SAP Analytics Cloud – Role Based Security for SAC Content Models

Starting with Wave 2023.15 (2023.Q3) release of SAP Analytics Cloud we introduce the Data Access Control for SAC Content delivered Models.

Role-based security is a critical component of any modern application that needs to secure user access and protect sensitive and personal data. In order to meet compliance requirements, we need to ensure configurable administration, to enable wider SAP Analytics Cloud (SAC) Performance Content distribution. SAC is already designed to use role-based security for authorizations.

Administrators should have access to personal user data whereas developers, business user, etc. should not have access to other users private data. Sometimes Administrators want to delegate tasks where access to personal data of a specific user group is needed.
Thus, we introduce Data Access Control for the SAC Content delivered Models that provides Administrators the possibility to provide content to a wider audience. Administrators will be able to create roles that allow access to certain content for specific user groups, while restricting access to sensitive or confidential data. This enables our customers to share content with a wider audience, while still having strict control over who has access to sensitive data and stay compliant with government and works council requirements.

How to set it up:

The setup process has already been documented in SAC Help – Setting Data Access Control on Dimensions Based on Custom Role.

Important Note: Once Model privacy is enabled only Administrators will see any data in the Stories and Analytic Applications that use the Model as a Data Source until you set up Data Access Control.

Important Note: Once Model privacy is enabled, you have to set up Role based access. This is only possible if the Model has been shared with you or if it is not located in the System File Directory. There are two ways to achieve this:

1. Either move SAC Content or the Model to “Public”
2. Or share SAC Content Folder including subfiles with the Administrator Users

Use-case 1: Access to Personal Performance Data

Performance Analysis Self Service

There has been a high demand to limit SAP Analytics Cloud Performance Analysis Tool and SAP Analytics Cloud Performance Statistics and Analysis for a single user to be able to roll it out as self-service tools.

You can achieve this with the following steps:

1. Enable Model Privacy for:
   1. SAC_PERFORMANCE_E2E (Performance Analysis Tool, Performance Statistics and Analysis)
   2. SAC_STATISTICS_MDS_QUERY_PERF (Performance Statistics and Analysis)
   3. SAC_USER_FRIENDLY_PERF_ACTION (Performance Statistics and Analysis)
2. Create a custom role like “Performance Self Service”
3. Add Read Access for the Models of the first step:
   1. Data Access Filter on Attribute: SAC_USER_NAME, Operator: IS CURRENT USER
   2. Data Access Filter on Attribute: APPLICATION_USER_NAME, Operator: IS CURRENT USER
   3. Data Access Filter on Attribute: SAC_USER_NAME, Operator: IS CURRENT USER
4. Assign Users/ Teams
5. Share Models, Analytic Application and Story with Users/ Teams

Result for Performance Analysis Tool:

Use-case 2: Access to specific Model data

Monitor Versions and their Sizes on certain Models

You want to limit SAP Analytics Cloud – Private Versions Statistics and Analysis for a specific Model for your Modeling or Housekeeping Team to monitor growth of a certain set of Models.

You can achieve this with the following steps:

1. Enable Model Privacy for:
   1. VERSION_STATISTICS_VIEW (Private Version Statistics and Analysis)
2. Create a custom role like “BestRun Bike Model Monitoring”
3. Add Read Access for the Models of the first step:
   1. Data Access Filter on Attribute: MODEL_NAME, Operator: “=”, VALUE: List of Models
4. Assign Users/ Teams
5. Share Models, Analytic Application and Story with Users/ Teams

Use-case 3: Access to specific Story or Analytic Application Performance Data

Monitor Performance of specific Models, Stories and Analytics Applications

The question to limit SAP Analytics Cloud Performance Analysis Tool and SAP Analytics Cloud Performance Statistics and Analysis for a group of e.g. content designer to monitor their provisioned content, has been raised.

You can achieve this with the following steps:

1. Enable Model Privacy for:
   1. SAC_PERFORMANCE_E2E (Performance Analysis Tool, Performance Statistics and Analysis)
   2. SAC_STATISTICS_MDS_QUERY_PERF (Performance Statistics and Analysis)
2. Create a custom role like “EMEA FI Reporting Performance”
3. Add Read Access for the Models of the first step:
   1. Data Access Filter on Attribute: MODEL_NAME, Operator: “=”, VALUE: List of Models
      Data Access Filter on Attribute: RESOURCE_ID, Operator: “=”, VALUE: List of Stories/ Analytic Applications
   2. Data Access Filter on Attribute: MODEL_NAME, Operator: “=”, VALUE: List of Models
      Data Access Filter on Attribute: STORY_NAME, Operator: “=”, VALUE: List of Stories/ Analytic Applications
4. Assign Users/ Teams
5. Share Models, Analytic Application and Story with Users/ Teams

There is a variety of other use cases that can be achieved using Data Access Control now for the SAC Content Models.

We are aware that some use-cases including hierarchical filter on Teams and Folder Structures would make life much easier, but this is not possible with the first version of this content.

Please stay tuned for further enhancements!