The authorization concept is one of the most important components of any planning application, as the company's future strategy is based on planning. At the same time, many people from different areas of the company and, if necessary, even suppliers participate in the planning process. It is therefore essential to guarantee that those involved only have access to the functions and data that are necessary to fulfill their task.
In this article, I introduce the authorization concept of SAP Analytics Cloud. In particular, I discuss data access rights. These define which data a user is allowed to view or modify.
There are two options to define which data access rights a user gets: Model Data Privacy and Data Access Control in Dimensions. Below, we'll explain how the two alternatives work and discuss the differences. We will then provide a modeling recommendation for your projects.
Model Data Privacy
Because data management in SAP Analytics Cloud takes place at the data model level, data access control must first be activated for each model. Only then can you define the access rights. The required setting can be found on the "Access and Privacy" tab in the "Data Access" area.
The “Model Data Privacy” option determines whether the model is displayed to users other than the owner. In addition, it is possible to configure row level permissions that are not available in other models. Thus, if you enable the “Model Data Privacy” option, the data can be viewed only by the owner of the model and by user roles that have been granted access.
Afterwards the role definition can take place. You can use logical expressions to restrict access when defining the read and write access. This allows you to flexibly design the role definition.
The following operators are available:
- Relational operators like <, <=, =, >=, >
- BETWEEN, to define a range
- CONTAINS, to define a pattern
- IS_CURRENT_USER, to check whether the attribute value matches the user ID of the logged-in user. Useful when responsible persons are maintained in the master data.
Data Access Control in Dimensions
In addition to the presented option of defining data access via the role definition, you can also define data access rights directly in the dimensions of the model. You can activate the data access control for individual dimensions of the model.
If this option is activated, read and write columns are added to the master data of the respective dimension, where you can assign a responsible person. This allows you to define which users or teams have access to the individual elements of the dimension. Please note that read and write permissions on nodes are always inherited by the child elements of the node.
In the example above, the user "LMORLOCK" will have read and write access only for the tree node California and its leaf nodes.
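The inheritance rule matters when reviewing who can actually see or change which members. The following added example (a simplified model written for this article, not SAP Analytics Cloud code) computes the effective rights of a user from the read and write columns of a dimension. The members below California and Nevada and the user JDOE are constructed sample data.

```python
# Constructed sample master data of a dimension with data access control enabled.
# Each member has a parent (None for the root) and the users in its Read / Write columns.
MEMBERS = {
    "USA":           {"parent": None,         "read": {"JDOE"},     "write": set()},
    "California":    {"parent": "USA",        "read": {"LMORLOCK"}, "write": {"LMORLOCK"}},
    "Los Angeles":   {"parent": "California", "read": set(),        "write": set()},
    "San Francisco": {"parent": "California", "read": set(),        "write": set()},
    "Nevada":        {"parent": "USA",        "read": set(),        "write": set()},
    "Las Vegas":     {"parent": "Nevada",     "read": set(),        "write": set()},
}

def ancestors_and_self(member, members):
    """Yield the member and every node above it, guarding against cycles."""
    seen = set()
    while member is not None:
        if member in seen:
            raise ValueError(f"cycle in hierarchy at {member!r}")
        seen.add(member)
        yield member
        member = members[member]["parent"]

def effective_access(user, members):
    """Return {member: rights} the user holds directly or through a parent node."""
    result = {}
    for member in members:
        rights = set()
        for node in ancestors_and_self(member, members):
            for right in ("read", "write"):
                if user in members[node][right]:
                    rights.add(right)
        if rights:
            result[member] = rights
    return result

def inherited_only(user, members):
    """Members the user reaches only via a parent: entries an access review should confirm."""
    effective = effective_access(user, members)
    return sorted(m for m in effective
                  if user not in members[m]["read"] | members[m]["write"])

if __name__ == "__main__":
    for user in ("LMORLOCK", "JDOE"):
        print(user, effective_access(user, MEMBERS), inherited_only(user, MEMBERS))
```

A single read entry on the root node (JDOE on USA) reaches every member of the hierarchy, so assignments on high-level nodes deserve the closest review.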
Differences
Both options allow data access permissions to be defined at both row and column level. With the "Model Data Privacy" option, roles containing dimensions are assigned to users. With the second option, "Data Access Control in Dimensions", the assignment of authorized users is not done via a role, but in the individual dimensions.
However, there are also significant differences. For example, the "Model Data Privacy" option allows you to create roles that contain multiple models. The "Data Access Control in Dimensions" option, on the other hand, only refers to the respective model. A cross-model definition of permissions is therefore not possible. The permissions must be assigned individually for each model.
In addition, with the “Data Access Control in Dimensions” option, the master data must first be available. Only then can authorizations be granted. It is also not possible to define permissions using a pattern (such as CONTAINS).
In contrast, the “Model Data Privacy” option allows flexible permissions. When defining the authorizations, logical expressions such as greater than, less than, BETWEEN or CONTAINS can be used. This way, master data does not necessarily have to be available.
SAP Analytics Cloud authorization concept - Our conclusion
Ultimately, the decision depends on the respective requirements. However, the "Model Data Privacy" option is recommended. It enables a flexible definition of authorizations. In addition, maintenance is also simplified.