SAP Analytics Cloud – Roles & Access Management
In the post below, I take the opportunity to share the understanding I gained while working as an SAC Roles and Access Control Consultant. The post gives an overview of the key components and the new terminology used in SAP Analytics Cloud that are relevant for setting up access. Along with that, I also show how the access controls work together as a combination of SAC Roles and Folder permissions. So let's have a quick start!!!
SAP Analytics Cloud (SAC) is one of the latest enterprise cloud solutions provided by SAP for planning and predictive analysis. One of the key aspects of SAC authorization management is the control of folder access for an individual user or a team (group of users) through permissions defined under SAC roles and under SAC folders. The folders hold content such as dashboards and stories.
SAC can be built on a single-tenant or a multi-tenant environment depending on the license procured by an organization. It is recommended to have a multi-tenant environment; otherwise change management becomes a challenge. From an access management perspective there is no transport management required in the system for role changes; control is more operations based. This means that role changes in a single-tenant environment take effect immediately at the time of the change.
SAC access management involves new terminology compared to other worlds like S4H or ECC. Please find below the reference of access-related terms and their meaning in SAC. The
- SAC Role: Roles define a specific set of permissions for user types within SAP Analytics Cloud. Access developers can define these roles based on the product features each user type can access, for example ‘System Administrator’ or ‘Content Creator’. Each of these user roles has its own permission levels for what it can access, delete, modify, etc.
- Team: Teams can be used to group users together. Teams can be based on regions or functional areas according to the client’s organizational structure. A user can belong to more than one team. Role management can also be performed through Teams (i.e. roles are assigned to teams, users are assigned to teams, and users inherit the roles assigned to the teams of which they are a member).
- Team Folder: When a Team is created in SAC, there is an option (selected by default) to create a system-generated team folder, in which any member of that Team can create, edit and delete folders/objects. In this scenario there is a risk of multiple versions of the truth and non-standard reports being created. We can prevent the creation of team folders by unchecking or disabling the default folder creation at the time of creating a new Team.
- Public Folder: Public is the root folder and contains all sub-folders under it. Access to “environments” and Team Areas is managed through folder permissions. Users will not be directly assigned to folders; folder access will be administered strictly through teams.
- User Folder: A “private” folder for every user of SAC. Here the user can create as many stories and sub-folders as they want within their private folder, but cannot share or save to a Team Folder. If a user is deleted from SAC, the respective User Folder is also deleted.
Security Role Concepts: Roles within SAP Analytics Cloud define permissions for user types, and these can be based on the product features that each user type can access. SAP delivers the following standard roles with the product:
BI Content Viewer: This is a standard SAP role meant for read-only privileges.
BI Content Creator: This is a standard SAP role meant for content creation in SAC.
BI Admin: This is a standard SAP role which holds all permissions available in the system and is a super user role.
System Owner: Only one technical user in the system can be mapped to the System Owner role at a time.
One can have custom roles based on the access segregation requirements. For example, we can have User Admin and Role Admin roles as derivatives of BI Admin by restricting permissions on User and Role.
- Any role in the system, i.e. standard or custom, can be classified as the Default role. Whenever a user is created in the system, the system assigns the defined default role to the user account on its own.
- No explicit or manual assignment of default role is required.
- User ID and Email address are the mandatory fields to be maintained to allow user creation in SAC.
- All characters of the email address need to be in lower case.
Folder Permission Concepts: The second principle considered here while concluding the access design approach for SAC is that users can access SAC folders through assignments based on Teams or as individuals. The Team-based folder access strategy involves less administrative effort, but the choice depends on the requirements of the customer. The snapshot of possible folder access controls from the system is as below:
In the pictorial representation below, we have tried to show a possible example of how the combination of permissions flows to users and allows access to the content within a SAC folder.
In the example, the roles are assigned to teams and not to users directly. Based on the user’s mapping to a team, the user gets access to the roles and the underlying folder permissions.
As stated earlier, SAC Roles and Folder Permissions work together to establish a controlled access environment.
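To make that combination concrete, here is a small Python model I have added for illustration; it is not SAC’s API or any code from SAP, and the team, folder and user names in it are constructed (only the two standard role names come from the post). It evaluates a user’s effective access the way the post describes: roles reach the user only through team membership, folder permissions are granted to teams rather than users, and an action on a story in a folder is allowed only when both a role permission and a folder permission are present.

```python
from dataclasses import dataclass, field

# Hypothetical model of the SAC access concepts described in the post.
# It is illustrative only and does not reflect the real SAC data model or API.


@dataclass(frozen=True)
class Role:
    """A role carries feature permissions as (object_type, action) pairs."""
    name: str
    permissions: frozenset


@dataclass
class Team:
    """Roles are assigned to teams; users inherit them through membership."""
    name: str
    roles: set = field(default_factory=set)
    members: set = field(default_factory=set)


@dataclass
class Folder:
    """Folder permissions are granted to teams, never to users directly."""
    path: str
    team_actions: dict = field(default_factory=dict)  # team name -> {action}


def roles_for_user(user, teams):
    """Union of the roles of every team the user belongs to."""
    return {role for team in teams if user in team.members for role in team.roles}


def feature_permissions(user, teams):
    """Flatten the inherited roles into one set of (object_type, action)."""
    return {perm for role in roles_for_user(user, teams) for perm in role.permissions}


def folder_actions(user, folder, teams):
    """Actions the user can perform in the folder via any of their teams."""
    allowed = set()
    for team in teams:
        if user in team.members:
            allowed |= folder.team_actions.get(team.name, set())
    return allowed


def can(user, action, folder, teams, object_type="story"):
    """Both controls must agree: a role permission AND a folder permission."""
    has_role_perm = (object_type, action) in feature_permissions(user, teams)
    has_folder_perm = action in folder_actions(user, folder, teams)
    return has_role_perm and has_folder_perm


# Constructed sample data: standard role names from the post, everything
# else made up for the example.
VIEWER = Role("BI Content Viewer", frozenset({("story", "read")}))
CREATOR = Role("BI Content Creator", frozenset({
    ("story", "read"), ("story", "create"),
    ("story", "update"), ("story", "delete"),
}))

TEAMS = [
    Team("Finance Viewers", {VIEWER}, {"alice"}),
    Team("Finance Creators", {CREATOR}, {"bob"}),
    Team("Sales Creators", {CREATOR}, {"carol"}),
]

# "Finance Viewers" is (mistakenly) granted update on the folder, but the
# viewer role does not carry the update permission, so alice still cannot
# update. "Sales Creators" has no grant here, so carol's creator role alone
# does not let her create in this folder.
FINANCE = Folder("Public/Finance", {
    "Finance Viewers": {"read", "update"},
    "Finance Creators": {"read", "create", "update", "delete"},
})


def access_matrix(folder, teams, users=("alice", "bob", "carol")):
    """Per-user summary of the story actions allowed in the folder."""
    actions = ("read", "create", "update", "delete")
    return {u: {a for a in actions if can(u, a, folder, teams)} for u in users}


if __name__ == "__main__":
    for user, allowed in access_matrix(FINANCE, TEAMS).items():
        print(f"{user:6} -> {sorted(allowed) or 'no access'}")
```

The two deliberate mismatches in the sample data are the cases worth checking in a real design review: a folder grant that exceeds what the role allows has no effect, and a powerful role with no folder grant gives no access to that folder.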
SAC Access Workflow:
SAC also allows an access provisioning workflow under its Self Service feature. One can define the roles and the owner/manager workflow for access updates. Once the workflow is complete, the access of an individual is updated in the system.
Data Level Controls:
The stories or dashboards show information as output based on the data controls at the SAC level or in the corresponding backend S4 or BW system.
One possible scenario is that the SAC application controls allow access to content like dashboards and stories, whereas the data controls are maintained in the backend system, which can be S4 or BW.
This brings my first blog to its conclusion, which can be summarized as: Users, Teams, Roles and Folder Permissions tie together for a well-controlled SAC environment. While designing SAC security, the single-tenant or multi-tenant environment has an impact on the change control of these components, as we mentioned that there is no transport mechanism for roles in a single-tenant infrastructure.
In the next blog we shall take a quick look at Mass User Creation in SAC. I hope the reading was helpful in understanding the key security/access components of SAC. Thanks for your time; please share your valuable comments or queries. More than happy to answer!!!
Please refer to help.sap.com for reference content in this regard.
Hello Sankalp Gupta,
Thank you for your KT.
Is there any relation between user roles assigned in the backend BW system and roles assigned in SAC?
In other words, can I restrict user access on SAC by assigning user roles in the backend Netweaver system?
SAC and BW roles are independent; therefore the roles assigned in BW will not have an effect on the role in SAC. However, the access a user has to BW data is of course still valid in SAC.
The "Connection" will then of course be the user starting from SAC and querying BW.
It would be interesting for me also to know…
Good one, very informative.
Is it possible to maintain security at the page level? Like some users can see a page in a story while some should not. Is this feasible?
Hi Sayed, this is not possible. Sharing settings are on Story level.
Thank you for the very informative blog. Have you written your mass user access blog? We are very interested in that.
Is it possible to restrict at field level? In BW, using Analysis Authorization, we can restrict some key figures at the report level. How can this be achieved in SAP SAC?