
SAP Analytics Cloud – Security Concepts and Best Practice

If you are new to SAP Analytics Cloud and responsible for setting up its security and folder structure, then this article is for you. I present my best practices, full of handy tips.

In the article I explain the basic security concepts: users, roles and teams, and how they fit together.

I explain, by way of example, why ‘User A’ doesn’t have access to a folder. This catches many people out, but once you understand the concepts you’ll see why.

I then go on to explain how to set up your Public folder structure and why I don’t recommend using the default ‘Models’ folder.

I conclude with how to set up a folder structure per project (or line-of-business area), and why I recommend collapsing the ‘Standard’ contents folder into the project’s root folder.

The full article is available in the wiki, which allows me to update it easily and allows you to follow those updates.

As always, feedback is very welcome and I will do my best to reply to your comments.

Matthew Shaw @MattShaw_on_BI

https://people.sap.com/matthew.shaw/#content:blogposts

24 Comments
  • Matthew,

     

    Excellent introduction (and detailed wiki too). I believe this is something customers are yet to discover.

     

    Whilst the security model options in SAC aren’t on par with SAP BOBJ [yet], the inclusion of teams and folders for Models is a great step forward.

    One thing that using teams gives us is the chance to add teams to Roles (as you indicate above). This then means we don’t have to worry about what Roles to assign to users in the ‘Security/Users’ page.

    In your example above you could extend the teams to differentiate between viewers and creators too.

     

    Also, if customers install the SAC Content usage stories and models (available in Standard Content) then it is possible to build a story showing the relationship between users and teams – great for checking things are done right.

     

     

    Regards,

     

    Tim

  • Hi Matthew,

    Very nice article.

    How do you technically associate Teams to Roles? We are on version 2019.08 and did not find a way to do it. Our understanding is that Roles and unions of Roles currently relate to final Users but not to Teams.

    Many thanks in advance for clarifying.

    Best Regards,

     

    • Hello Lluis,

      Thank you for your feedback. Select Menu – Security – Roles. Then, once the role is shown, click on the ‘user’ button with the tooltip ‘Assign Role’. You can then assign users and teams to the role. It assumes you have ‘read’ rights on teams and you already have a team.

      Regards, Matthew

  • Hi Matthew,

    As always a very useful blog and wiki page.

    I don’t know if we discussed this in the past, but I am looking for a solution for the end-user who is only interested in the Digital Boardroom object.

    I agree with you that models are best placed in a project folder (from a developer and security perspective). But the end-user has no interest in the model (and even the story) object, so it is not useful to show him/her these objects in the project folder.

    If I deny the end-user access to these objects, he/she cannot see any data in the Digital Boardroom.
    There is a difference between using an object and the ability to see an object in a folder. Right now, in SAP Analytics Cloud (from a security perspective), I cannot make a distinction between the two.

    As a sub-optimal solution, I have moved the stories and models to an underlying folder called “Content” (with the same authorizations as the project folder). So the end-user will only see the Digital Boardroom objects in the project folder … and of course a folder with the name “Content”.

    Do you have another / better solution for this problem?

    • Thank you for your feedback

      There could be a very simple solution! In the file area you can filter what is shown:

      Would this help?

      Regards, Matthew

      • Yes, that seems like a kind of solution, though the end users still have access to see the models if they maintain the folder list filter!

        On the other hand, the end users can click the model and view all measures and dimensions! Okay, it’s not a bad thing, but even though they cannot change & save the model it seems they can attempt to Change Datasource, Create Local Dimension and Create Time Dimension!

        • Thank you Tuncay, this is all great feedback which I shall share with our development team. If you, or others, can elaborate a little more on this that would be great. Thank you again, Matthew

          • Let me try to elaborate a little bit. Your suggestion of using file filters works; but still, the users have to do it themselves.

            What we are looking for is, let’s say, that we want some users (as F.P. van Kouwen indicated, for example) to see only Digital Boardroom files or Story files. We don’t want them to see the Model files at all. But right now in current releases you have to give Read permission for the model, which is fine, but you also have to give View access to the folder in which the model exists and View access to the model file itself. Meaning once the users go to Files they will still see the folder and the model file. We don’t want them to see the model files at all.

            We require simplicity for users! They will see only the files which are really “click and use / consume” files. End users won’t have anything to do with seeing and displaying the model.

            So for the models: if I gave Read permission on the model, that should be enough. And optionally, or if it’s needed for some users, I may give View access to the folder & model file. We need this very useful feature & flexibility.

            Tuncay

    • That’s exactly what I have been dealing with in story & model sharing! Reading data from the model and viewing the model should be separate access & sharing settings! I don’t want the end users to see models and be confused by them!

      • Thank you Tuncay. The ‘confusing’ aspect seems critical for your end users. I shall pass this feedback on. Much appreciated. The feedback can only help improve the product. Keep it coming! Thanks again, Matthew

  • Dear Matthew,

    I have attended your webinar yesterday, which I found very helpful, thank you for this.

    I wanted to ask you (and actually asked via question in webinar) about the IdP solution.

    How do you deal with, or what would be your solution for, the SAML mapping from the IdP attribute for Team when there are several teams to which the user should be assigned?

    (more background: the user needs to be assigned to Team1, Team2 and Team3. In the IdP you set the attribute to the string Team1,Team2,Team3; in SAC, in the Teams area under the SAML mapping, you switch on the attribute used for the mapping of the Team and there you have to type in the whole string again – which, as you can imagine, in a larger solution with more teams creates a mess – so you then have to have, under Team1, its attribute values filled with all possible combinations – e.g. “Team1” or “Team1,Team2” or “Team1,Team2,Team3” – so that you cover all possible combinations which other users can also have…)

    I know it might not be best explained, but it is really interesting to understand.

    If there is any chance you spend some time on your answer, it will be great!

    Thank you very much in advance!
    Václav
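The mapping explosion Václav describes can be made concrete. The following is an added example for this page, not code from SAC or from the author. It assumes, as the comment states, that the IdP sends the user's teams as one comma-separated attribute value and that each SAC team's SAML mapping matches that whole value exactly, so the mapping for a team has to list every value in which the team can appear. The team names are made up, and the `order_sensitive` option is an added caveat: if the IdP does not emit the teams in one fixed order, every permutation has to be listed as well.

```python
"""Added example: how many exact-match attribute values a team's SAML
mapping needs when the IdP sends all of a user's teams as one
comma-separated string (assumption taken from the comment above).
Team names are constructed for illustration."""

from itertools import combinations, permutations


def exact_match_values(team, all_teams, order_sensitive=False):
    """All attribute values that must be listed under `team` so that a
    user holding any subset of `all_teams` that contains `team` gets
    mapped into it.

    order_sensitive=False assumes the IdP always emits the teams in one
    canonical (sorted) order, giving 2**(n-1) values for n teams.
    order_sensitive=True assumes arbitrary ordering, so every
    permutation of every subset is needed as well."""
    others = [t for t in all_teams if t != team]
    values = []
    for k in range(len(others) + 1):
        for extra in combinations(others, k):
            members = sorted((team,) + extra)
            if order_sensitive:
                values.extend(",".join(p) for p in permutations(members))
            else:
                values.append(",".join(members))
    return sorted(set(values))


def mapping_table(all_teams, order_sensitive=False):
    """Team name -> the list of values to paste into that team's mapping."""
    return {t: exact_match_values(t, all_teams, order_sensitive)
            for t in all_teams}


if __name__ == "__main__":
    teams = ["Team1", "Team2", "Team3"]
    for name, values in mapping_table(teams).items():
        print(f"{name}: {len(values)} values -> {values}")
    # Growth with the number of teams, canonical order vs. any order.
    for n in (3, 5, 8):
        ts = [f"Team{i}" for i in range(1, n + 1)]
        print(n, "teams:",
              len(exact_match_values("Team1", ts)), "values per team (canonical order),",
              len(exact_match_values("Team1", ts, order_sensitive=True)), "(any order)")
```

Even with three teams each mapping needs four values, and with eight teams it needs 128 in canonical order or tens of thousands if the IdP's ordering is not fixed, which is why pinning the attribute to a deterministic order at the IdP matters as much as keeping the team count small.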

  • Dear Matthew,

     

    We created a new authorization structure based on your recommendations, and it works fine for all but one story. This particular story is based on a live connection, like all the others. There is no noteworthy difference to any other story, but SAC only grants access to the data when the role includes the flags for “Public Files” and “Manage”. This is strange! My question is: what are the rules for the necessity of this flag? How is this traceable? Currently we find these solutions only by trial and error.

     

    Thanks and best regards

    Joe

    • Hello Joe

      I wonder if anyone one of my wiki pages might help: https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Rights#SAPAnalyticsCloud-SecurityRights-Workflow:ViewStorybasedonAnalyticalModelwithAcquireddata(ImportConnection) Can you see the ‘manage’ right comment that currently reads “Perhaps confusingly the ‘Public Files’ – ‘Manage’ right is needed for acquired (imported) data connections and not for live data connections. If you do NOT have this right the visualisations will not show acquired data, instead you’ll see an error “Unable to retrieve data from the datasource. Error: You have no authorisation on the model.”

      Your thoughts?

      • Matthew,

        thanks for that wiki page, it is very helpful!

        However, this does not answer my problem. The model is 100% a live connection data model, but only with the Manage flag can the users see the data. I have set it to give the users the authorization, but I don’t understand why it is needed at the moment.

        I had made dimension name changes in the model, which I deleted again, but it still requires the Manage flag.

        Now I will recreate single step in the Story to find out the reason. I will keep you updated.

         

      • Hi Matthew,

        it is a bit embarrassing, but I will take the shame and learn from it. I duplicated the model and left the assigned model in a hidden folder to which the users had no access. Interestingly, the authorization was given when I marked the Manage flag in the role. Not sure if this is a bug or a feature.

         

        Sorry for wasting your time and thank you for the wiki.

         

        Joe
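Joe's trial-and-error hunt, and the earlier thread on what a user needs to consume a model, both come down to the same question: which of several independent requirements is missing for ‘User A’? The following is an added example for this page, not SAC's own authorization code and not the author's. It encodes only the rules the thread states (roles are inherited through team membership; consuming a model needs View on the folders above it, View on the model file and Read on the model; ‘Public Files: Manage’ is needed for acquired data) in a small checker that reports every unmet requirement instead of a bare “no authorisation” error. The class names, right names, paths and the assumption that the Public root folder is visible to everyone are illustrative.

```python
"""Added example: a toy model of role rights (direct or via teams) combined
with per-object sharing, reporting which requirement blocks a user from
consuming a story. Not SAC's engine; rule set and names are assumed."""

from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    rights: set                                 # e.g. {"PublicFiles:Read"}


@dataclass
class Team:
    name: str
    members: set                                # user names
    roles: set = field(default_factory=set)     # roles assigned to the team


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)     # roles assigned directly


@dataclass
class Obj:
    path: str
    kind: str                                   # "folder", "story" or "model"
    shares: dict = field(default_factory=dict)  # principal -> {"View", "Read", ...}
    acquired: bool = False                      # model with imported data


class Tenant:
    def __init__(self):
        self.roles, self.teams, self.users, self.objects = {}, {}, {}, {}

    def add(self, *items):
        for it in items:
            table = {Role: self.roles, Team: self.teams,
                     User: self.users, Obj: self.objects}[type(it)]
            table[getattr(it, "path", None) or it.name] = it   # Obj keyed by path
        return self

    def principals(self, user):
        """The user plus every team the user is a member of."""
        return {user} | {t.name for t in self.teams.values() if user in t.members}

    def effective_roles(self, user):
        names = set(self.users[user].roles)
        for t in self.teams.values():
            if user in t.members:
                names |= t.roles                # inherited through the team
        return names

    def effective_rights(self, user):
        return set().union(*(self.roles[r].rights for r in self.effective_roles(user)))

    def has_share(self, user, path, level):
        shares = self.objects[path].shares
        return any(level in shares.get(p, ()) for p in self.principals(user))

    @staticmethod
    def parent_folders(path):
        parts = path.strip("/").split("/")
        # Skip the Public root itself (assumed visible to everyone).
        return ["/" + "/".join(parts[:i]) for i in range(2, len(parts))]

    def explain_story_access(self, user, story, model):
        """Return every unmet requirement; an empty list means access works."""
        missing = []
        rights = self.effective_rights(user)
        if "PublicFiles:Read" not in rights:
            missing.append("role right PublicFiles:Read")
        if self.objects[model].acquired and "PublicFiles:Manage" not in rights:
            missing.append("role right PublicFiles:Manage (acquired data)")
        for folder in set(self.parent_folders(story) + self.parent_folders(model)):
            if not self.has_share(user, folder, "View"):
                missing.append(f"View on folder {folder}")
        if not self.has_share(user, story, "View"):
            missing.append(f"View on story {story}")
        if not self.has_share(user, model, "View"):
            missing.append(f"View on model file {model}")
        if not self.has_share(user, model, "Read"):
            missing.append(f"Read on model {model}")
        return sorted(missing)


def build_demo(model_path="/Public/Models/SalesModel", team_roles=("Viewer",)):
    """Constructed scenario: userA is in team ProjectA, which carries the
    Viewer role. The story sits in the shared project folder; by default
    the model sits in the unshared 'Models' folder and uses acquired data."""
    t = Tenant()
    t.add(Role("Viewer", {"PublicFiles:Read"}),
          Role("Modeler", {"PublicFiles:Read", "PublicFiles:Manage"}),
          Team("ProjectA", {"userA"}, set(team_roles)),
          User("userA"),
          Obj("/Public/ProjectA", "folder", {"ProjectA": {"View"}}),
          Obj("/Public/ProjectA/SalesStory", "story", {"ProjectA": {"View"}}),
          Obj("/Public/Models", "folder"),                  # default Models folder, not shared
          Obj(model_path, "model", {"ProjectA": {"View", "Read"}}, acquired=True))
    return t


if __name__ == "__main__":
    broken = build_demo()
    print(broken.explain_story_access("userA", "/Public/ProjectA/SalesStory",
                                      "/Public/Models/SalesModel"))
    # Fix: keep the model inside the project folder and give the team Manage.
    fixed = build_demo("/Public/ProjectA/SalesModel", ("Viewer", "Modeler"))
    print(fixed.explain_story_access("userA", "/Public/ProjectA/SalesStory",
                                     "/Public/ProjectA/SalesModel"))
```

The first call lists both blockers at once (the unshared default Models folder and the missing Manage right for acquired data); moving the model into the project folder, as the article recommends, and assigning the extra role to the team clears them. The same structure explains Joe's case: the role right was fine, but the model the story actually used was in a folder the team could not see.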

  • Hi Matthew,

     

    Excellent work as always!

     

    There seems to be an issue downloading the slide deck from SlideShare – even with a LinkedIn account it gives the message “oops something went wrong, try again later”. I’ve tried since Monday.

     

    Is it possible to share on another platform?

     

    Thanks,

    Stephen

  • Hi Matthew,

    Super informative blog on the possible scenarios in a SAC system. If I understand the “ONLY Concurrent License” scenario correctly, the recommendations are as follows:

    1. Assign a Default role to all users so that they consume a Concurrent license.
    2. Assign a Role to the User directly, as inheritance via TEAMS is not possible in an “Only Concurrent” scenario
    3. Then add the User to the TEAM

    Since Roles define the rights within an application and TEAMS define whether an application is accessible – How will an only Concurrent Scenario work when a Role cannot be assigned directly to a team?

    Example:

    1. User A has a concurrent BI license
    2. User A can Create/Edit in Project A Folder but only view in Project B Folder
    3. Hence, User A has a view Role as well as an Edit Role assigned via Security->Users
    4. If the User A is added to both TEAM A and TEAM B, how does the assignment Role to TEAM take place in this scenario?

    Would be obliged if you could elaborate on this scenario.

    Thanks & Best regards,

    Anirudh

    • Hello Anirudh

      Many thanks for your feedback.

      This topic is super complex and so you need to find my other blog and its related wiki article that goes into incredible detail on this. The blog is https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ and it links to a wiki article where you can download a PPT version too.

      I suggest you review that and then you should make sense of my answers here:

      Q1: “Assign a Default role to all users so that they consume a Concurrent license.”

      A1: Yes, that’s a very good idea when you have a mix of concurrent and named user licenses.

       

      Q2 “Assign a Role to the User directly as an inheritance via TEAMS is not possible in a “Only Concurrent” scenario”

      A2: Incorrect. Inheritance via a team makes no difference to the type of license a user consumes. You can have teams with members that are concurrent and also named. But watch out for gotchas!

       

      Q3 “Then add the User to the TEAM”

      A3: Well, the workflow is complex and there are gotchas if you don’t watch out. So follow my blog/wiki article; it goes through the various workflows and points out all the gotchas. The article has a number of summaries and best practices too.

       

      Q4 “If the User A is added to both TEAM A and TEAM B, how does the assignment Role to TEAM take place in this scenario?”

      A4: As normal. There’s no such thing as a concurrent team, or a named user role. Teams and roles are independent of the ‘Business Intelligence’ license type, but there are gotchas, as I explain in the article, which you need to be aware of. Check out the article. Can I suggest you post any follow-up questions about licenses with roles/teams etc. to that blog, only so others can find it and benefit from it and my reply.

      Thank you, Matthew