derive from classification characteristics, use transaction /SECUDESD/MAP_CLV. Classification Values require the implementation of BAdI (see "Attribute Derivation"). Supports all value types: character, numeric, and value.
Call transaction /SECUDESD/MAP_CLV - Mapping of Classification Values
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Characteristic
Characteristic Value
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Click Save to save your settings.
Mapping of Classification Values and Classes
To derive from assigned classes, follow the below steps:
Call transaction /SECUDESD/MAP_CLA - Mapping of Classes
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Int class no.
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Click Save to save your settings.
Report Selections
This is an excellent source of information for classification derivation. Only works with the selection screen of classic ABAP reports. This allows:
logging what data was selected for display.
more precise classification of the resulting downloads.
To derive from report selections, follow the below steps:
Call transaction /SECUDESD/MAP_RSEL - Mapping of Report Selections
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the selection field you wish to map (either the technical name of the field on the selection screen, or its data element name), and the corresponding classification attribute and value, as well as the reliability of the mapping. (If you wish the mapping to apply only to a specific report or program, also enter the name of the program; otherwise, leave it blank.)
Mapping of Report Selections
Click Save to save your settings.
Read Reports
Call transaction /SECUDESD/MAP_RPT - Mapping of Reports
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Program Name
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
Mapping of Reports
Click Save to save your settings.
Note: Supports wildcards * and +.
SET/GET parameters (/SECUDESD/MAP_SGP)
Derivation from SET/GET parameters (last used value for organizational and master data keys)
Call transaction /SECUDESD/MAP_SGP - SET/GET parameters
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Transaction Code
Parameter ID
Parameter value
Counter
Attribute
Attribute Value
Reliability (Authoritative / Probable / Indicative). For details, refer to the section "Defining Reliability."
SET/GET parameters
Click Save to save your settings.
Note: Supports wildcards * and + for transaction code and parameter value.
SET/GET parameters should be used with caution, as they can be misleading (values may be updated by other transactions the same user may be executing in parallel).
SET/GET parameters (/SECUDESD/MDT_SGP)
This menu is under General Settings > HaloENGINE > Metadata. It is similar to /SECUDESD/MAP_SGP right above but without the classification mapping. Note: SET/GET parameters should be used with caution, as they can be misleading (values may be updated by other transactions the same user may be executing in parallel).
Call transaction /SECUDESD/MDT_SGP – Metadata Derivation: SET/GET parameters
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Transaction Code
Parameter ID
SET/GET parameters
Click Save to save your settings.
Financial Statements
You can apply a classification mapping for exports made from the trial balances report (transaction code S_ALR_87012284) based on the inputs given (year and period). For example, the exports from the trial balances report can be blocked for a specific period. This configuration will be useful if an organization does not want its users to export financial data before the company results are publicly announced.
Selection Fields
This has the configuration to select the attribute and attribute value for the specific program. Program name, field name for year, and field name for the period must be maintained as shown below.
Call transaction /SECUDESD/MAP_SELFLD - Mapping of Selection Fields.
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Program Name
Year Field
Period Field
Attribute
Attribute Value
Reliability
Mapping of Selection Fields
Click Save to save your settings.
Selection Field values
This acts as a control center to “lock” / “unlock” the data export that is requested for a specific year and period. The checkbox “Apply mapping” will apply the mapping which was made under “Mapping of Selection Fields”. Sample configuration (to allow exports for periods 1 to 3, and to block exports for all the remaining periods) is shown below.
Call transaction /SECUDESD/MAP_SELVAL - Mapping of Selection Field Values.
Click Display −> Change icon to edit the fields.
Click New Entries.
Enter the following details:
Year
Period
Apply mapping
Mapping of Selection Field values
Click Save to save your settings.
If such configuration is maintained, download of data export will be blocked if the reporting year is 2021 and if the reporting periods have any of the values from 1 to 3 selected in the selection screen.
Step 3. Configure Data Sources
For several data sources, access routines are delivered and are ready for you to use. The Attribute Derivation table defines which ones are called and in which sequence.
Call transaction /SECUDESD/DRVCTRL – Attribute Derivation Sequence.
Click Display −> Change icon to edit the fields.
Attribute Derivation table
Select Step Type from the list (Search Parameters / Attributes).
You need to select Active to activate the steps. (For optimal system performance, you may deactivate steps for which no mappings are maintained.)
Click Save to save your settings.
Two types of steps are defined:
Search parameters: these are steps that retrieve data that are used by one or more subsequent steps.
Attributes: these derive attributes to be logged. You can add your own data retrieval functions by adding steps to this list. Your classes must implement the interfaces /SECUDESD/IF_ATTRFND_PAR (for reading search parameters) and /SECUDESD/IF_ATTRFND_ATTR (for deriving attributes).
Step 4. Enable Classification UI
Call transaction /SECUDESD/PARAMS_HC - HaloCORE Client Parameters.
HaloCORE client parameter - Client details
Click Display −> Change icon to edit the options.
Optional: Select the Classification UI check box if you have enabled pre-classification in the HaloENGINE.
Click Save to save your settings.
XXL Display
The Excel List Viewer or XXL is an alternative user interface for tabular data displayed in an ALV grid. When invoking XXL, the data is not saved to the user's front-end but displayed by the locally installed Microsoft Excel. In Excel, the data can then be manipulated and ultimately saved locally.
To gain additional control over the use of XXL, HaloCORE offers the possibility to:
log its usage.
log and selectively block its usage, by performing an authorization check.
completely block its usage.
As the saving is performed locally on the user's front-end, without involving the application server, HaloCORE cannot label and protect such files. The standard functionality of Microsoft Rights Management is however available in Excel if installed.
Prerequisite: Apply the code enhancement described in the section "Excel List Viewer".
You can choose from the following options for XXL Display:
No Action—no action on the file
Only Logging—logging takes place as per the rules set in HaloENGINE.
Logging & Auth.Check—as above; additionally, performs a specific authorization check on authorization object J_9BSD_XXL. If this check fails, there will be no XXL display and log. Please be aware that this is not the standard DLP check. Please refer to the section "Authorizations for Excel List Viewer (XXL)".
XXL Blocked—XXL display is completely disabled for all users on this client and no log entry will be written. If you attempt to view it, you will receive a message as "XXL display is not allowed on this system".
Replace XXL display with a file—XXL display will be suppressed, and an Excel file (XLSX) will be downloaded to the local system.
Note: Log entries originating from XXL have a separate event type, called "Spreadsheet display", and are identified by an Excel-like icon in the HaloCORE log. As no filename is available, the logged file name is generated from the transaction code and the table name(s) if available.
Defining Reliability
By default, the following attributes and values are delivered - Sensitivity, Domain, and Organization. Attributes and value lists can either be flat (simple list) or hierarchical relations.
Domain is flat (simple list) where all alternative values are of equal importance and significance. That is, General Purpose = Finance = Human Resources = Logistics = Sales = Engineering.
Sensitivity is hierarchical (in decreasing order) where “Secret” is more limiting than “Confidential” and “Internal Use” is more limiting than “Public”.
Organization is a typical example of a hierarchical value list. It is the sum of all Group entities (Entity 1, Entity 2, Entity 3).
Reliability defines, for a given mapping, how reliable this derivation is. During a download, to derive classification, HaloCORE retrieves information from a variety of sources (program and table information, user-related, etc.). For example, if the transaction code is PAR2, then it's certainly HR personnel data; if the selection screen has company code 1000, then it's certainly data related to the organization "North America"; etc.
Reliability | Description | Priority |
---|---|---|
Authoritative | This has the highest ranking. For example, the transaction code FBL3N is related to the Finance department only. So, FBL3N should be mapped to the Finance department with "Authoritative" reliability. | 3 |
Probable | This has a lesser ranking than "Authoritative". | 2 |
Indicative | This has the lowest ranking of all the above. | 1 |
Reliability
Some of the information gained tells about certain classification properties but some may be indicative (e.g., if the user has role Z_FI_SOUTH_AMERICA, then there are chances that the data may be related to the organization "South America"). If at the end of the derivation process, different sources have indicated different values for the same property, the one with the highest reliability is taken: "authoritative" wins over "probable", "probable" wins over "indicative", etc.
Example #1
The payroll transaction code “PC_PAYRESULT” has two different entries with two different classification attribute mappings, i.e., "Confidential" with "Authoritative" and "Internal" with "Probable".
Result: The highest-ranking value is chosen, i.e., in this case, "Confidential".

Example 1
Example #2
Assume that the attribute “Sensitivity” has the values “Secret”, “Confidential”, “Internal Use”, and “Public”.
Assume that “Public” is marked as default.
Assume that the application component PA (Personnel Management) is mapped to the value “Confidential” with a reliability “probable”.
Assume that the transaction PAR2 (Employee List in the Personnel Management module) is mapped to value “Secret” with reliability “authoritative”.
Result:
Downloads will generally be classified as “Public”.
Data originating from programs, transactions, tables, etc. belonging to the Personnel Management module, will be classified as “Confidential” (because reliability “Probable” wins over “Default”).
However, data originating from the specific transaction PAR2 downloads will be classified as “Secret” (because reliability “Authoritative” wins over “Probable”).
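The reliability rule from Examples #1 and #2, as an added model (not HaloCORE code) with a review check for mappings where the winning label is less restrictive than one a lower-reliability source indicated. Assumptions: the tie-break on equal reliability, the `audit` findings and the `RISKY` sample are constructed here and are not defined by the product documentation.

```python
# Model of the reliability rule on this page (added example, not HaloCORE code).
# Priorities 3/2/1 are the page's table; "Default" ranks below all of them
# because the page states that "Probable" wins over "Default".
PRIORITY = {"Authoritative": 3, "Probable": 2, "Indicative": 1, "Default": 0}

# Delivered Sensitivity values, most restrictive first (from the page).
SENSITIVITY = ["Secret", "Confidential", "Internal", "Public"]


def resolve(candidates, default):
    """Pick the value with the highest reliability.

    candidates: list of (source, value, reliability) tuples.
    Returns the winning (source, value, reliability) tuple.
    Assumption: on equal reliability the first candidate is kept; the page
    does not define a tie-break, so audit() reports ties separately.
    """
    best = ("default", default, "Default")
    for cand in candidates:
        if PRIORITY[cand[2]] > PRIORITY[best[2]]:
            best = cand
    return best


def audit(candidates, default):
    """Return findings worth a second look when reviewing mapping tables.

    "tie": another source has the same reliability but a different value.
    "downgrade": a less reliable source indicated a more restrictive
    sensitivity than the value that won.
    """
    _, value, reliability = resolve(candidates, default)
    findings = []
    for source, cand_value, cand_rel in candidates:
        if cand_value == value:
            continue
        if PRIORITY[cand_rel] == PRIORITY[reliability]:
            findings.append(("tie", source, cand_value))
        elif SENSITIVITY.index(cand_value) < SENSITIVITY.index(value):
            findings.append(("downgrade", source, cand_value))
    return findings


# Example #2 from the page: default "Public", component PA, transaction PAR2.
PA = ("component PA", "Confidential", "Probable")
PAR2 = ("transaction PAR2", "Secret", "Authoritative")

# Constructed case: an authoritative low label beats a probable high one.
RISKY = [("role Z_SAMPLE (hypothetical)", "Internal", "Authoritative"),
         ("table ZSAMPLE (hypothetical)", "Secret", "Probable")]

if __name__ == "__main__":
    print(resolve([], "Public"))
    print(resolve([PA], "Public"))
    print(resolve([PA, PAR2], "Public"))
    print(resolve(RISKY, "Public"), audit(RISKY, "Public"))
```

Because reliability, not sensitivity, decides the outcome, a single mapping wrongly marked "Authoritative" can lower the label of data that another source would have rated higher; the `downgrade` finding surfaces exactly those combinations.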
Illustration
The following steps illustrate the classification derivation.
Step 1: User extracts data
Mapping of Transaction Codes | Attributes | Value | Reliability | Priority |
---|---|---|---|---|
S_ALR_87012086 | Domain | Finance (FIN) | Probable | 2 |
S_ALR_87012086 | Sensitivity | Confidential (CONF) | Authoritative | 3 |
Example
Step 2: HaloCORE intercepts the download and displays the classification UI. The user can either confirm system-derived classification or modify the classification and then click Confirm. (Displaying UI is optional, please refer to the section "Step 4. Enable Classification UI")

Classification schema
Step 3: Classification derivation takes place by counting the user-selected values.
Collecting the metadata.
Steps are executed by reading the sequence from /SECUDESD/DRVCTRL and the collected metadata is mapped to classification values with the help of mapping tables.
When there are conflicting values from various sources, the hierarchy level determines the value.
A general default value may not be very reliable, whereas the database table from which the data originates has a much higher degree of certainty as to the functional domain or sensitivity level of the data. As a result, a value with a higher degree of reliability will override a value with a lesser degree.
The downloaded data is classified as "Confidential" (considering the highest ranking). Please refer to the below SAP Download Display log.

Display logs