SAP Knowledge Base Article - Public

2966376 - Data Privacy Control is not working as expected when multiple roles are assigned to a user in SAP Analytics Cloud (SAC)


After enable Model Data Privacy on the model, then set a rule with limited access on dimension A in a custom role A by adding read access, do the same for another dimension B in custom role B, for example, in the model there are 2 dimensions: Country and City, and in the custom role A, add limit access to Country=Germany, and in custom role B, add limit access to City=Munich. Then assign both roles A and B to a user, the expectations from customer is that both roles are working, i.e. the user can only read the data of Country=Germany and City= Munich, but the actual result is user can read the data of all cities in Germany.

And if configure the rule to make it without and subset of the data, like Country=China and City=Munich, then the user can read the data of all the cities in China and data of city Munich.


  • SAP Analytics Cloud (Enterprise)

Reproducing the Issue

  1.  Enable Model Data Privacy in a model, for example name is Test.
  2.  Create two custom roles A and B from Template BI Admin.
  3.  Open the created role A and add the model Test in Select Model tab.
  4.  Select Limited Access and click Add Read Access.
  5.  Add a Data Access Filter for the model, like City=Munich.
  6.  Do the same steps 3-5 in role B, add another Data Access Filter for the model, like Country=Germany.
  7.  Assign both roles A and B to a user, then login SAC with the user, the user can read the data of all the cities in Germany. 


By design behavior.


  • Data access control (DAC) defined on dimensions of a model takes effect as an intersection of granted access on dimensions.
  • Data access filter defined for a secured model on roles takes effect as a union of filters. It's similar to application privileges defined in roles.
  • Combining dimension based DAC and role based DAC will get the data access as an intersection (except roles with Full Data Access which trumps all other DAC settings).

See Also

Your feedback is important to help us improve our knowledge base.


SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped , KBA , LOD-ANA-ADM , SAC Administration , Problem


SAP Analytics Cloud 1.0