SAP HANA Cloud – Analytic Privileges (A step-by-step guide)
Analytic privileges prevent users from viewing sensitive data for which they are not authorized. They control data access in calculation views by filtering the data based on the values of one or more attributes.
User A is responsible for sales data for one sales office/region only, say Gurgaon, and must not have access to sales data for any other office/region. Similarly, User B and User C are responsible for sales data for the Mumbai and Bangalore sales offices/regions respectively and must not have access to sales data for any other office/region.
- BTP Onboarding.
- User has access to Business Application Studio.
- Project created.
- User has access to assign roles.
Process1: Create Analytic Privileges
Step1: Login to Cloud Foundry
Open Business Application Studio (BAS)
Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)
Note: Make sure your Cloud Foundry endpoint is correct.
Select Cloud Foundry Organization and Space, click Apply.
Step2: Create Analytic Privilege folder under src
Navigate to project folder (path to create analytic privilege) and create Analytic Privilege folder.
Step3: Create .hdbanalyticprivilege file under Analytic Privilege folder
Create a .hdbanalyticprivilege file (SALES_VIEW_GURGAON.hdbanalyticprivilege) to restrict users to the Gurgaon sales office.
Step4: Add Models
Click the Add button under Secured Model and search for the calculation view to secure.
Step5: Add Attributes
Click the Add button under Associated Attributes Restriction and select the field to restrict.
Click the Restriction button under Restriction Type and search for the field value to restrict on.
Similarly, create Analytic Privilege for other sales regions/offices e.g. Mumbai and Bangalore
Before deploying the Analytic Privilege, we have to enable/map SQL Analytic Privileges in our selected Calculation View. Navigate to Calculation View -> Semantics -> View Properties -> General -> Apply Privileges
Click the rocket (deploy) button. Deploy the calculation view first, then deploy all the analytic privileges.
Analytic Privileges deployed and created successfully.
Process2: Role Creation
Step1: Create .hdbrole
Navigate to the roles folder under src (create the roles folder if it is missing) and create a .hdbrole for the Gurgaon sales region/office. Assign the object privilege (on the selected calculation view) and the analytic privilege.
Step2: Create .hdbroleconfig
Create .hdbroleconfig file under roles folder for Gurgaon sales region/office and assign reference schema
Similarly, create and deploy roles for Mumbai, Bangalore sales regions/offices
Process3: Assign roles to users
Step1: Login to SAP HANA Cockpit
Open SAP BTP Cockpit and Launch SAP HANA Database Explorer
Step2: Open SQL Console & execute commands
Execute below SQL commands to assign roles to users
Roles successfully assigned to users i.e. KK-GURGAON, KK-MUMBAI, KK-BANGALORE, KK
Step1: Login to HANA Database Explorer and validate the result for user KK
Check if user has access to view sales data for all the sales regions/offices
User has access to view sales data for all the sales regions/offices
Step2: Login to HANA Database Explorer and validate the result for user KK-GURGAON
Check if user has access to view sales data only for Gurgaon sales region/office
User has access to view sales data only for Gurgaon sales region/office
Step3: Login to HANA Database Explorer and validate the result for user KK-MUMBAI
Check if user has access to view sales data only for Mumbai sales region/office
User has access to view sales data only for Mumbai sales region/office
Step4: Login to HANA Database Explorer and validate the result for user KK-BANGALORE
Check if user has access to view sales data only for Bangalore sales region/office
User has access to view sales data only for Bangalore sales region/office
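The same validation can be done with queries instead of by eye. The following is an added example, not part of the original post: <CONTAINER_SCHEMA>, <CALC_VIEW> and the column "SALES_OFFICE" are placeholders to replace with your HDI container schema, the runtime name of the secured calculation view and the restricted attribute.

```sql
-- Added example (not from the original post). Replace the placeholders
-- <CONTAINER_SCHEMA>, <CALC_VIEW> and "SALES_OFFICE" (assumed attribute
-- name) with the values from your own project before running.

-- 1. Run as a security administrator: list the roles each test user
--    holds. Every regional user should hold only its own regional role;
--    an extra role that carries a wider analytic privilege would
--    silently widen what the user can see.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE IN ('KK-GURGAON', 'KK-MUMBAI', 'KK-BANGALORE', 'KK')
 ORDER BY GRANTEE, ROLE_NAME;

-- 2. Run as a security administrator: show which analytic (structured)
--    privileges the database evaluates for one user on the secured view.
--    This system view must be filtered on the root object and the user.
--    Repeat with USER_NAME set to each of the other users.
SELECT *
  FROM EFFECTIVE_STRUCTURED_PRIVILEGES
 WHERE ROOT_SCHEMA_NAME = '<CONTAINER_SCHEMA>'
   AND ROOT_OBJECT_NAME = '<CALC_VIEW>'
   AND USER_NAME        = 'KK-GURGAON';

-- 3. Run while logged in as each user in turn: count rows per sales
--    office. KK-GURGAON, KK-MUMBAI and KK-BANGALORE should each get a
--    single row for their own office; KK should get one row per office.
--    Any additional row for a regional user means the restriction is
--    not being applied.
SELECT "SALES_OFFICE", COUNT(*) AS ROW_COUNT
  FROM "<CONTAINER_SCHEMA>"."<CALC_VIEW>"
 GROUP BY "SALES_OFFICE"
 ORDER BY "SALES_OFFICE";
```

Keeping the output of query 3 per user gives a record of the access test that can be re-run after every redeployment of the calculation view or roles.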
Analytic privileges allow the same calculation views to be used by different users who might not be allowed to see the same data. I hope this article helps you meet your business requirement of preventing users from viewing sensitive data for which they are not authorized.
List of Important Notes:
- 2467056 – No calculation view shows up in drop-down list in SAP Analytics Cloud using Live Data Connection to SAP HANA
List of Important Links:
- SAP HANA Cloud, SAP HANA Database Security Guide
- SAP HANA Cloud, SAP HANA Database Developer Guide for Cloud Foundry Multitarget Applications (SAP Business App Studio)
Feedback, questions and comments are most welcome!
Please follow my profile for future posts on SAP Security and GRC. You can also follow me on LinkedIn.
Very nice blog.
May I ask a question about step 2 in "Process3: Assign roles to users": what privilege or role does a user need to assign an analytic privilege to other users? I see you used DBADMIN, right? Does DBADMIN have privileges for all analytic privileges?
Thanks for your feedback.
When you map the Analytic Privileges into the .hdbrole, and if any user has the SYSTEM Privilege (ROLE ADMIN) access, then that user can assign the role associated with the Analytic Privileges to other users.
I hope it answers your question.
Note: It is always recommended to avoid using DBADMIN for day-to-day activities.
Thanks Krishan, it's very helpful for me to get started for analytics privileges with this blog.👍
You're welcome 🙂
Thanks for the blog, it's helpful.
In my current project I have implemented analytical privileges in HANA Cloud in exactly the same way. I assigned analytical privileges to a user and am able to run the report from HANA Explorer and get the results, whereas running it from AFO fails with the error "Not Authorized (42017)".
It seems to be an issue with the HAA configuration. Did you come across this kind of issue? Please help.
The user has the right access in BTP and HANA Cloud. The user is able to run other reports (without analytical privileges) through AFO.
Thanks for your feedback.
Apologies, I didn't explore AFO integration with HANA Cloud, will keep you posted in case I get something on this.