SAP Analytics Cloud security in general
Security in SAP Analytics Cloud is used to control access to data and also access to objects. It is carried out in the following ways:
- Controlling access to objects, or who can create a model, is accomplished via roles.
- Controlling data acces, or who can view the data for what region, is accomplished primarily via data access control in dimensions, however, it can also be carried out via roles.
A role represents the main tasks that a user performs in SAP Analytics Cloud. SAP Analytics Cloud is delivered with several standard application roles, however, the roles you see will depend on the licenses included in your subscription.
Roles are used mainly to control activities in the system. In this context, roles are also object oriented, for example, user X can update dimension Y.
The Planner Reporter role:
- Includes all authorizations that are required to perform planning activities, such as revenue planning and automated discoveries.
- Grants authorizations for updating currency tables, as such, is usually assigned to the user who does the planning and budgeting.
- Grants authorizations for viewing analytic applications and working with the data analyzer.
- Grants authorizations for viewing custom widgets.
- Create: Permits creating new objects of this item type. Users need this permission to create files and folders or upload data to an object, such as models, stories, point of interest, and others.
- Read: Permits opening and viewing an item and its content.
- Update Permits editing and updating existing items, including the structure of models and dimensions.
- Delete: Permits deletion of the item.
- Execute: Permits executing the item to run a process. For example, running a simulation using a legacy Value Driver Tree, or acquiring data from a data source.
- Maintain: Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure.
- Share: Permits the sharing of the selected item type.
- Manage: This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content.
Visit SAP Help for additional information on permissions: https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/93fec5646f144e109745ce74fd492c3f.html
Example of security permissions
Assignments are typically team-based with users assigned to teams and then roles assigned those teams. Roles are not typically assigned directly to users.
Model Preferences: Access and Privacy
There are two options to secure data:
- Model Data Privacy
- Data Access Control in Dimensions
Data Access Control in Dimensions
You can restrict access to data in stories by setting read and write permissions for individual members. You can activate this security feature for any dimension in the model.
You can enable data access restrictions using the Data Access Control (DAC) setting. When DAC is on, two more columns (Read and Write) are added to the dimension grid so that you can apply individual settings to each row. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version.
When DAC is used with hierarchical data, you may want to switch on Hide Parents. Using this setting, you can restrict which dimension members can be seen in the Modeler. If this option is enabled, users will see only the members that they have at least read access to.
Each user who is granted write access for a member automatically receives permission to read the data as well. Likewise, a user who receives the delete permission for a member of the Version dimension also receives read and write permissions for it.
Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit.
Users who do not have write permissions cannot publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.
Data access control example
In the Version dimension is set to read only, the data in the Actual column is greyed out. However, this is not the case for the Entity (regions) which have permissions granted by region.
Implementing dimension-based security
In order to implement DAC / Dimension based security you must:
- Develop a plan on who will have access to what data.
- Activate Data Access Control for securing dimensions.
- Maintain the user IDs in the dimensions.
- Test the solution.
- Member IDs and hierarchies can be used.
- The dimensional assignments can be controlled by the business teams.