Technical Articles
SAC Data Restriction/Security with Roles or Data Access Control
This article describes how to deliver data restriction with SAC Security and Acquired Model. It answers a question like what available methods we can use to restrict data by authorization relevant.
Table contents:
- Introduction
- Restricting data with Data Access Control
- Restricting data with Roles
- Conclusion
Introduction
Roles or Data Access Control (DAC) can restrict data access. It needs Team as part a setup. I also put the reference if you want to understand further on SAC Security Components such as Roles, Team, User, Folder Security.
The scenario for this articles is a Headcount Planning and Acquired Model. It has a Country’s inputter/forecaster therefore each inputter restricted by the country relevant. The Acquired Model has a following dimensions: Employee, cost_center, headcount_account, date, country
Restricting data with Data Access Control
Data access control needs model set up.
Goto Model -> Model Preferences -> Access and Privacy -> Data Access Control in Dimension -> enable Country for Data Access Control.
Enable Country for Data Access Control
Next step is to maintain who can access the Country Data in Country Dimension.
Goto Model -> Model Structure -> Click Country Dimension (Left Panel: Dimension List)-> it direct to Country DimeBannsion Member list.
Column Read and Write are available in the dimension.
Please Maintain Read or Write or both based on the requirement. It can have single/multiple Team, User ID. By maintaining read or write, Data Access is controlled.
Restricting data with Roles
Data restriction also can be controlled by Roles. Your SAC User ID need to have an access to relevant access for SAC security related such as change roles, user, etc.
Goto model -> model preference-> enable model privacy (highlighted with yellow) then save the model.
If it is enabled, you be able to set up the model in the SAC Roles.
Next, it needs setup Roles.
Goto Menu -> security -> roles -> create new roles (if you don’t have a role yet)
Goto Model tab -> select the model
-> maintain Read and write.
Multiple Dimension can be maintained at read and write. And the beauty is the data access can be set up by dimension property.
The final step is you need to assign the role into either team or the user ID.
*** I found if I am a model owner, I still can see all data countries in model. I need to get my colleague to create a model so I can test the security setup.
Conclusion
Data Access setup is important as it control the data confidential and it also improve the performance since Users only works with the smaller data where the data is relevant for them. Personal opinion, the roles looks more centralized setup so security team can own it.
And yet, you also can do hybrid (both of them) to deliver your requirement.
How do you setup your Acquired model security? Perhaps, you can add it into the comment.
Thanks for visiting my blog,
Cheers,
references:
https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Concepts+and+Best+Practice
This blog definitely has all of the information and facts I needed concerning SAP SCM if you want to learn SAP SCM Online Training so you can join ShapeMySkills Pvt. Ltd.
Thanks
Thanks for visiting the blog
It's really useful! I read it all and it's really good information. Thanks for this wonderful article!
Your most welcome and thanks for visiting this blog.
cheers,
Really good article. I want to use the Data Access control for the first time and want some head up! This blog helped me to start
Hi Daniel Nurindra,
regarding this thought:
I suggest you have one or more Demo Users registered to your SAC. These users should be registered on separate demo mail adresses as well, to make sure they aren't connected directly to certain people and be available for all developers or training sessions.
Hi Daniel Nurindra, to be honest I´m not happy with both concepts DAC and Roles because both have pros and cons.
DAC
+) simple configuration
+) Allows to provide access incl. usage of hierarchies (means I can define access on a certain level and all leaf nodes and leaf members are included)
-) Using DAC for a dimension is set for all models using this dimension, which means you get dependencies between models which you maybe don´t want.
-) DAC uses logical AND conditions between the dimensions, which means you can´t define complex conditions
Roles
+) allow to define complex conditions
+) support of ISCURRENTUSER allows dynamic configuration
+) individual definition per model without dependencies
-) no support of defining conditions on hierarchy nodes, only leaf members are supported which causes efforts to maintain
-) no support of teams
I´m personally tend always to use roles because I´m less limited, but configuration needs more efforts and there are some limitations (e.g. using hierarchies).
Any other pro´s and con´s you have experienced?
Regards,
Thomas
We need to put security on attributes and this can be done only when we control it by roles. For instance, we put a filter in the role by country. The problem is that the unbooked data are not filtered accordingly to the roles, we see all the countries. Instead if we apply a story filter, in the members list we see only the country set in the role.
If we control the security by Data Access Control the unbooked data are filtered correctly because we enable the option Hide Parents, but with this option we can't put security on attributes.
Do you know if there is any solution for this problem?
We also need same kind of solution. Do we have any update on this or anyone ahs any idea?
Good afternoon,
How do you keep track of DAC access before cycles - is their a way the user can view with a glance what access she / he has and make a call if additional access is required or need to be removed - we manage this via a story but the users / heads want to see this at a glance.
Thanks, Mel