Skip to Content
Technical Articles
Author's profile photo Kirtee Andanigoudar

SAP Data Warehouse Cloud: Creating the Data Access Control (DAC)

By now we are aware of Data Access Control (DAC) in SAP DWC which allows the row level security for data access. However, in this blog I would like to bring a new approach on the same.


The Data Access Control is primarily setup to restrict the access to Business data in a report for any user based on their assigned authorizations

Usually, every organization has one defined Org value in their SAP landscape which can be a Company code, cost center or a plant. For our example let’s take Company code as the Org value. This Company code will be considered to setup DAC in DWC restricting the access to each user with their assigned company code.


Now we need to have a list of users along with their access for specific company codes to create the DAC in DWC, for this we need the following:

  1. Table for User/Assigned roles: AGR_USERS
  2. Table for Roles/Org field: AGR_1252
  3. A final View with the combined data of the above tables

Technical Details:

Creation of the View for User Data:

Step 1:

  1. Before jumping into DWC, we need to finalize the fields for joining and understand if the required data is being generated with the table join.
  2. The easiest way to check this is in transaction SQVI in the backend SAP system
  3. As you can see, in the final output, we are getting the required data of
    1. Username
    2. Org Value
    3. Role
    4. Org levelPlease note that the Step 1  mentioned above is my own way of designing the DAC which helped me to visualize the data I wanted in the DAC.

Step 2:

  1. Now moving to DWC to create the View with the same data as in the previous step
  2. Go to DWC -> Data Builder -> Select the Space -> Create Graphical View
  3. In the sources, select the Connections -> System -> ABAP Table by table name -> AGR_USERS, drag and drop the table.Please note if the table is being used in a View for the first time, then you will get a pop up of “Import and Deploy”, confirm the same.
  4. Then select the table AGR_1252, drag and drop it on the table 1 to establish the join
  5. In the details of the View, you can see the Key associations, for our requirement the “Role Name” is important
  6. Please select the required columns as seen in the screenshot below:
  7. Save and deploy the View

          You will be notified, once the View is deployed successfully

Step 3:   Click on Preview data to check the data:

Step 4:   To filter the data only on specific Org level, we have to setup a filter in the View.

For our example, we have considered CC (company code) for which we will set the filter for the Org level “$BUKRS”

The validation check message as highlighted in the above screen shot should be green for filter validation. Please save and deploy the View.

Once deployed, we can check in the Data preview:

Creation of the Data Access Control:

Step 1: Go to DWC -> Data Access Control -> New Data Access Control, specific a technical name

Step 2: Select the table or the view for creating the DAC

Once the View is added, select the fields which are needed in DAC:

Username, Org Level, Org value (CC)

Please note the “Identifier Column” should be “User Name” as default.

Step 3: Save and deploy the DAC, now the Data Access Control is ready to be integrated in any DWC view.


The DAC is now available to be integrated in a View containing Business data/ Critical data to restrict the access based on the authorizations assigned to the users.

Some of the important points to be noted is that DAC is specific to each Space in DWC for now and cannot be shared. However, the View that is created for the DAC can be shared in between different Spaces if the connections have same name. We might expect new features for the unified DAC to be shared in different Spaces in  the future from SAP which will updated in the blog as and when it is available.

We will update the integration of DAC into the Model/View in the upcoming blogs.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Lakshmi R
      Lakshmi R

      Great explanation about DAC in SAP DWC. Easily everyone can understad this scenario. Keep it up:).

      Author's profile photo Tobias Meyer
      Tobias Meyer


      I have some questions.


      • Why do not use the standard SAP Import of Authorizations into DWC?
      • How can you use the "TEST_02" user instead of the real email address the user is logged into?
      • The * is not working at the moment in Data Warehouse Cloud, you have to add all elements or am I missing here something?

      Best regards,



      Author's profile photo Kirtee Andanigoudar
      Kirtee Andanigoudar
      Blog Post Author

      Hi Tobias,

      Please find the answers mentioned below:

      • The SAP Import of Authorizations into DWC only allows to import User with assigned roles not users with org level authorizations
      • I had to use the test user for taking the snapshot from the system
      • DWC does not recognize * but we can write a SQL script to mimic the * access.




      Author's profile photo Tobias Meyer
      Tobias Meyer

      Hi Kirtee,

      thanks for the answer. Just to make it clear in the future for other reads, that the email address is needed and not the username.

      But when you use the * in SQL/SQLScript you can not use the DAC. You could only use it in the where clause or am I wrong?




      Author's profile photo Kirtee Andanigoudar
      Kirtee Andanigoudar
      Blog Post Author

      Hi Tobias,

      Sorry I misunderstood your question. The username also works along with email address in DWC and SAC as well, in fact we can authenticate via User ID in SAML setup allowing the Usernames to reflect in DWC/SAC tenants.

      Please refer the blog

      Of course we can use DAC even when we use SQL script to create a view for DAC. It works as expected.

      I am happy to connect in call to answer further questions to avoid the confusion.



      Author's profile photo Tobias Meyer
      Tobias Meyer

      Hi Kirtee,

      thanks for clearing it up. We also have SAML, but we use the email to identify. Therefore, my question.

      I will check how we can use the * authorizations. Here is a similar approach to your solution.

      Best regards,