Skip to Content
Author's profile photo Tammy Powlas

Trusted Data Discovery using SAP Lumira – Security Webcast

This was an SAP webcast today.  Below are my notes.  The usual SAP Legal Disclaimer applies; things in the future are subject to change.


Figure 1: Source: SAP

You should think of security on data sets, when stories are published to Cloud, BI Platform, Server

What security do you have on this?

What can be done when designing on desktop before sharing?


Figure 2: Source: SAP

Figure 2 shows you need to think about security

There are two different kind of dataset groups – one is download approach including the universe and HANA

When using the Connect online approach Lumira respects user rights

Figure 2 shows you can enforce a refresh for the universe

Lumira Desktop Governance

Companies have concerns about sharing to the cloud


Figure 3: Source: SAP

IT can enforce desktop governance

It can handle the data source type

Preferences have configurable URLs – the admin can restrict

The speaker said you need the BI Platform with Lumira add-on installed (not Server; server is needed for sharing)


Figure 4: Source: SAP

Need to create text file

Looks at CMC and fetches properties for user

Using BOE for this and authentication type depends on what is set for CMC


Figure 5: Source: SAP

Figure 5 shows the properties file; you create a file by naming, and maintain the parameters


Figure 6: Source: SAP

Figure 6 shows where the preferences defined.  You can allow the URL to be edited or not


Figure 7: Source: SAP

Figure 7 shows before and after screen shots.  The lower right shows “Editing URL has been disabled”


Figure 8: Source: SAP

Figure shows using the BI platform to define access to features

You can define security for a specific users or user groups


Figure 9: Source: SAP

Figure 9 shows before and after with the data source rights.  There is no access to the HANA or BW.


Figure 10: Source: SAP

Before and after sharing rights is shown in Figure 10


Figure 11: Source: SAP

Figure 11 shows priority of access rights.

Document Security


Figure 12: Source: SAP

Infographics – what is use case?

Normally they are static

If have fresh on open set it will refresh


Figure 13: Source: SAP

Figure 13 shows you can share a story with team or others

If share story you share access to dataset as well

You can also stop sharing of dataset

SAP plans to work on security in Cloud – for the admin to give Cloud security access right – restricting sharing private, not public


Figure 14: Source: SAP

Figure 14 shows Lumira Server access.  The HANA admin needs to assign roles to user – data consumer or analyst.


Figure 15: Source: SAP

Figure 15 shows you share only with those who have access

You decide which roles to share in edit or view mode


Figure 16: Source: SAP

You can use BI platform security on the folders in CMC


Figure 17: Source: SAP

Figure 17 shows access to the universe, fetched from BI Platform

There are different options.

Universes have the option to do a data refresh to ensure have latest data

It can be an on demand refresh or scheduled refresh

For BW offline use case – might be able to have server side refresh for data like universes and user sees only data they have access to (future)

The session included a demonstration; when the recording is available I encourage you to watch it.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks Tammy, great summary (as always) of a highly relevant topic.

      Kind regards,


      Author's profile photo Former Member
      Former Member

      Hi Tammy,

      Great blog! Do find it rather strange to use a separate file to enforce governance. Isn't this hard to maintain and error prone? I would rather see a similar check box as in Design Studio where you can select the start up mode (BI platform, standalone, HANA, etc.)

      What are your thoughts on this Sharon Om ?

      With kind regards,

      Martijn van Foeken | Intenzz

      Author's profile photo Tammy Powlas
      Tammy Powlas
      Blog Post Author

      Hi Martijn - great question!

      I'll be the first to say I am not a security expert.  It would be interesting to hear what other security experts say on this.

      Thank you for reading and commenting.

      Author's profile photo Greg Wcislo
      Greg Wcislo

      A longer term better way to manage would probably be using active directory policies to activate/deactivate the governance.   It certainly wouldn't be an end user initiated action, because what user wants to limit what they can do voluntarily? 🙂 . 

      It wouldn't say necessarily error prone, it's either on or off, but do do it in any scale with this requires a centralized software push mechanism which may not be present in some companies, and of course it needs to be set as read only by the administrator.  You would test it once centrally, make sure it works and push it out to clients

      From a pure security standpoint (taking the view of a hacker), only the server can be trusted, and the client cannot.   This is true for any application in the software world.  This is because on the client side you could change the contents of your memory and change the actual execution path of the code.

      The target here is not to protect from the hackers intent on using workflows they're not supposed to.   Your business user is not easily or accidentally going to bypass the limitations set on the desktop by the centralized administrator, but it does really require a centralized software push infrastructure.

      Author's profile photo Sharon Om
      Sharon Om

      Room for improvement for sure. I will forward it to my colleagues who own this look into it.

      Author's profile photo Former Member
      Former Member

      Hi Tammy ! Thanks for sharing.

      It is indeed a very interesting topic for everyone thinking about Lumira as part of a corporate Analytics stack. Is there anything in the roadmap about managing centrally from Lumira Server as we do with BO / BW ?



      Author's profile photo Tammy Powlas
      Tammy Powlas
      Blog Post Author

      Hi SJR 🙂

      I don't see that called out in the official roadmap here (SMP logon) - maybe you might want to ask this as a discussion so SAP answers?

      Thank you for reading and commenting