Data Access Control

Objective

After completing this lesson, you will be able to get an insight into data access control to apply row-level security to your objects. Define the authorization and access control elements. Connect the Data Access Control to the Sales Fact view to restrict the data records displayed.

Contents

  • Create a Permission Entity
  • Create a Data Access Control Entity
  • Join Data Access Control with Fact View
  • [Optional] Upload JSON Template File
  • Preview a Limited Number of Records


Data access controls allow you to apply row-level security to your objects. Once a data access control is applied to an object any user viewing its data, either directly or via an object using it as a source will see only those records they are authorized to view, based on the specified criteria.

There are different options for specifying criteria to determine which user is allowed to access specific data. You can define the following types of criteria:

Single Values - Each user can only see the records that match any of the single values they are authorized for in the permissions entity.

Operator and Values - Each user can only see the records that fulfill the operator-value pairs they are authorized for in the permissions entity, including support for complex AND and OR combinations.

Hierarchy - Each user can only see the records that match the hierarchy values they are authorized for in the permissions entity, along with any of their descendants.

In this lesson, you will create an authorization table with your user ID as a table data record. Based on this permission entity, you will define a Data Access Control with ‘Single Values’ as the criteria type for a column. You link the data access control entity to a fact view and preview the limited number of records with your user ID.

Review the Help Portal for more information at Securing Data with Data Access Controls.

Create a Permission Entity

A permission entity (view or table) lists SAP Datasphere user IDs (in the form required by your identity provider) and assigns them to one or more criteria. If users have no entries in the permissions entity, then they will not have access to any records in the protected view.

In this example, you will define one criteria for your own user so that you only see transactions of a specific sales region.

  1. Select Data Builder in the side navigation area, choose your space if necessary.

  2. Select the New Table tile in the Data Builder.

You are being presented with the details to create a new table.

  1. Enter the following details:

    • Business Name: Permission Entity Sales Organization
    • Technical Name: PE_SalesOrg
    • Semantic Usage: Relational Dataset

  1. In the Columns section, select the “+” sign to create the first column.

    You need to enter a Business Name, a Technical Name, and specify the Data Type.

  2. For the first column, enter the following details:

    • Business Name: Record ID
    • Technical Name: Record_ID
    • Data Type: Integer

    You can change the data type by selecting the item in the Data Type column.

  3. Select the key column checkbox for the Record ID column.

  1. After you enter the details for the first column, insert two additional columns. All columns of the table are listed as follows:

    Key: Business Name Technical Name Data Type
    X Record ID Record_ID Integer
    User ID User_ID String(50)
    Sales Organization Sales_Organisation String(30)

  2. Verify your specifications.

In the next steps save and deploy your table.

  1. Select Deploy in the header menu.

  2. Confirm the business name Permission Entity Sales Organization in the popup and save it.

  3. Wait until a popup window appears with a notification about the successful deployment. The status of the tables changes to ‘Deployed’.

  1. After the table is deployed, open the Data Editor to add records.

  2. Select Add and insert the following record into the table.

    You can verify your email address by going to ‘Profile’ in the upper-right corner. Select ‘Settings’ and then ‘User Account’.

    Record ID User ID Sales Organization
    1 @sapexperienceacademy.com EMEA

  3. Select Save in the table editor menu to save the added entry.

  4. Close the table editor and return to the Data Builder entry page.



Create a Data Access Control Entity

We want to protect the data of our sales transactions based on the sales organization. Reporting users should only see sales for the sales organization that they have permissions to. Permissions will be defined for the sales organizations AMERICA, APJ, and EMEA.

  1. Select the New Data Access Control tile in the Data Builder.

  1. Enter the following details in the General section and select the permission entity which you created in a previous step:

    • Business Name: DAC Sales Organization
    • Technical Name: DAC_Sales_Organization
    • Owner:
    • Structure: Single Values
    • Permission Entity: PE_SalesOrg
    • Identifier Column: User ID (User_ID)

  2. Create and enter the following details in the Criteria section:

    • Business Name: Sales Organization
    • Technical Name: Sales_Organization

  3. Verify your specifications.

  1. Deploy your new Data Access Control entity.

  2. Confirm the business name DAC Sales Organization in the popup and save it.

  3. Wait until a popup window appears with a notification about the successful deployment.

  4. Close the Data Access Control entity and return to the Data Builder entry page.



Join Data Access Control with Fact View

  1. In the Data Builder, open your previously created Sales Fact view.

    Alternatively, if you did not complete the Create a Sales Fact Data Model lesson, you can instead use a predefined Sales Fact template. This JSON file must be imported and deployed to your user space , as described in the optional next steps (a-k ).


[Optional] Upload JSON Template File

a) Download the 4OV_Sales_Fact_View.JSON file and save it locally.

b) Select the Import icon in the Data Builder toolbar and choose Import Objects from CSN/JSON File.

c) Select the 4OV_Sales_Fact_View.JSON file, which you have downloaded before.

d) Select the 4OV_Sales Fact View checkbox in the Select Objects to Import popup and press the Import CSN File button.

e) Press the No button in the Confirm pop-up window, to prevent existing objects from being overwritten.

f) A message notification informs you on the progress and successful import.

g) The imported 4OV_Sales Fact View entity is listed with status ‘Not Deployed’ in the object overview.

h) Select the 4OV_Sales Fact View checkbox in the object list and press the Deploy icon in the Data Builder toolbar.

i) A message appears about the progress and successful deployment.

k) Open your 4OV_Sales Fact View in the Data Builder.


Join Data Access Control with Fact View - Continuation

The Graphical View Editor appears with your previously created Sales Fact view or imported 4OV_Sales Fact View.

  1. [Optional] Select the Hide source tree icon to enlarge the nodes on the canvas. If necessary, select Details to hide the properties side panel on the right and to further expand the canvas.

  1. Select the output node Sales Fact in the canvas, and choose the Data Viewer operator in the popup menu.

  2. In the data preview, scroll to the right to see the SALESORG values. The first records show America as sales organization. Other records belong to the APJ or EMEA sales organizations.

Link the Data Access Control entity to the Fact.

  1. Select the output node Sales Fact in the canvas to display the view properties in the in the side panel. If the side panel is hidden, select Details on the top right.

  2. In the properties side panel, scroll down to the Data Access Control section.

  3. Select the Add ‘+’ button. The Select Data Access Control window opens.

  4. In the window dialog, select DAC_Sales_Organization (Technical Name) and press the Select button.

Review the Mappings section (an automatic mapping is done for matching column names).

  1. Map the SALESORG column of Sales Fact with the Sales Organization of DAC Sales Organization. Drag SALESORG and drop it onto Sales Organization to join both entities.

Return to the Data Access Control section.

  1. Select Sales Fact link to return to the main panel overview.

Save your extended fact view as Sales Fact incl DAC.

  1. Select the Save icon in the toolbar and choose Save As.

  2. Enter the new name Sales Fact incl DAC in the dialog popup and save it.

  3. Deploy your extended fact view.

  4. Wait until a popup window appears with a notification about the successful deployment.



Preview a Limited Number of Records

  1. [Optional] Select Details to hide the properties side panel and enlarge the nodes on the canvas.

  2. Select the output node Sales Fact incl DAC in the canvas, and choose the Data Viewer operator in the popup menu.

  3. In the data preview, scroll to the right to the SALESORG column. The first records show EMEA as sales organization.

Filter on records which contain values equal to AMER. This search should not display any value.

  1. Select the SALESORG column and choose the Filter option.

  2. Enter AMER as the value in the Include section and select OK.

  3. The search should not display any values.

Note

: You only see a limited number of records due to the assigned data access control. You can modify the data record in the permission table

  1. Finally, close the view editor and return to the Data Builder entry page.



Congratulations!

You have now successfully protected the transactional records of the fact view with a Data Access Control based on Permission Entity table with Sales Organization as single value criteria.




Contents

  • Create a Permission Entity
  • Create a Data Access Control Entity
  • Join Data Access Control with Fact View
  • [Optional] Upload JSON Template File
  • Preview a Limited Number of Records


Data access controls allow you to apply row-level security to your objects. Once a data access control is applied to an object any user viewing its data, either directly or via an object using it as a source will see only those records they are authorized to view, based on the specified criteria.

There are different options for specifying criteria to determine which user is allowed to access specific data. You can define the following types of criteria:

Single Values - Each user can only see the records that match any of the single values they are authorized for in the permissions entity.

Operator and Values - Each user can only see the records that fulfill the operator-value pairs they are authorized for in the permissions entity, including support for complex AND and OR combinations.

Hierarchy - Each user can only see the records that match the hierarchy values they are authorized for in the permissions entity, along with any of their descendants.

In this lesson, you will create an authorization table with your user ID as a table data record. Based on this permission entity, you will define a Data Access Control with ‘Single Values’ as the criteria type for a column. You link the data access control entity to a fact view and preview the limited number of records with your user ID.

Review the Help Portal for more information at Securing Data with Data Access Controls.

Create a Permission Entity

A permission entity (view or table) lists SAP Datasphere user IDs (in the form required by your identity provider) and assigns them to one or more criteria. If users have no entries in the permissions entity, then they will not have access to any records in the protected view.

In this example, you will define one criteria for your own user so that you only see transactions of a specific sales region.

  1. Select Data Builder in the side navigation area, choose your space if necessary.

  2. Select the New Table tile in the Data Builder.

You are being presented with the details to create a new table.

  1. Enter the following details:

    • Business Name: Permission Entity Sales Organization
    • Technical Name: PE_SalesOrg
    • Semantic Usage: Relational Dataset

  1. In the Columns section, select the “+” sign to create the first column.

    You need to enter a Business Name, a Technical Name, and specify the Data Type.

  2. For the first column, enter the following details:

    • Business Name: Record ID
    • Technical Name: Record_ID
    • Data Type: Integer

    You can change the data type by selecting the item in the Data Type column.

  3. Select the key column checkbox for the Record ID column.

  1. After you enter the details for the first column, insert two additional columns. All columns of the table are listed as follows:

    Key: Business Name Technical Name Data Type
    X Record ID Record_ID Integer
    User ID User_ID String(50)
    Sales Organization Sales_Organisation String(30)

  2. Verify your specifications.

In the next steps save and deploy your table.

  1. Select Deploy in the header menu.

  2. Confirm the business name Permission Entity Sales Organization in the popup and save it.

  3. Wait until a popup window appears with a notification about the successful deployment. The status of the tables changes to ‘Deployed’.

  1. After the table is deployed, open the Data Editor to add records.

  2. Select Add and insert the following record into the table.

    You can verify your email address by going to ‘Profile’ in the upper-right corner. Select ‘Settings’ and then ‘User Account’.

    Record ID User ID Sales Organization
    1 @sapexperienceacademy.com EMEA

  3. Select Save in the table editor menu to save the added entry.

  4. Close the table editor and return to the Data Builder entry page.



Create a Data Access Control Entity

We want to protect the data of our sales transactions based on the sales organization. Reporting users should only see sales for the sales organization that they have permissions to. Permissions will be defined for the sales organizations AMERICA, APJ, and EMEA.

  1. Select the New Data Access Control tile in the Data Builder.

  1. Enter the following details in the General section and select the permission entity which you created in a previous step:

    • Business Name: DAC Sales Organization
    • Technical Name: DAC_Sales_Organization
    • Owner:
    • Structure: Single Values
    • Permission Entity: PE_SalesOrg
    • Identifier Column: User ID (User_ID)

  2. Create and enter the following details in the Criteria section:

    • Business Name: Sales Organization
    • Technical Name: Sales_Organization

  3. Verify your specifications.

  1. Deploy your new Data Access Control entity.

  2. Confirm the business name DAC Sales Organization in the popup and save it.

  3. Wait until a popup window appears with a notification about the successful deployment.

  4. Close the Data Access Control entity and return to the Data Builder entry page.



Join Data Access Control with Fact View

  1. In the Data Builder, open your previously created Sales Fact view.

    Alternatively, if you did not complete the Create a Sales Fact Data Model lesson, you can instead use a predefined Sales Fact template. This JSON file must be imported and deployed to your user space , as described in the optional next steps (a-k ).


[Optional] Upload JSON Template File

a) Download the 4OV_Sales_Fact_View.JSON file and save it locally.

b) Select the Import icon in the Data Builder toolbar and choose Import Objects from CSN/JSON File.

c) Select the 4OV_Sales_Fact_View.JSON file, which you have downloaded before.

d) Select the 4OV_Sales Fact View checkbox in the Select Objects to Import popup and press the Import CSN File button.

e) Press the No button in the Confirm pop-up window, to prevent existing objects from being overwritten.

f) A message notification informs you on the progress and successful import.

g) The imported 4OV_Sales Fact View entity is listed with status ‘Not Deployed’ in the object overview.

h) Select the 4OV_Sales Fact View checkbox in the object list and press the Deploy icon in the Data Builder toolbar.

i) A message appears about the progress and successful deployment.

k) Open your 4OV_Sales Fact View in the Data Builder.


Join Data Access Control with Fact View - Continuation

The Graphical View Editor appears with your previously created Sales Fact view or imported 4OV_Sales Fact View.

  1. [Optional] Select the Hide source tree icon to enlarge the nodes on the canvas. If necessary, select Details to hide the properties side panel on the right and to further expand the canvas.

  1. Select the output node Sales Fact in the canvas, and choose the Data Viewer operator in the popup menu.

  2. In the data preview, scroll to the right to see the SALESORG values. The first records show America as sales organization. Other records belong to the APJ or EMEA sales organizations.

Link the Data Access Control entity to the Fact.

  1. Select the output node Sales Fact in the canvas to display the view properties in the in the side panel. If the side panel is hidden, select Details on the top right.

  2. In the properties side panel, scroll down to the Data Access Control section.

  3. Select the Add ‘+’ button. The Select Data Access Control window opens.

  4. In the window dialog, select DAC_Sales_Organization (Technical Name) and press the Select button.

Review the Mappings section (an automatic mapping is done for matching column names).

  1. Map the SALESORG column of Sales Fact with the Sales Organization of DAC Sales Organization. Drag SALESORG and drop it onto Sales Organization to join both entities.

Return to the Data Access Control section.

  1. Select Sales Fact link to return to the main panel overview.

Save your extended fact view as Sales Fact incl DAC.

  1. Select the Save icon in the toolbar and choose Save As.

  2. Enter the new name Sales Fact incl DAC in the dialog popup and save it.

  3. Deploy your extended fact view.

  4. Wait until a popup window appears with a notification about the successful deployment.



Preview a Limited Number of Records

  1. [Optional] Select Details to hide the properties side panel and enlarge the nodes on the canvas.

  2. Select the output node Sales Fact incl DAC in the canvas, and choose the Data Viewer operator in the popup menu.

  3. In the data preview, scroll to the right to the SALESORG column. The first records show EMEA as sales organization.

Filter on records which contain values equal to AMER. This search should not display any value.

  1. Select the SALESORG column and choose the Filter option.

  2. Enter AMER as the value in the Include section and select OK.

  3. The search should not display any values.

Note

: You only see a limited number of records due to the assigned data access control. You can modify the data record in the permission table

  1. Finally, close the view editor and return to the Data Builder entry page.



Congratulations!

You have now successfully protected the transactional records of the fact view with a Data Access Control based on Permission Entity table with Sales Organization as single value criteria.



Learning

SAP FacebookSAP YoutubeSAP LinkedIn