Skip to Content
Technical Articles

SAP Analytics Cloud – Security Concepts and Best Practice

If you are new to SAP Analytics Cloud and responsible for setting up the security and folder structure then this article is for you! I present my Best Practices full of handy tips

In the article I explain the basic concepts of security, such as users, roles and teams.

I explain, by way of example, why the ‘User A’ doesn’t have access to the folder. This catches many out, but once you understand the concepts you’ll understand why not.

I then go on to explain how to setup your Public Folder structure and why I don’t recommend using the default ‘Models’ folder.

I conclude with how to setup a folder structure, per Project (or Line of Business area), and why I recommend collapsing the ‘Standard’ contents folder into the Projects root folder

My article is available in the wiki allowing me to easily update it and for you to follow those updates

As always feedback is very welcome and I will do my best to reply to your comments

Matthew Shaw @MattShaw_on_BI

You must be Logged on to comment or reply to a post.
  • Matthew,


    Excellent introduction (and detailed wiki too). I believe this is something customers are yet to discover.


    Whilst the security model options in SAC isn’t on par with SAP BOBJ [yet] the inclusion of teams and folders for Models is a great step forward.

    One thing that using teams gives us, is the chance to add teams to Roles (as you indicate above). This then means we don’t have to worry about what Roles to assign to users in the ‘Security/Users’ page.

    In your example above you could extend the teams to differentiate between viewers and creators too.


    Also, if customers install the SAC Content usage stories and models (available in Standard Content) then it is possible to build a story showing the relationship between users and teams – great for checking things are done right.






  • Hi Matthew,

    Very nice article.

    How do you technically associate Teams to Roles? We are in 2019.08 version and did not find a way to do it. Our understanding is that Roles and union of Roles currently relate to final Users but not to Teams.

    Many thanks in advance for clarifying.

    Best Regards,


    • Hello Lluis,

      Thank you for your feedback. Select – Menu-Security-Roles.  Then once the role is shown click on the ‘user’ button with tooltip ‘Assign Role’. You can then assign users and teams to the role. It assumes you have ‘read’ rights on teams and you already have a team.

      Regards, Matthew

  • Hi Matthew,

    As always a very useful blog and wiki page.

    I don’t know if we discussed this in the past, but I am looking for a solution for the end-user who is only interest in the Digital Boardroom object.

    I agree with you that models are best placed in a project folder (from a developer and security perspective). But the end-user has no interest in the model (and even the story) object so it is not useful to show him/her these object in the project folder.

    If I deny the end-user access to these objects, he/she cannot see any data in the Digital Boardroom.
    There is a different in using an object and the ability to see an object in a folder. Right now, in SAP Analytics Cloud (from a security perspective), I cannot make a distinction between the two.

    As a sub-optimal solution, I have moved the stories and models to an underlying folder called “Content” (with the same authorizations as the project folder). So the end-user will only see the Digital Boardroom objects in the project folder … and off course a folder with the name “Content”.

    Do you have another / better solution for this problem?

    • Thank you for your feedback

      There could be a very simple solution! In the file area you can filter what is shown:

      Would this help?

      Regards, Matthew

      • Yes, that seems a kind of solution though the end users still have access to see the models if they maintain folder list filter!

        On the other hand the end users can click the model and view all measures and dimensions! Okay it’s not a bad thing but even though they cannot change & save the model it seems they can attempt to Change Datasource, Create Local Dimension and Create Time Dimension!

    • That’s exactly what I haven been dealing with stories & models sharing! Reading data from the model and viewing the model should be separate access & sharing settings! I don’t want the end users to see models and make them confusing!