Planning process in SAP Analytics Cloud – data security
Anna Chwistek, SAP BI Consultant
- 19 September 2024
The importance of data security hardly needs stating today. However, the topic of authorisation is often neglected at the planning stage of a solution, which is a serious mistake.
It is an issue closely linked to other elements of our reporting solution. It is best to determine at the outset which authorisation method is required and most convenient from the users’ point of view.
Here, I will outline the authorisation capabilities that the SAP Analytics Cloud application offers us. In this article, we will focus on roles, data access control using Model Data Privacy and Data Access Control, and the sharing functions for individual models, reports and folders.
Roles and licences
At the outset, the user is assigned a certain Role and therefore also one of several available licences – Business Intelligence, Planning Standard, Planning Professional.
A licence gives the user a specific set of options. Every SAP Analytics Cloud user must be assigned a licence in order to use the tool. The type of licence determines which functionalities the user will be able to use and to what extent: the ability to create, read, edit and delete. The following graphic illustrates the main differences in the scope of a licence. For example, a user with a basic Business Intelligence (BI) licence cannot actively participate in value planning; however, they can view the values already planned for analysis.
Roles allow you to manage the options that are available within a licence. SAC offers built-in Roles, e.g. BI Admin, BI Content Creator, Planner Reporter and many others. Additionally, we can create our own roles, tailored to our needs. At this stage, we can define who will have what access to which system functionalities. For example, a user who will only be using pre-built reports will not be given permission to modify or delete a Story. In the next part of this article, I will show how roles can be used to restrict access to data at the model level.
In addition, to make it easier to manage permissions for people with the same rights, we can create a Team. We will then be able to manage the permissions of a given Team without having to update the permissions for each user separately.
Model Data Privacy
Model Data Privacy is one of the options for managing access to data at the model level. If this option is enabled, only the model owner and users who have been granted access through appropriate roles can see the model data (facts). This allows one report to be used by multiple users who will see completely different data. For simplicity, I will illustrate this with an example.
Let's imagine that an HR employee is responsible for employee cost planning, but he or she does not have insight into payroll, as this is handled by his or her manager. Using Model Data Privacy, we can create a role for the HR employee, specifying the filters that determine which data they should have access to. In the example below from the system, access was granted to Cost Centre (MPK) = 'HR' and the relevant measures were selected, excluding payroll. The data range restriction configured here will apply to all reports based on the selected data model.
Along the same lines, a separate role will be created for the HR manager, who has oversight of HR staff and insight into payroll, but who is not the decision-maker in this matter and so cannot make changes to the payroll values. In this position, he also sees costs arising in units other than HR. The screenshot below from the system shows the view of the data from the HR manager's point of view.
Thanks to the Model Data Privacy settings, employees from different departments using the same report will only see the data they are responsible for.
Data Access Control
Another way to restrict access to data at the model level is to use Data Access Control. At the level of a particular dimension, we define who has access to which element (dimension member). We can give users the ability to read (Read) and write (Write) data in planning reports. As an example, we will take the Employee dimension and enable Data Access Control on it. We will assign Read and Write permissions to Team Europa for the dimension members with IDs 'AN' and 'ZE'.
View without Data Access Control enabled:
View with Data Access Control enabled:
The ‘Employee’ dimension can be a dimension assigned to only one model or we can create it as a Public Dimension and use the same dimension with the same authorisation in multiple models.
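The two mechanisms above can be checked together as an access matrix before go-live. The following is an added example, not SAP Analytics Cloud code or its API: a simplified Python model of the article's HR roles and the Team Europa grant. The measure names, the 'IT' cost centre, the 'KO' member, the manager having no write rights, and the rule that a row must pass both the role filter and Data Access Control are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:                       # Model Data Privacy: filters attached to a role
    cost_centres: frozenset       # allowed MPK values; empty set means "all"
    measures: frozenset           # measures the role may read
    writable: frozenset = frozenset()  # measures the role may change

@dataclass(frozen=True)
class User:
    name: str
    role: Role
    teams: frozenset

# Roles mirroring the article's HR example; measure names are constructed.
HR_EMPLOYEE = Role(frozenset({"HR"}), frozenset({"Training", "Travel"}),
                   frozenset({"Training", "Travel"}))
HR_MANAGER = Role(frozenset(), frozenset({"Training", "Travel", "Payroll"}))

# Data Access Control on the Employee dimension: member -> team -> rights.
DAC_EMPLOYEE = {"AN": {"Europa": {"Read", "Write"}},
                "ZE": {"Europa": {"Read", "Write"}},
                "KO": {}}         # constructed member with no grants

# Constructed fact rows: (cost centre, employee, measure)
ROWS = [("HR", "AN", "Training"), ("HR", "AN", "Payroll"),
        ("HR", "KO", "Travel"), ("IT", "ZE", "Travel")]

def dac_allows(user, employee, right):
    grants = DAC_EMPLOYEE.get(employee, {})
    return any(right in grants.get(team, ()) for team in user.teams)

def can_read(user, row, dac_enabled=True):
    mpk, employee, measure = row
    role = user.role
    if role.cost_centres and mpk not in role.cost_centres:
        return False              # outside the role's cost-centre filter
    if measure not in role.measures:
        return False              # measure (e.g. Payroll) not granted
    return not dac_enabled or dac_allows(user, employee, "Read")

def can_write(user, row):
    return (can_read(user, row) and row[2] in user.role.writable
            and dac_allows(user, row[1], "Write"))

def visible(user, rows=ROWS, dac_enabled=True):
    return [r for r in rows if can_read(user, r, dac_enabled)]

employee = User("hr_employee", HR_EMPLOYEE, frozenset({"Europa"}))
manager = User("hr_manager", HR_MANAGER, frozenset({"Europa"}))
```

Comparing `visible(employee)` with `visible(employee, dac_enabled=False)` reproduces the difference between the two views above: the row for the member without a grant disappears once Data Access Control is enabled.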
Sharing files and folders
Another way to control access is the Share option, which does not operate directly on the data, but restricts access to specific models, reports or folders. For example, a user entering planning data must have the right to edit the model, because the planning results are saved in the model's transaction data. When creating a report or a group of reports in a folder, we can specify which group will be able only to view the report, which will be able to edit it, and which will have developer access (Full Control). We can also specify in detail which actions will be available to selected users using custom options (Custom).
The foundation for the effective operation of SAP Analytics Cloud is the Single Source of Truth (SSoT) principle, which means that all reports are based on a single data source to ensure consistency. Appropriate access settings allow multiple users to access a single report, but due to implemented access restrictions, each user can see a different range of data. The user authorisation process is one of the most important considerations during the initial implementation phases of the SAP Analytics Cloud platform.
- On 18/09/2024