Skip to Content
Technical Articles

SAC Data Restriction/Security with Roles or Data Access Control

This article describes how to deliver data restriction with SAC Security and Acquired Model.  It answers a question like what available methods we can use to restrict data by authorization relevant. 

Table contents: 

  1. Introduction
  2. Restricting data with Data Access Control
  3. Restricting data with Roles
  4. Conclusion

Introduction

Roles or Data Access Control (DAC) can restrict data access. It needs Team as part a setup. I also put the reference if you want to understand further on SAC Security Components such as Roles, Team, User, Folder Security. 

The scenario for this articles is a Headcount Planning and Acquired Model. It has a Country’s inputter/forecaster therefore each inputter restricted by the country relevant. The Acquired Model has a following dimensions:  Employee, cost_center, headcount_account, date, country

Restricting data with Data Access Control

Data access control needs model set up. 

Goto Model -> Model Preferences -> Access and Privacy -> Data Access Control in Dimension -> enable Country for Data Access Control. 

Enable%20Country%20for%20Data%20Access%20Control

Enable Country for Data Access Control

 

Next step is to maintain who can access the Country Data in Country Dimension. 

Goto Model -> Model Structure -> Click Country Dimension (Left Panel: Dimension List)-> it direct to Country DimeBannsion Member list. 

Column Read and Write are available in the dimension. 

Please Maintain Read or Write or both based on the requirement. It can have single/multiple Team, User ID. By maintaining read or write, Data Access is controlled.  

Restricting data with Roles

Data restriction also can be controlled by Roles. Your SAC User ID need to have an access to relevant access for SAC security related such as change roles, user, etc. 

Goto model -> model preference-> enable model privacy (highlighted with yellow) then save the model. 

If it is enabled, you be able to set up the model in the SAC Roles. 

Next, it needs setup Roles.

Goto Menu -> security -> roles -> create new roles  (if you don’t have a role yet) 

Goto Model tab -> select the model  

 

-> maintain Read and write.  

Multiple Dimension can be maintained at read and write. And the beauty is the data access can be set up by dimension property. 

The final step is you need to assign the role into either team or the user ID. 

*** I found if I am a model owner, I still can see all data countries in model. I need to get my colleague to create a model so I can test the security setup. 

Conclusion 

Data Access setup is important as it control the data confidential and it also improve the performance since Users only works with the smaller data where the data is relevant for them.  Personal opinion, the roles looks more centralized setup so security team can own it. 

And yet, you also can do hybrid (both of them) to deliver your requirement. 

How do you setup your Acquired model security? Perhaps, you can add it into the comment. 

Thanks for visiting my blog,

Cheers, 

 

references:

https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Concepts+and+Best+Practice

5 Comments
You must be Logged on to comment or reply to a post.