Author: Krishan .

SAP HANA Cloud – Analytic Privileges (A step-by-step guide)

Introduction

Analytic privileges prevent users from viewing sensitive data for which they are not authorized. They control data access in calculation views by filtering the data based on the values of one or more attributes.

Figure1: Process Flow

Business Scenario:

User A is responsible for sales data for one sales office/region only, say Gurgaon, and must not have access to sales data for any other office/region. Similarly, User B and User C are responsible for sales data only for the Mumbai and Bangalore sales offices/regions respectively, and must not have access to sales data for any other office/region.

Pre-requisite:

  • BTP Onboarding.
  • User has access to Business Application Studio.
  • Project created.
  • User has access to assign roles.

Process1: Create Analytic Privileges

Step1: Login to Cloud Foundry

Open Business Application Studio (BAS)

Figure 2: Business Application Studio

Log in to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)

Figure 3: Login to Cloud Foundry

Note: Make sure your Cloud Foundry endpoint is correct.

Select the Cloud Foundry organization and space, then click Apply.

Figure 4: Select target Cloud Foundry Org. and Space

Step2: Create Analytic Privilege folder under src

Navigate to the project folder (the path where the analytic privilege will be created) and create an Analytic Privilege folder.

Figure5: Analytic Privilege Folder

Step2: Create .hdbanalyticprivilege file under Analytic Privilege folder

Create a .hdbanalyticprivilege file (SALES_VIEW_GURGAON.hdbanalyticprivilege) to restrict users to the Gurgaon sales office.

Figure6: .hdbanalyticprivilege File

Step3: Add Models

Click the Add button under Secured Model and search for the calculation view to secure.

Figure7: Search Calculation Views

Step4: Add Attributes

Click the Add button under Associated Attributes Restriction and select the field to restrict.

Figure8: Select Field

Click the Restriction button under Restriction Type and search for the field value to restrict.

Figure9: Select Field Value

Similarly, create analytic privileges for the other sales regions/offices, e.g. Mumbai and Bangalore.

Before deploying the analytic privileges, enable (map) SQL Analytic Privileges in the selected calculation view: navigate to Calculation View -> Semantics -> View Properties -> General -> Apply Privileges. Without this setting the view performs no analytic privilege check, so the restrictions defined above would not be enforced.

Figure10: Map SQL Analytic Privileges

Click the rocket (deploy) button. Deploy the calculation view first, then deploy all analytic privileges.

Figure11: Deploy Analytic Privilege

The analytic privileges are now deployed and created successfully.

Process2: Role Creation

Step1: Create .hdbrole

Navigate to the roles folder under src (create the roles folder if it is missing) and create a .hdbrole file for the Gurgaon sales region/office. Assign the object privilege (on the selected calculation view) and the analytic privilege.

Figure12: .hdbrole

Step2: Create .hdbroleconfig

Create a .hdbroleconfig file under the roles folder for the Gurgaon sales region/office and assign the reference schema.

Figure13: .hdbroleconfig

Similarly, create and deploy roles for the Mumbai and Bangalore sales regions/offices.

Process3: Assign roles to users

Step1: Login to SAP HANA Cockpit

Open SAP BTP Cockpit and launch SAP HANA Database Explorer.

Figure14: SAP BTP Cockpit

Step2: Open SQL Console & execute commands

Execute the SQL commands shown in Figure 15 to assign the roles to users.

Figure15: Role Assignment

The roles are successfully assigned to the users, i.e. KK-GURGAON, KK-MUMBAI, KK-BANGALORE and KK.

Process4: Validation

Step1: Login to HANA Database Explorer and validate the result for user KK

Check if the user has access to view sales data for all the sales regions/offices.

Figure16: All sales offices access

The user has access to view sales data for all the sales regions/offices.

Step2: Login to HANA Database Explorer and validate the result for user KK-GURGAON

Check if the user has access to view sales data only for the Gurgaon sales region/office.

Figure17: Only Gurgaon sales office access

The user has access to view sales data only for the Gurgaon sales region/office.

Step3: Login to HANA Database Explorer and validate the result for user KK-MUMBAI

Check if the user has access to view sales data only for the Mumbai sales region/office.

Figure18: Only Mumbai sales office access

The user has access to view sales data only for the Mumbai sales region/office.

Step4: Login to HANA Database Explorer and validate the result for user KK-BANGALORE

Check if the user has access to view sales data only for the Bangalore sales region/office.

Figure19: Only Bangalore sales office access

The user has access to view sales data only for the Bangalore sales region/office.
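The role assignment in Process3 and the checks in Process4 can also be expressed as SQL. The following is an added example, not the statements from the article's screenshots: the schema `SALES_HDI_1`, the role names, the view `CV_SALES`, the column `SALES_OFFICE` and the value `'Gurgaon'` are hypothetical placeholders, and only the user names come from the article.

```sql
-- Added example. Hypothetical names: schema SALES_HDI_1, roles SALES_*,
-- view CV_SALES, column SALES_OFFICE, value 'Gurgaon'.

-- 1) As an administrator with the ROLE ADMIN system privilege:
--    grant each deployed regional role to its user.
GRANT "SALES_HDI_1"."SALES_GURGAON"   TO "KK-GURGAON";
GRANT "SALES_HDI_1"."SALES_MUMBAI"    TO "KK-MUMBAI";
GRANT "SALES_HDI_1"."SALES_BANGALORE" TO "KK-BANGALORE";

-- 2) Review what each user now holds and who granted it.
--    A regional user holding more than one regional role sees the
--    union of the offices those roles allow.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR
  FROM SYS.GRANTED_ROLES
 WHERE GRANTEE IN ('KK-GURGAON', 'KK-MUMBAI', 'KK-BANGALORE')
 ORDER BY GRANTEE, ROLE_NAME;

-- 3) List the analytic (structured) privileges that take effect for one
--    user on the secured view. This system view must be filtered on the
--    root schema, root object and user name.
SELECT *
  FROM SYS.EFFECTIVE_STRUCTURED_PRIVILEGES
 WHERE ROOT_SCHEMA_NAME = 'SALES_HDI_1'
   AND ROOT_OBJECT_NAME = 'CV_SALES'
   AND USER_NAME        = 'KK-GURGAON';

-- 4) Connected as KK-GURGAON: confirm the session user, then list the
--    offices that are actually visible through the view.
SELECT CURRENT_USER FROM DUMMY;

SELECT "SALES_OFFICE", COUNT(*) AS ROW_COUNT
  FROM "SALES_HDI_1"."CV_SALES"
 GROUP BY "SALES_OFFICE";

-- 5) Negative check, still as KK-GURGAON: every row counted here is data
--    the analytic privilege should have filtered out.
SELECT COUNT(*) AS ROWS_OUTSIDE_GURGAON
  FROM "SALES_HDI_1"."CV_SALES"
 WHERE "SALES_OFFICE" <> 'Gurgaon';
```

Repeat steps 3 to 5 for KK-MUMBAI and KK-BANGALORE with their own office value.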

Conclusion

Analytic privileges allow the same calculation views to be used by different users who might not be allowed to see the same data. I hope this article helps you meet your business requirement by preventing users from viewing sensitive data for which they are not authorized.

Feedback, questions and comments are most welcome!!

Please follow my profile for future posts on SAP Security and GRC. Also, follow me on LinkedIn.

Happy Learnings!

Krishan .

      7 Comments
      Jeff Li

      Hi Krishan,

      Very nice blog.

      May I ask a question about step 2 in "Process3: Assign roles to users": what privilege or role does a user need to assign an analytic privilege to other users? I see you used DBADMIN, right? Does DBADMIN have privileges for all analytic privileges?

      Thanks

      Jeff

      Krishan .
      Blog Post Author

      Hi Jeff,

      Thanks for your feedback.

      When you map the Analytic Privileges into .hdbrole and if any user has SYSTEM Privilege (ROLE ADMIN) access, then that user can assign the role associated with the Analytic Privileges to other users.

      I hope it answers your question.

      Note: It is always recommended to avoid using DBADMIN for day-to-day activities.

      Best Regards,

      Krishan Kumar

      Jeff Li

      Thanks Krishan, it's very helpful for me to get started for analytics privileges with this blog.👍

      Krishan .
      Blog Post Author

      You're welcome 🙂

      Kote Akurati

      Hi Krishan,

      Thanks for the blog, it's helpful.

      In my current project I have implemented Analytical privileges in HANA Cloud exactly the same way. I assigned analytical privileges to a user and am able to run the report from HANA Explorer and get the results, whereas running it from AFO fails with the error "Not Authorized (42017)".

      It seems to be an issue with the HAA configuration. Did you come across this kind of issue? Please help.

      The user has the right access in BTP and HANA Cloud. The user is able to run other reports (without analytical privileges) through AFO.

      Krishan .
      Blog Post Author

      Hi Kote,

      Thanks for your feedback.

      Apologies, I didn't explore AFO integration with HANA Cloud, will keep you posted in case I get something on this.

      Best Regards,

      Krishan Kumar

      ashutosh dixit

      Hi Krishan,

      First of all, a very nice and descriptive blog.

      Is there anything, or any blog, for Dynamic Analytical Privileges in BAS?

      Please help me out if possible.

      Thanks

      Ashutosh