
SAP Analytics Cloud – Security Concepts and Best Practice

If you are new to SAP Analytics Cloud and responsible for setting up the security and folder structure, then this article is for you! I present my Best Practices, full of handy tips.

In the article I explain the basic concepts of security, such as users, roles and teams.

I explain, by way of example, why ‘User A’ doesn’t have access to the folder. This catches many out, but once you understand the concepts you’ll understand why not.

I then go on to explain how to set up your Public Folder structure and why I don’t recommend using the default ‘Models’ folder.

I conclude with how to set up a folder structure, per Project (or Line of Business area), and why I recommend collapsing the ‘Standard’ contents folder into the Projects root folder.

My article is available in the wiki, allowing me to easily update it and for you to follow those updates.

As always, feedback is very welcome and I will do my best to reply to your comments.

Matthew Shaw @MattShaw_on_BI

https://people.sap.com/matthew.shaw/#content:blogposts


      29 Comments
      Allaine Tabilin

      Nicely written wiki and blog.  It's easy to understand.

      Tim Nightingale

      Matthew,

       

      Excellent introduction (and detailed wiki too). I believe this is something customers are yet to discover.

       

      Whilst the security model options in SAC aren't on par with SAP BOBJ [yet], the inclusion of teams and folders for Models is a great step forward.

      One thing that using teams gives us, is the chance to add teams to Roles (as you indicate above). This then means we don't have to worry about what Roles to assign to users in the 'Security/Users' page.

      In your example above you could extend the teams to differentiate between viewers and creators too.

       

      Also, if customers install the SAC Content usage stories and models (available in Standard Content) then it is possible to build a story showing the relationship between users and teams - great for checking things are done right.

       

       

      Regards,

       

      Tim

      Lluis Aspachs

      Hi Matthew,

      Very nice article.

      How do you technically associate Teams to Roles? We are in 2019.08 version and did not find a way to do it. Our understanding is that Roles and union of Roles currently relate to final Users but not to Teams.

      Many thanks in advance for clarifying.

      Best Regards,

       

      Matthew Shaw
      Blog Post Author

      Hello Lluis,

      Thank you for your feedback. Select - Menu-Security-Roles.  Then once the role is shown click on the 'user' button with tooltip 'Assign Role'. You can then assign users and teams to the role. It assumes you have 'read' rights on teams and you already have a team.

      Regards, Matthew

      Lluis Aspachs

      Awesome

      F.P. van Kouwen

      Hi Matthew,

      As always a very useful blog and wiki page.

      I don’t know if we discussed this in the past, but I am looking for a solution for the end-user who is only interested in the Digital Boardroom object.

      I agree with you that models are best placed in a project folder (from a developer and security perspective). But the end-user has no interest in the model (and even the story) object, so it is not useful to show him/her these objects in the project folder.

      If I deny the end-user access to these objects, he/she cannot see any data in the Digital Boardroom.
      There is a difference between using an object and the ability to see an object in a folder. Right now, in SAP Analytics Cloud (from a security perspective), I cannot make a distinction between the two.

      As a sub-optimal solution, I have moved the stories and models to an underlying folder called "Content" (with the same authorizations as the project folder). So the end-user will only see the Digital Boardroom objects in the project folder … and of course a folder with the name “Content”.

      Do you have another / better solution for this problem?

      Matthew Shaw
      Blog Post Author

      Thank you for your feedback

      There could be a very simple solution! In the file area you can filter what is shown:

      Would this help?

      Regards, Matthew

      Tuncay Karaca

      Yes, that seems a kind of solution though the end users still have access to see the models if they maintain folder list filter!

      On the other hand the end users can click the model and view all measures and dimensions! Okay it's not a bad thing but even though they cannot change & save the model it seems they can attempt to Change Datasource, Create Local Dimension and Create Time Dimension!

      Matthew Shaw
      Blog Post Author

      Thank you Tuncay, this is all great feedback which I shall share with our development team. If you, or others, can elaborate a little more on this that would be great. Thank you again, Matthew

      Tuncay Karaca

      Let me try to elaborate a little bit. Your suggestion using file Filters works; but just still users should do it.

      What we are looking for is, let's say, we want some users (as F.P. van Kouwen indicated, for example) to see only Digital Boardroom files or Story files. We don't want them to see the Model files at all. But right now, in current releases, you should give Read permission for the model, which is fine, but you should also give View access to the folder in which the model exists and View access to the model file itself. Meaning once the user goes to Files they will still see the folder and the model file. We don't want them to see the model files at all.

      We require simplicity for users! They will see only files which are really "click and use / consume" files. End users won't have anything to do with seeing and displaying the model.

      So the models - If I gave a Read permission on the model, that should be enough. And optionally, or if it's needed for some users, I may give View access to the folder & model file. We need this very useful feature & flexibility.

      Tuncay

      Wolfgang Runge

      Dear Matthew,

      I can only jump in what Tuncay is explaining. The issue came up back in August 2019 and as of today there is no solution to that. But the request is pretty obvious.

      I have created team folders which are showing outside of public. The team members have only access to their folders and can only see their stories. That's fine.

      To develop the stories and models we have created a folder in the public folder. If you restrict access to these folders in public, SAC is copying the content of these public folders to the main level outside of the public folder! As a result, a user that is restricted to see only his folder can all of a sudden see all stories and models he should not see.

      As a consequence we have created a development folder with restricted access. But each folder outside of public cannot be deployed with the deployment function in SAC! In one of the blogs you have written back in 2019 that this will be solved. It is not until today.

      In addition you need to keep your models for all users in a public folder. As a consequence each user can view and even modify the model as Tuncay is explaining it.

      Tuncay Karaca

      That's exactly what I have been dealing with stories & models sharing! Reading data from the model and viewing the model should be separate access & sharing settings! I don't want the end users to see models and make them confusing!

      Matthew Shaw
      Blog Post Author

      Thank you Tuncay. The 'confusing' aspect seems critical for your end users. I shall pass this feedback on. Much appreciated. The feedback can only help improve the product. Keep it coming! Thanks again, Matthew

      Václav Schreyer

      Dear Matthew,

      I have attended your webinar yesterday, which I found very helpful, thank you for this.

      I wanted to ask you (and actually asked via question in webinar) about the IdP solution.

      How do you deal or what would be your solution for the SAML mapping from IdP attribute for Team, when there exist more teams, to which the user should be assigned?

      (more background: User needs to be assigned to Team1, Team2 and Team3. In IdP you set the string to the attribute as Team1,Team2,Team3; in SAC in Teams area under the SAML mapping you switch on your attribute related for the mapping of the Team and there you have to type in again the whole string - which, as you can imagine, in larger solution and more teams creates a mess - so you then have to have under Team1 its attribute values filled by all possible combinations - e.g. "Team1" or "Team1,Team2" or "Team1,Team2,Team3" - that you contain all possible combinations which also other users can have...)

      I know, it might not be best explained, but is really interesting to understand.

      If there is any chance you spend some time on your answer, it will be great!

      Thank you very much in advance!
      Václav

      Matthew Shaw
      Blog Post Author

      Thank you Václav for your feedback and thank you for posting your question here. Let me get back to you on this. Thanks again, Matthew

      Marian Canciu

      Any update on this topic?

      Jörg Lehmann

      Dear Matthew,

       

      we created a new authorization structure based on your recommendations, and it works fine for all but one story. This particular story is based on live connection, like all others. There is no noteworthy difference to any other story, but the SAC only grants access to the data when the role includes flag for "Public Files" and "Manage". This is strange! My question is what are the rules for the necessity of this flag? How is this traceable? Currently we find these solutions only by trial and error.

       

      Thanks and best regards

      Joe

      Matthew Shaw
      Blog Post Author

      Hello Joe

      I wonder if any one of my wiki pages might help: https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Rights#SAPAnalyticsCloud-SecurityRights-Workflow:ViewStorybasedonAnalyticalModelwithAcquireddata(ImportConnection) Can you see the 'manage' right comment that currently reads "Perhaps confusingly the 'Public Files' - 'Manage' right is needed for acquired (imported) data connections and not for live data connections. If you do NOT have this right the visualisations will not show acquired data, instead you'll see an error "Unable to retrieve data from the datasource. Error: You have no authorisation on the model.""

      Your thoughts?

      Jörg Lehmann

      Matthew,

      thanks for that wiki page, it is very helpful!

      However, this does not answer my problem. The Model is 100% a Live Connection DataModel, but only with the Manage-flag, the users can see the Data. I have set it to give the users the authorization, but I don't understand why it is needed at the moment.

      I had made Dimension name changes in the Model, which I deleted again, but it still requires the Manage-flag.

      Now I will recreate single step in the Story to find out the reason. I will keep you updated.

       

      Jörg Lehmann

      Hi Matthew,

      it is a bit embarrassing, but I will take the shame and learn from it. I duplicated the Model and left the assigned Model in a hidden folder, where the users had no access to. Interestingly the authorization was given, when I marked the Manage Flag in the role. Not sure if this is a bug or a feature.

       

      Sorry for wasting your time and thank you for the wiki.

       

      Joe

      Stephen Folan

      Hi Matthew,

       

      Excellent work as always!

       

      There seems to be an issue downloading the slide deck from SlideShare - even with a LinkedIn account it gives the message "oops something went wrong, try again later". I've tried since Monday.

       

      Is it possible to share on another platform?

       

      Thanks,

      Stephen

      Sam Szafranski

      Hi Matthew,  excellent documentation all across.

      However, on this page, the link to the webinar recording is merely directing to the subscription page.  https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Concepts+and+Best+Practice

      On the same page, the link to Mapping Team Attributes is broken.

      Would really appreciate in-depth how-to info on this since we are linking Azure AD to SAC as an IdP.

      Thanks for the update !

      Sam

      Matthew Shaw
      Blog Post Author

      Thank you Sam

      Thank you for mentioning the broken link. I've corrected that now in the wiki, thank you.

      Hopefully the other references at https://help.sap.com/viewer/2b1aa527e2d74066a1519322d7135634/1.0/en-US/de01f5a869844c9fa47eebb4df7d3271.html?q=enabling%20saml%20single%20sign-on will give you the details for Azure setup. It's always worth doing a quick search, I've just found this blog which might be suitable for you: https://blogs.sap.com/2019/08/19/integrating-sap-analytics-cloud-with-azure-ad-saml/

      Thanks again, Matthew

      Anirudh Srinivasa Varadhan

      Hi Matthew,

      Super informative blog on the possible scenarios in a SAC system. If I understand the "ONLY Concurrent License" scenario correctly, the recommendations are as follows:

      1. Assign a Default role to all users so that they consume a Concurrent license.
      2. Assign a Role to the User directly as an inheritance via TEAMS is not possible in a "Only Concurrent" scenario
      3. Then add the User to the TEAM

      Since Roles define the rights within an application and TEAMS define whether an application is accessible - How will an only Concurrent Scenario work when a Role cannot be assigned directly to a team?

      Example:

      1. User A has a concurrent BI license
      2. User A can Create/Edit in Project A Folder but only view in Project B Folder
      3. Hence, User A has a view Role as well as an Edit Role assigned via Security->Users
      4. If the User A is added to both TEAM A and TEAM B, how does the assignment Role to TEAM take place in this scenario?

      Would be obliged if you could elaborate on this scenario.

      Thanks & Best regards,

      Anirudh

      Matthew Shaw
      Blog Post Author

      Hello Anirudh

      Many thanks for your feedback.

      This topic is super complex and so you need to find my other blog and its related wiki article that goes into incredible detail on this. The blog is https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ and it links to a wiki article where you can download a PPT version too.

      I suggest you review that and then you should make sense of my answers here:

      Q1: "Assign a Default role to all users so that they consume a Concurrent license."

      A1: Yes, that's a very good idea when you have a mix of concurrent and named user licenses.

       

      Q2 "Assign a Role to the User directly as an inheritance via TEAMS is not possible in a “Only Concurrent” scenario"

      A2: Incorrect. Inheritance via a team makes no difference to the type of license a user consumes. You can have teams with members that are concurrent and also named. But watch out for gotchas!

       

      Q3 "Then add the User to the TEAM"

      A3 Well, the workflow is complex and there are gotchas if you don't watch out. So follow my blog/wiki article and it goes through the various workflows and it points out all the gotchas. The article has a number of summaries and best practices too.

       

      Q4 "If the User A is added to both TEAM A and TEAM B, how does the assignment Role to TEAM take place in this scenario?"

      A4 As normal. There's no such thing as a concurrent team, or a named user role. Teams and roles are independent of the 'Business Intelligence' license type, but there are gotchas, as I explain in the article, you need to be aware of. Check out the article. Can I suggest you post any follow-up related question about licenses with roles/teams etc. to that blog, only so others can find it and benefit from it and my reply.

      Thank you Matthew

      Luiz Fiuza

      Is the following recommendation from the Security Concept Best Practices still applicable for the current SAC version?

      • "Use normal Public Folders, avoid Team Folders"
      • "Teams can have their own folder, but generally more problematic than beneficial"

      I am aware that there were some issues with the Team Folders before (e.g. Content Network transport), but these should have been already solved for a while.

       

      Matthew Shaw
      Blog Post Author

      Luiz

      Many thanks for your question. You're spot on, there are many improvements that have been made and whilst I've updated the related article, it needs a bit of a refresh to understand the exact position.

      I don't have the time now to update the article, but I can give an update about this particular point here. Hope this is ok.

      Currently (January 2022), almost all the gaps have been closed between the features/functions of a team folder compared to a regular public folder. But there is one, probably minor for most:

      • The Permissions API that manages security (https://api.sap.com/api/Story_API/resource) does not cover Team folders. This means you can't use the API to update or change the permissions, via the API, to update the Team folders and their content.

      Other than that, I'm not aware of anything else. If you find something, then please do let me know so others can benefit.

      All the best, Matthew

      Olympia Kastelianou

      Hello all,

      How can we assign a role to a team?

      Thank you!

      Matthew Shaw
      Blog Post Author

      Hello Olympia

      Many thanks for your question. Correct, you can not assign a role to a team, since roles can not be members of a team.

      You can though assign both users and teams to a role and this article explains this. The article introduced in my blog https://blogs.sap.com/2020/03/10/sap-analytics-cloud-managing-licenses-with-roles-and-teams/ provides a step-by-step process for doing both.

      I hope this helps, regards, Matthew