Defining Data Access

Security in SAP Analytics Cloud is used to control access to data and also access to objects. It is carried out in the following ways:

1. Controlling access to objects, or who can create a model, is accomplished via roles.
2. Controlling data access, or who can view what data and how they can interact with it, is accomplished primarily via data access control in dimensions; however, it can also be carried out via roles.

A role represents the main tasks that a user performs in SAP Analytics Cloud. SAP Analytics Cloud is delivered with several standard application roles; however, the roles you see will depend on the licenses included in your subscription.

Roles are used mainly to control activities in the system. In this context, roles are also object oriented, for example, user X can update dimension Y.

• Create: Permits creating new objects of this item type. Users need this permission to create files and folders or upload data to an object, such as models, stories, point of interest, and others.
• Read: Permits opening and viewing an item and its content.
• Update Permits editing and updating existing items, including the structure of models and dimensions.
• Delete: Permits deletion of the item.
• Execute: Permits executing the item to run a process, for example, running a simulation using a legacy Value Driver Tree, or acquiring data from a data source.
• Maintain: Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure.
• Share: Permits the sharing of the selected item type.
• Manage: This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content.

Visit SAP Help for additional information on permissions.

Assignments are typically team-based with users assigned to teams and then roles assigned those teams. Roles are not typically assigned directly to users.

After the Data Access Control switch has been activated in the model for specific dimension, you can restrict access to data in stories by setting read and write permissions for individual members.

For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version. Users who have read-only permission for public versions can still copy data to a private version that they can edit.

When Data Access Control is used with hierarchical data, you can switch on Hide Parents to restrict which dimension members can be seen in the Modeler. If this option is enabled, users will see only the members that they have at least read access to.

If you grant write access to a user, that user automatically receives permission to read the data. Likewise, if you grant a user delete permission for a member of the Version dimension, they also receive read and write permissions for it.

In the following example, you can see that when the Version dimension is set to read-only, the data in the Actual column is grayed out. However, this is not the case for the Entity which have permissions granted by region.

Visit SAP Help for additional information on Data Access Control for dimensions.