Technical Articles
SAP HANA Cloud – Analytic Privileges (A step-by-step guide)
Introduction
Analytic Privileges restrict the user to view sensitive data for which they are not authorized. It is used to enable data access in calculation views by filtering the data based on the values of one or more attributes.
Figure1: Process Flow
Business Scenario:
User A, responsible to see sales data only for Sales Office/Region say Gurgaon and must not have access to see sales data for other office/region. Similarly, User B and User C is responsible to see sales data only for Sales Office/Region Mumbai and Bangalore respectively and must not have access to see sales data for other office/region.
Pre-requisite:
- BTP Onboarding.
- User has access to Business Application Studio.
- Project created.
- User has access to assign roles.
Process1: Create Analytic Privileges
Step1: Login to Cloud Foundry
Open Business Application Studio (BAS)
Figure 2: Business Application Studio
Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)
Figure 3: Login to Cloud Foundry
Note: Make sure your cloud foundry endpoint is correct.
Select Cloud Foundry Organization and Space, click Apply.
Figure 4: Select target Cloud Foundry Org. and Space
Step2: Create Analytic Privilege folder under src
Navigate to project folder (path to create analytic privilege) and create Analytic Privilege folder.
Figure5: Analytic Privilege Folder
Step2: Create .hdbanalyticprivilege file under Analytic Privilege folder
Create .hdbanalyticprivilege file (SALES_VIEW_GURGAON.hdbanalyticprivilege) to restrict user based on Gurgaon Sales Office.
Figure6: .hdbanalyticprivilege File
Step3: Add Models
Click Add button under Secured Model and search the calculation view to secure
Figure7: Search Calculation Views
Step4: Add Attributes
Click Add button under Associated Attributes Restriction and select the field to restrict
Figure8: Select Field
Click Restriction button under Restriction Type and search the field value to restrict
Figure9: Select Field Value
Similarly, create Analytic Privilege for other sales regions/offices e.g. Mumbai and Bangalore
Before deploying the Analytic Privilege, we have to enable/map SQL Analytic Privileges in our selected Calculation View. Navigate to Calculation View -> Semantics -> View Properties -> General -> Apply Privileges
Figure10: Map SQL Analytic Privileges
Click rocket button and deploy Calculation View first and then deploy all Analytic Privileges.
Figure11: Deploy Analytic Privilege
Analytic Privileges deployed and created successfully.
Process2: Role Creation
Step1: Create .hdbrole
Navigate to roles folder under src (create roles folder, if missing) and create .hdbrole for Gurgaon sales region/office. Assign object privilege (selected calculation view) and Analytic Privilege
Figure12: .hdbrole
Step2: Create .hdbroleconfig
Create .hdbroleconfig file under roles folder for Gurgaon sales region/office and assign reference schema
Figure13: .hdbroleconfig
Similarly, create and deploy roles for Mumbai, Bangalore sales regions/offices
Process3: Assign roles to users
Step1: Login to SAP HANA Cockpit
Open SAP BTP Cockpit and Launch SAP HANA Database Explorer
Figure14: SAP BTP Cockpit
Step2: Open SQL Console & execute commands
Execute below SQL commands to assign roles to users
Figure15: Role Assignment
Roles successfully assigned to users i.e. KK-GURGAON, KK-MUMBAI, KK-BANGALORE, KK
Process4: Validation
Step1: Login to HANA Database Explorer and validate the result for user KK
Check if user has access to view sales data for all the sales regions/offices
Figure16: All sales offices access
User has access to view sales data for all the sales regions/offices
Step2: Login to HANA Database Explorer and validate the result for user KK-GURGAON
Check if user has access to view sales data only for Gurgaon sales region/office
Figure17: Only Gurgaon sales office access
User has access to view sales data only for Gurgaon sales region/office
Step3: Login to HANA Database Explorer and validate the result for user KK-MUMBAI
Check if user has access to view sales data only for Mumbai sales region/office
Figure18: Only Mumbai sales office access
User has access to view sales data only for Mumbai sales region/office
Step4: Login to HANA Database Explorer and validate the result for user KK-BANGALORE
Check if user has access to view sales data only for Bangalore sales region/office
Figure19: Only Bangalore sales office access
User has access to view sales data only for Bangalore sales region/office
Conclusion
Analytic privilege allows the use of same calculation views by different users who might not be allowed to see the same data. Hope this article helps you to achieve your business requirement by restricting the user to view sensitive data for which they are not authorized.
List of Important Notes:
List of Important Links:
- SAP HANA Cloud, SAP HANA Database Security Guided
- SAP HANA Cloud, SAP HANA Database Developer Guide for Cloud Foundry Multitarget Applications (SAP Business App Studio)
Feedbacks, questions and comments are most welcome!!
Please follow my profile for future posts on SAP Security and GRC. Also, follow myself via LinkedIn
Happy Learnings!
Krishan .
Hi Krishan,
Very nice blog.
May I have a question about step 2 in "Process3: Assign roles to users", what privilege or role does a user need to assign an analytic privilege to others users, I see you used DBADMIN, right? Does DBADMIN has privileges for all analytic privileges?
Thanks
Jeff
Hi Jeff,
Thanks for your feedback.
When you map the Analytic Privileges into .hdbrole and if any user has SYSTEM Privilege (ROLE ADMIN) access then that user can assign role associated with Analytic Privileges to other users.
I hope it answers your question.
Note: It is always recommended avoid using DBADMIN for day to day activities.
Best Regards,
Krishan Kumar
Thanks Krishan, it's very helpful for me to get started for analytics privileges with this blog.👍
You're welcome 🙂
Hi Krishan,
Thanks for the blog, its helpful.
In my current project i have implemented Analytical privileges in HANA cloud exactly the same way. Assigned analytical privileges to a user, and able to run the report from HANA Explorer, getting the results. Where as running from AFO failing with an error "Not Authorized (42017)".
It seems to be issue HAA configuration, did you come across this kind of issue? please help.
User has right access in BTP, HANA Cloud. User is able to run other reports(without analytical privileges) through AFO.
Hi Kote,
Thanks for your feedback.
Apologies, I didn't explore AFO integration with HANA Cloud, will keep you posted in case I get something on this.
Best Regards,
Krishan Kumar
Hi Krishan,
First of all very nice and descriptive blog.
Is there any thing or any blog for Dynamic Analytical Privileges in BAS.
Please help me out if possible.
Thanks
Ashutosh