Defining Data Access


After completing this lesson, you will be able to Apply data access control.

Securing Data

General SAP Analytics Cloud Security

Security in SAP Analytics Cloud is used to control access to data and also access to objects. It is carried out in the following ways:

  1. Controlling access to objects, or who can create a model, is accomplished via roles.
  2. Controlling data access, or who can view what data and how they can interact with it, is accomplished primarily via data access control in dimensions; however, it can also be carried out via roles.


A role represents the main tasks that a user performs in SAP Analytics Cloud. SAP Analytics Cloud is delivered with several standard application roles; however, the roles you see will depend on the licenses included in your subscription.

Roles are used mainly to control activities in the system. In this context, roles are also object oriented, for example, user X can update dimension Y.

Basic Permissions

  • Create: Permits creating new objects. Users need this permission to create files and folders or upload data to an object, such as models, stories, point of interest, and others.
  • Read: Permits opening and viewing an item and its content.
  • Update Permits editing and updating existing items, including the structure of models and dimensions.
  • Delete: Permits deletion of an item.
  • Execute: Permits executing the item to run a process, for example, running a simulation using a Value Driver Tree, or acquiring data from a data source.
  • Maintain: Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure.
  • Share: Permits the sharing of the selected item type.
  • Manage: This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content.

Visit SAP Help for additional information on permissions.

Example of Security Permissions

Assignments are typically team-based with users assigned to teams and then roles assigned those teams. Roles are not typically assigned directly to users.

NameCreate/ Read/ Update/ DeleteExecuteMaintainNotes
DimensionX XSet the Maintain permission to permit adding members to a dimension without being able to change the actual definition. Set Update to allow changing the dimension itself.
Planning ModelXXXSet the Maintain permission to permit adding records of data without being able to change the actual structure. Set Update to allow changing the model structure itself. Set Execute to enable planning features.

Model Access and Privacy

In the following example, you can see the two options to secure data from the model preferences:

  1. Model Data Privacy: Model Data Privacy determines whether the model is visible to users other than the owner. If you switch on Model Data Privacy, only the owner of the model and user roles that have specifically been granted access can see the data. Disable this switch if you want the model and data to be public. Member IDs and properties can be used when defining which roles can access which models.
  2. Data Access Control in Dimensions: If you activate the Data Access Control switch for any dimension, you can then specify the data access in the dimension's setting.
Model preferences with data access control toggle by dimension

Data Access Control in Dimensions

After the Data Access Control switch has been activated in the model for specific dimension, you can restrict access to data in stories by setting read and write permissions for individual members.

Special Considerations

For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version. Users who have read-only permission for public versions can still copy data to a private version that they can edit.

When Data Access Control is used with hierarchical data, you can switch on Hide Parents to restrict which dimension members can be seen in the Modeler. If this option is enabled, users will see only the members that they have at least read access to.

If you grant write access to a user, that user automatically receives permission to read the data. Likewise, if you grant a user delete permission for a member of the Version dimension, they also receive read and write permissions for it.

Data access control in a dimension and result in a story.


In the preceding example, the user can change values for Pacific and Southwest but they cannot publish.

Additional Information

Visit SAP Help for additional information on Data Access Control for dimensions.

Apply Data Access Controls

Business Example

You are working on a story and need to control access to the transaction data in an import model.

In this practice exercise, you will:

  • Create a model
  • Turn on data access control for the organization and version dimensions
  • Populate the new property fields
  • Share a story created from the model
  • Test the security settings

Log in to track your progress & complete quizzes