Author: Justine Angeles

Characteristic-Based Authorization: SAP PaPM Cloud to SAC Reporting

Hi Everyone,

Did you miss me? (^^,)  I am back with another technical blogpost that can hopefully help the SAP PAPM Cloud Community Modelers in integrating and consuming SAP Profitability and Performance Management Cloud (SAP PAPM Cloud) data in SAP Analytics Cloud (SAC) while also considering Characteristic-Based Authorization.

For those who are not yet familiar with the terminology, Characteristic-Based Authorization is an additional security level that limits a user's or team's data access on certain tables or models. To visualize it, imagine the department table below, where each Department Admin should only see information about the employees in their own department. For such a case, a department-based authorization is ideal for limiting which users can see the information.

Department   Employee ID   Name
IT           EID001        John Smith
IT           EID002        Jane Smith
HR           EID003        John Doe
HR           EID004        Jane Doe
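
To make the idea concrete, here is an added example (not part of the original post and not SAP code) that applies a department-based authorization to the table above. The field names, user names, team name and the `GRANTS` structure are assumptions made for illustration.

```python
# Constructed sample data: the department table from the post.
# Field names are chosen for this example.
EMPLOYEES = [
    {"department": "IT", "employee_id": "EID001", "name": "John Smith"},
    {"department": "IT", "employee_id": "EID002", "name": "Jane Smith"},
    {"department": "HR", "employee_id": "EID003", "name": "John Doe"},
    {"department": "HR", "employee_id": "EID004", "name": "Jane Doe"},
]

# Hypothetical team membership and grants. A grant maps a principal
# (a user or a team) to the characteristic values it may read.
TEAMS = {"hr_admins": {"carol", "dave"}}
GRANTS = {
    "alice": {"department": {"IT"}},
    "hr_admins": {"department": {"HR"}},
    "dave": {"department": {"IT"}},  # dave also holds a direct IT grant
}


def allowed_values(user, characteristic):
    """Union of the values granted to the user directly or through a team."""
    principals = {user} | {t for t, members in TEAMS.items() if user in members}
    values = set()
    for principal in principals:
        values |= GRANTS.get(principal, {}).get(characteristic, set())
    return values


def authorized_rows(user, rows, characteristic="department"):
    """Return only the rows whose characteristic value is granted to the user.

    Deny by default: a user without any grant sees no rows, and a row
    that lacks the characteristic is never returned.
    """
    allowed = allowed_values(user, characteristic)
    return [row for row in rows if row.get(characteristic) in allowed]


if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "mallory"):
        visible = [r["employee_id"] for r in authorized_rows(user, EMPLOYEES)]
        print(f"{user}: {visible}")
```

The filter has to run where the data is served, before the records reach the report consumer, which is why the choice of connection type matters for where the authorization can be enforced.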

So how do we do this when the data records come from SAP PaPM Cloud and are to be reported in SAC?

Let me give you an overview based on the techniques for consuming SAP PaPM Cloud's data in SAC, described in the blogpost "How SAP Analytics Cloud (SAC) pulls data from SAP Profitability and Performance Management Cloud (SAP PaPM Cloud)".

(1) HANA Cloud Live Connection

With this approach, data is projected in SAC from the runtime SAP HANA Cloud database of SAP PaPM Cloud through the provided runtime database user SAP_PAPM_ADMIN. As the name states, this type of connection is "Live", so if you want control over the version of the information you report, keep in mind that your report's stability depends on the update frequency of your source.


This approach does not allow Characteristic-Based Authorization to be modeled in SAC through Model Privacy or Data Access Control, since a Live Connection does NOT perform replication, meaning the data records are not physically stored in SAC.

In such a case, SAC expects the privileges to be set at the source, and they can be controlled with the use of SSO if the database is administered by your administrators and sits in your BTP subaccount. Reference: "Question: data access control on live data from hana".

When deciding whether to use SAP PaPM Cloud's underlying database for a Live Connection, we need to remember that by design SAP PaPM Cloud's SAP HANA Cloud database is a runtime database. This means that the database is fully administered by SAP and is not visible in your SAP BTP subaccounts. This protects technical artifacts from corruption, which could cause your subscribed SAP PaPM Cloud application to be corrupted as well.


If you still want to use a Live Connection after taking note of the above, you can create multiple SAP PaPM Cloud Queries, each limiting the data through selection, and consume these queries accordingly in SAC.

Another possible approach is for SAP PaPM Cloud's data to be written to or consumed by a standalone, self-administered SAP HANA Cloud, Datasphere or BW in order to further limit users' access to the data records. In the end, SAC can connect to these solutions via SSO and project the result as a report.

(2) OData Service Connection

The OData Service is the suggested approach for consuming SAP PaPM Cloud's data records in SAC. With this approach, SAC performs an API call that pulls data records from SAP PaPM Cloud's Queries. Since you are pulling the information from SAP PaPM Cloud, you have full control over when the data records are projected in your report, which gives a better analysis experience.

After consumption, it is then possible to limit the data access. Since there are already several articles and guides from SAC on this topic, allow me to just list them here for you: "Model Privacy or Data Access Control" and the blogpost "Data access control in sap analytics cloud".

After following one of the documents or blogposts suggested above, you can enjoy the Characteristic-Based Authorization offered by SAC via the OData Service Connection.

Yep, that is all for today's blogpost. I hope this guides you well in deciding which connection type, additional solutions, and approach to consider for your next SAP PaPM Cloud and SAC implementation projects.

Until Next Time! Happy Modeling in the Cloud!


      1 Comment
      vajrareddy Mandapati

      Thanks For the blog posting on authorization