Securing Data Using Data Access Control


After completing this lesson, you will be able to:

  • Set up Data Access Control
  • Validate Data Access Control

Data Security using Dimensions

You can use Data Access Control in Dimensions to restrict access to individual values in a model to specific users. For example, if you restrict Entity to North America for a user, then they will only be able to see data for North America in their story.

This short video will introduce you to the topic of Data Access Control in model dimensions.

Enable Data Access Control from the Model Preferences

To enable dimension security, switch on Data Access Control (DAC) for each dimension in the Model Preferences. In the example below, you can see that DAC has been enabled for the Entity dimension.

SAP Analytics Cloud model preferences open to the Access and Privacy section. Data Access Control for the Entity dimension has been enabled.

Enable Data Access Control from the Dimension Table

It is also possible to switch on Data Access Control in the Rights/Access section of the Dimension Table panel, as shown in the example below.

In the Preview panel for the Dimension Table, you can see Data Access Control enabled (highlighted in yellow) for the Entity dimension.

Setting Up Data Access Control in a Dimension

Once DAC is enabled for a dimension, Read and Write columns are available to define which user or team should have Read or Write access to that dimension member.

If the dimension has hierarchical members, the data access settings will be inherited by the lower members of the hierarchy. For example, if you grant Read and Write access to United States, then users will be able to see data for individual states as well.

SAP Analytics Cloud model open to the Entity dimension where DAC has been enabled
  • Even with Data Access Control applied to a dimension, master data is still be visible to users, as restrictions created using Data Access Control apply only to transaction data.
  • If a user is assigned the BI Admin role, or is the model owner, then that user always has full access to the model, regardless of the DAC settings applied to that model.

Version Security in Planning-Enabled Models

You can also use Data Access Control for Version dimensions to restrict access in planning-enabled models.

Adding version security to a model lets you restrict read, write, and delete access to public versions to prevent other users or teams from changing them. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version.

For example:

  • Users who have Read privileges for public versions can still copy data to a private version that they can edit, however, as these users don't have write privileges they can't publish into a public version.
  • With Delete permissions for a public version, a user can read, publish to, and delete a public version.
  • Only users with the Update privilege (defined in Security Roles) can set DAC for a version dimension.
  • The default permission is None. You must explicitly grant Read, Write, Delete access to users or teams, including yourself.

How to Restrict Read and Write Access to a Version Dimension

  1. In the Modeler, open or create a model.
  2. Select the Version dimension.
  3. In the Dimension Settings panel, switch on Data Access Control.
  4. Select OK.

    The three additional columns Read, Write, and Delete appear.

  5. Select a cell under Read and then select the users and teams who you want to have Read access.
  6. Repeat for Write and Delete access.

You can see details of your choices in the Preview panel.

Additional Information

For more information on Data Access Controls in a dimension, including usage restrictions, go to Set Up Data Access Control | SAP Help Portal.

Set Up Data Access Controls in an SAP Analytics Cloud Model Dimension

Business Scenario

Since The Mock Company uses an import data model for their operational income for planning, you have been asked to set up data access controls for the Entity dimension so that teams are granted either Read or Write access to the data, depending on their team requirements.

In this practice exercise, you will:

  • Enable Data Access Controls for the Entity dimension.
  • Edit the Entity Dimension Table to provide Read and Write permissions to teams.

Validate Data Access Controls

Business Scenario

You have applied Data Access Control and now you need to validate data access security in the model dimension.

In this practice exercise, you will:

  • Validate Data Access Controls for the Entity dimension for a Finance analyst in the overseas organization.
  • Validate Data Access Controls for the Entity dimension for a Finance business user in the overseas organization.

Log in to track your progress & complete quizzes