SAP Data Warehouse Cloud: Creating the Data Access Control (DAC)
By now we are aware of Data Access Control (DAC) in SAP DWC, which provides row-level security for data access. In this blog, however, I would like to present a new approach to it.
The Data Access Control is primarily set up to restrict access to business data in a report for any user, based on their assigned authorizations.
Usually, every organization has one defined Org value in their SAP landscape, which can be a Company code, cost center or a plant. For our example let’s take Company code as the Org value. This Company code will be used to set up the DAC in DWC, restricting each user's access to their assigned company code.
To create the DAC in DWC, we need a list of users along with their access to specific company codes. For this we need the following:
- Table for User/Assigned roles: AGR_USERS
- Table for Roles/Org field: AGR_1252
- A final View with the combined data of the above tables
Creation of the View for User Data:
- Before jumping into DWC, we need to finalize the fields for joining and understand if the required data is being generated with the table join.
- The easiest way to check this is in transaction SQVI in the backend SAP system
- As you can see, in the final output, we are getting the required data of
- Org Value
- Org level
Please note that Step 1 mentioned above is my own way of designing the DAC, which helped me to visualize the data I wanted in the DAC.
- Now moving to DWC to create the View with the same data as in the previous step
- Go to DWC -> Data Builder -> Select the Space -> Create Graphical View
- In the sources, select the Connections -> System -> ABAP Table by table name -> AGR_USERS, drag and drop the table. Please note that if the table is being used in a View for the first time, you will get an “Import and Deploy” pop-up; confirm it.
- Then select the table AGR_1252, drag and drop it on the table 1 to establish the join
- In the details of the View, you can see the Key associations, for our requirement the “Role Name” is important
- Please select the required columns as seen in the screenshot below:
- Save and deploy the View
You will be notified once the View is deployed successfully.
Step 3: Click on Preview data to check the data:
Step 4: To filter the data on a specific Org level only, we have to set up a filter in the View.
For our example, we have considered CC (company code), for which we will set the filter for the Org level “$BUKRS”.
The validation check message, as highlighted in the above screenshot, should be green for filter validation. Please save and deploy the View.
Once deployed, we can check in the Data preview:
Creation of the Data Access Control:
Step 1: Go to DWC -> Data Access Control -> New Data Access Control, and specify a technical name
Step 2: Select the table or the view for creating the DAC
Once the View is added, select the fields which are needed in DAC:
Username, Org Level, Org value (CC)
Please note that the “Identifier Column” should be “User Name” by default.
Step 3: Save and deploy the DAC. The Data Access Control is now ready to be integrated in any DWC view.
The DAC is now available to be integrated in a View containing Business data/ Critical data to restrict the access based on the authorizations assigned to the users.
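The mapping view and its effect on row access, as an added example that is not part of the original blog: it rebuilds the AGR_USERS/AGR_1252 join and the “$BUKRS” filter in an in-memory SQLite database over constructed rows. The SALES table and the view name V_DAC_USER_CC are hypothetical, and the equality match between Org value and company code is an assumption about how the criterion is applied. It also lists mapping rows whose Org value is “*” or a LOW..HIGH range, since those never equal a single company code and should be reviewed before the DAC is relied on.

```python
import sqlite3

# Constructed sample rows. Column names follow the SAP tables AGR_USERS
# (UNAME, AGR_NAME) and AGR_1252 (AGR_NAME, VARBL, LOW, HIGH).
SETUP = """
CREATE TABLE AGR_USERS (UNAME TEXT, AGR_NAME TEXT);
CREATE TABLE AGR_1252  (AGR_NAME TEXT, VARBL TEXT, LOW TEXT, HIGH TEXT);
CREATE TABLE SALES     (DOC TEXT, BUKRS TEXT, AMOUNT INTEGER);  -- hypothetical business data
INSERT INTO AGR_USERS VALUES ('ALICE','Z_FI_1000'),('BOB','Z_FI_2000'),
                             ('BOB','Z_MM_PLANT'),('CAROL','Z_FI_ALL');
INSERT INTO AGR_1252 VALUES ('Z_FI_1000','$BUKRS','1000',''),
                            ('Z_FI_2000','$BUKRS','2000',''),
                            ('Z_MM_PLANT','$WERKS','1000',''),
                            ('Z_FI_ALL','$BUKRS','*','');
INSERT INTO SALES VALUES ('D1','1000',50),('D2','2000',70),('D3','3000',90);
-- The view from the steps above: join on role name, filter on Org level $BUKRS.
CREATE VIEW V_DAC_USER_CC AS
SELECT DISTINCT u.UNAME AS USER_NAME, o.VARBL AS ORG_LEVEL,
       o.LOW AS ORG_VALUE, o.HIGH AS ORG_VALUE_HIGH
FROM AGR_USERS u JOIN AGR_1252 o ON o.AGR_NAME = u.AGR_NAME
WHERE o.VARBL = '$BUKRS';
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SETUP)
    return db

def visible_docs(db, user):
    """Documents a user sees when Org value is matched by equality (assumption)."""
    rows = db.execute(
        "SELECT s.DOC FROM SALES s JOIN V_DAC_USER_CC d ON d.ORG_VALUE = s.BUKRS "
        "WHERE d.USER_NAME = ? ORDER BY s.DOC", (user,))
    return [r[0] for r in rows]

def non_literal_entries(db):
    """Mapping rows that are not one literal company code: '*' or a LOW..HIGH range."""
    rows = db.execute(
        "SELECT USER_NAME, ORG_VALUE, ORG_VALUE_HIGH FROM V_DAC_USER_CC "
        "WHERE ORG_VALUE = '*' OR ORG_VALUE_HIGH <> '' ORDER BY USER_NAME")
    return rows.fetchall()

if __name__ == "__main__":
    db = build_db()
    for user in ("ALICE", "BOB", "CAROL"):
        print(user, visible_docs(db, user))
    print("review before deploying:", non_literal_entries(db))
```

Without the “$BUKRS” filter, BOB's plant value 1000 from the $WERKS row would be read as a company code and expose document D1 to him.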
An important point to note is that, for now, a DAC is specific to each Space in DWC and cannot be shared. However, the View that is created for the DAC can be shared between different Spaces if the connections have the same name. We might expect new features from SAP in the future that allow a unified DAC to be shared across Spaces; the blog will be updated as and when they are available.
We will update the integration of DAC into the Model/View in the upcoming blogs.
Great explanation about DAC in SAP DWC. Everyone can easily understand this scenario. Keep it up :)
I have some questions.
Please find the answers mentioned below:
Thanks for the answer. Just to make it clear in the future for other readers, that the email address is needed and not the username.
But when you use the * in SQL/SQLScript, you cannot use the DAC. You could only use it in the where clause, or am I wrong?
Sorry, I misunderstood your question. The username also works along with the email address in DWC and SAC as well; in fact, we can authenticate via User ID in the SAML setup, allowing the usernames to reflect in DWC/SAC tenants.
Please refer to the blog https://blogs.sap.com/2022/03/10/sap-data-warehouse-cloud-saml-configuration-for-user-access-provisioning-with-azure-as-identity-provider/
Of course we can use DAC even when we use SQL script to create a view for DAC. It works as expected.
I am happy to connect on a call to answer further questions to avoid the confusion.
Thanks for clearing it up. We also have SAML, but we use the email to identify. Therefore, my question.
I will check how we can use the * authorizations. Here is a similar approach to your solution.