Control Data Export Service Access to SAC Models

With the Data Export Service (DES) we provide an open API to retrieve data from SAC models. But obviously not all models and not all data in a model should be retrievable without a detailed access control. Let us have a look at the options we can use to restrict the access to SAC models. We have to distinguish the two different oAuth scenarios that are available with DES: 2-legged or 3-legged approach.

Let us have a brief look at what the difference between the two options are and what they are used for. For more details please have a look at our documentation: https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/14cac91febef464dbb1efce20e3f1613/0c1fb5e6ef1f46acb83771070084f124.html?locale=en-US

2-legged scenario

This approach is used for system-to-system data transfer without the involvement of a user. The client connects directly to the server without a specific user being involved. Thus is the server (in our case the SAC system) no named user is used but a technical connection user that cannot be modified and also cannot be assigned to any roles. User based access restrictions thus cannot be applied.

3-legged scenario

Here we have a named system user involved in the data export. That means when data is ready the SAC system is accessed with a named (SAC-) user. Thus, any user-based data access restriction in SAC can be enforced.

Model Setting ‘Restricted Export’

This setting controls whether a given model can be exported at all. If this toggle is enabled for a given model then no data export via DES is possible – not matter whether you are using a 2-legged or a 3-legged scenario.

Toggle for restricted export

If the toggle is NOT enabled (default setting) then a 2-legged export of ALL data in the model is possible. For the 3-legged scenario the behavior depends on the user and the data privacy settings for the model.

Model Settings for Data Access

Settings for data access

We have two options to control the access to the data in a model. It can be done by the toggle ‘Model Data Privacy’ – any user who wants to access the data has to have the corresponding roles assigned.

When using ‘Data Access in Dimension’ you can specify for each dimension member whether a given user should be able to write or read data booked against this dimension member.

Both options require a system user. As we have already explained above in the 3-legged case such a user exists and can be checked. Thus the user can only export such data through DES he/she is entitled to use. In the 2-legged case we do not have a named system user. Thus, the security settings cannot be evaluated and are not taken into consideration.

Logging of data exports via DES

When the export is done using a named user (3-legged case) the system tracks the exports in the activity log.

From the description you can obtain the information whether fact data or master data for certain dimensions have been exported.

Activity log