Technology Blogs by SAP
Krishan

Introduction


Analytic privileges prevent users from viewing sensitive data for which they are not authorized. They control data access in calculation views by filtering the data based on the values of one or more attributes.


Figure1: Process Flow



Business Scenario:


User A is responsible for the sales data of one Sales Office/Region, say Gurgaon, and must not have access to the sales data of any other office/region. Similarly, User B and User C are responsible for the sales data of the Mumbai and Bangalore Sales Offices/Regions respectively and must not have access to the sales data of any other office/region.

 

Prerequisites:

  • BTP Onboarding.

  • User has access to Business Application Studio.

  • Project created.

  • User has access to assign roles.


Process1: Create Analytic Privileges


Step1: Login to Cloud Foundry


Open Business Application Studio (BAS)


Figure 2: Business Application Studio


Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)


Figure 3: Login to Cloud Foundry


Note: Make sure your Cloud Foundry endpoint is correct.

Select Cloud Foundry Organization and Space, click Apply.


Figure 4: Select target Cloud Foundry Org. and Space



Step2: Create Analytic Privilege folder under src


Navigate to the project folder (the path where the analytic privilege will be created) and create an Analytic Privilege folder.


Figure5: Analytic Privilege Folder



Step2: Create .hdbanalyticprivilege file under Analytic Privilege folder


Create a .hdbanalyticprivilege file (SALES_VIEW_GURGAON.hdbanalyticprivilege) to restrict the user to the Gurgaon Sales Office.


Figure6: .hdbanalyticprivilege File



Step3: Add Models


Click the Add button under Secured Model and search for the calculation view to secure.


Figure7: Search Calculation Views



Step4: Add Attributes


Click the Add button under Associated Attributes Restriction and select the field to restrict.


Figure8: Select Field


Click the Restriction button under Restriction Type and search for the field value to restrict.


Figure9: Select Field Value


Similarly, create analytic privileges for the other sales regions/offices, e.g. Mumbai and Bangalore.

Before deploying the analytic privileges, enable SQL Analytic Privileges on the selected calculation view: navigate to Calculation View -> Semantics -> View Properties -> General -> Apply Privileges.


Figure10: Map SQL Analytic Privileges


Click the rocket button to deploy the calculation view first, and then deploy all analytic privileges.


Figure11: Deploy Analytic Privilege


Analytic Privileges deployed and created successfully.

Process2: Role Creation


Step1: Create .hdbrole


Navigate to the roles folder under src (create the roles folder if it is missing) and create a .hdbrole file for the Gurgaon sales region/office. Assign the object privilege (on the selected calculation view) and the analytic privilege.


Figure12: .hdbrole



Step2: Create .hdbroleconfig


Create a .hdbroleconfig file under the roles folder for the Gurgaon sales region/office and assign the reference schema.


Figure13: .hdbroleconfig


Similarly, create and deploy roles for the Mumbai and Bangalore sales regions/offices.
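What the design-time artifacts from Process 1 and Process 2 express at the SQL level, as an added example that is not from the original post (which builds these objects as HDI artifacts in BAS). It uses a plain SQL view instead of a calculation view so that it is self-contained; the schema, table, view, column and role names are assumptions, and only the privilege name SALES_VIEW_GURGAON comes from the post.

```sql
-- Added illustration for a plain (non-HDI) schema.
-- Run as a user holding STRUCTUREDPRIVILEGE ADMIN and ROLE ADMIN.
-- SALES_DEMO, SALES, V_SALES, SALES_OFFICE and SALES_GURGAON_ROLE are hypothetical names.
CREATE SCHEMA "SALES_DEMO";

CREATE COLUMN TABLE "SALES_DEMO"."SALES" (
    "ORDER_ID"     INTEGER PRIMARY KEY,
    "SALES_OFFICE" NVARCHAR(20),
    "AMOUNT"       DECIMAL(15,2)
);

-- Constructed sample rows.
INSERT INTO "SALES_DEMO"."SALES" VALUES (1, 'Gurgaon',   1200.00);
INSERT INTO "SALES_DEMO"."SALES" VALUES (2, 'Mumbai',     800.00);
INSERT INTO "SALES_DEMO"."SALES" VALUES (3, 'Bangalore',  450.00);

-- Counterpart of "Apply Privileges = SQL Analytic Privileges" on a calculation
-- view: the view only returns rows that a structured privilege allows.
CREATE VIEW "SALES_DEMO"."V_SALES" AS
    SELECT "ORDER_ID", "SALES_OFFICE", "AMOUNT"
      FROM "SALES_DEMO"."SALES"
    WITH STRUCTURED PRIVILEGE CHECK;

-- Counterpart of SALES_VIEW_GURGAON.hdbanalyticprivilege:
-- secured model (the view) plus the attribute restriction (the WHERE filter).
CREATE STRUCTURED PRIVILEGE "SALES_VIEW_GURGAON"
    FOR SELECT ON "SALES_DEMO"."V_SALES"
    WHERE "SALES_OFFICE" = 'Gurgaon';

-- Counterpart of the .hdbrole: the object privilege and the analytic
-- privilege travel together in one role. SELECT alone is not sufficient.
CREATE ROLE "SALES_GURGAON_ROLE";
GRANT SELECT ON "SALES_DEMO"."V_SALES" TO "SALES_GURGAON_ROLE";
GRANT STRUCTURED PRIVILEGE "SALES_VIEW_GURGAON" TO "SALES_GURGAON_ROLE";
```

A user who holds SELECT on such a view but no matching structured privilege receives an "insufficient privilege: Not authorized" error instead of an unfiltered result.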

Process3: Assign roles to users


Step1: Login to SAP HANA Cockpit


Open the SAP BTP Cockpit and launch the SAP HANA Database Explorer.


Figure14: SAP BTP Cockpit



Step2: Open SQL Console & execute commands


Execute the following SQL commands to assign the roles to users.


Figure15: Role Assignment


The roles are successfully assigned to the users, i.e. KK-GURGAON, KK-MUMBAI, KK-BANGALORE and KK.
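The commands from Figure 15 are not reproduced in the text, so the following is an added example of such an assignment plus a review query, not the author's own statements. `<CONTAINER_SCHEMA>` is a placeholder for the HDI container schema and the three role names are hypothetical; the user names are from the post, and granting all three roles to KK is an assumption based on the validation result described for that user.

```sql
-- Added example. Run as a user who is authorized to grant the container's roles.
-- <CONTAINER_SCHEMA> is a placeholder; the role names are hypothetical.
GRANT "<CONTAINER_SCHEMA>"."SALES_GURGAON_ROLE"   TO "KK-GURGAON";
GRANT "<CONTAINER_SCHEMA>"."SALES_MUMBAI_ROLE"    TO "KK-MUMBAI";
GRANT "<CONTAINER_SCHEMA>"."SALES_BANGALORE_ROLE" TO "KK-BANGALORE";

-- Assumption: KK receives all three roles. Several analytic privileges on the
-- same view are combined with OR, so KK sees the union of the three offices.
GRANT "<CONTAINER_SCHEMA>"."SALES_GURGAON_ROLE"   TO "KK";
GRANT "<CONTAINER_SCHEMA>"."SALES_MUMBAI_ROLE"    TO "KK";
GRANT "<CONTAINER_SCHEMA>"."SALES_BANGALORE_ROLE" TO "KK";

-- Review the direct grants: who holds which regional role, and who granted it.
SELECT GRANTEE, ROLE_SCHEMA_NAME, ROLE_NAME, GRANTOR
  FROM "SYS"."GRANTED_ROLES"
 WHERE GRANTEE IN ('KK', 'KK-GURGAON', 'KK-MUMBAI', 'KK-BANGALORE')
   AND ROLE_SCHEMA_NAME = '<CONTAINER_SCHEMA>'
 ORDER BY GRANTEE, ROLE_NAME;

-- Least-privilege check: list every user holding more than one role from the
-- container, so that accounts with cross-region visibility stay a short,
-- deliberate list.
SELECT GRANTEE, COUNT(*) AS ROLES_HELD
  FROM "SYS"."GRANTED_ROLES"
 WHERE ROLE_SCHEMA_NAME = '<CONTAINER_SCHEMA>'
   AND GRANTEE_TYPE = 'USER'
 GROUP BY GRANTEE
HAVING COUNT(*) > 1;
```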

Process4: Validation


Step1: Login to HANA Database Explorer and validate the result for user KK


Check if user has access to view sales data for all the sales regions/offices


Figure16: All sales offices access


User has access to view sales data for all the sales regions/offices

Step2: Login to HANA Database Explorer and validate the result for user KK-GURGAON


Check if user has access to view sales data only for Gurgaon sales region/office


Figure17: Only Gurgaon sales office access


User has access to view sales data only for Gurgaon sales region/office

Step3: Login to HANA Database Explorer and validate the result for user KK-MUMBAI


Check if user has access to view sales data only for Mumbai sales region/office


Figure18: Only Mumbai sales office access


User has access to view sales data only for Mumbai sales region/office

Step4: Login to HANA Database Explorer and validate the result for user KK-BANGALORE


Check if user has access to view sales data only for Bangalore sales region/office


Figure19: Only Bangalore sales office access


User has access to view sales data only for Bangalore sales region/office
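The validation steps above can be expressed as queries, shown here as an added example that is not part of the original post. `<CONTAINER_SCHEMA>` and `<CALC_VIEW>` are placeholders for the container schema and the secured calculation view, and the column name "SALES_OFFICE" and the value 'Gurgaon' are assumptions about how the restricted attribute is stored.

```sql
-- Added example. Replace the placeholders before running.

-- 1) Connected as each test user in turn (KK, KK-GURGAON, KK-MUMBAI,
--    KK-BANGALORE): list the offices that user can actually see.
SELECT "SALES_OFFICE", COUNT(*) AS ROWS_VISIBLE
  FROM "<CONTAINER_SCHEMA>"."<CALC_VIEW>"
 GROUP BY "SALES_OFFICE"
 ORDER BY "SALES_OFFICE";

-- 2) Negative test, connected as KK-GURGAON: count rows outside the
--    restriction. NULL offices are included because "<>" alone skips them.
--    Any non-zero count means the restriction is not being enforced.
SELECT COUNT(*) AS ROWS_OUTSIDE_RESTRICTION
  FROM "<CONTAINER_SCHEMA>"."<CALC_VIEW>"
 WHERE "SALES_OFFICE" <> 'Gurgaon'
    OR "SALES_OFFICE" IS NULL;

-- 3) Connected as an administrator: show which analytic privileges apply to
--    a given user on the secured view, without logging in as that user.
SELECT *
  FROM "SYS"."EFFECTIVE_STRUCTURED_PRIVILEGES"
 WHERE ROOT_SCHEMA_NAME = '<CONTAINER_SCHEMA>'
   AND ROOT_OBJECT_NAME = '<CALC_VIEW>'
   AND USER_NAME        = 'KK-GURGAON';
```

Repeating query 2 with the matching office value for KK-MUMBAI and KK-BANGALORE turns the visual checks in Figures 17 to 19 into a repeatable regression test after every redeployment of the view or the privileges.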

Conclusion


Analytic privileges allow the same calculation views to be used by different users who are not allowed to see the same data. I hope this article helps you meet your business requirement of preventing users from viewing sensitive data for which they are not authorized.

 


Feedback, questions and comments are most welcome!

Please follow my profile for future posts on SAP Security and GRC. Also, follow me on LinkedIn.

 

Happy Learnings!

Krishan .