2966376 - Data Privacy Control is not working as expected when multiple roles are assigned to a user in SAP Analytics Cloud (SAC)

After enable Model Data Privacy on the model, then set a rule with limited access on dimension A in a custom role A by adding read access, do the same for another dimension B in custom role B, for example, in the model there are 2 dimensions: Country and City, and in the custom role A, add limit access to Country=Germany, and in custom role B, add limit access to City=Munich. Then assign both roles A and B to a user, the expectations from customer is that both roles are working, i.e. the user can only read the data of Country=Germany and City= Munich, but the actual result is user can read the data of all cities in Germany.

And if configure the rule to make it without and subset of the data, like Country=China and City=Munich, then the user can read the data of all the cities in China and data of city Munich.

• SAP Analytics Cloud (Enterprise)

1.  Enable Model Data Privacy in a model, for example name is Test.
2.  Create two custom roles A and B from Template BI Admin.
3.  Open the created role A and add the model Test in Select Model tab.
4.  Select Limited Access and click Add Read Access.
5.  Add a Data Access Filter for the model, like City=Munich.
6.  Do the same steps 3-5 in role B, add another Data Access Filter for the model, like Country=Germany.
7.  Assign both roles A and B to a user, then login SAC with the user, the user can read the data of all the cities in Germany. 

By design behavior.

• Data access control (DAC) defined on dimensions of a model takes effect as an intersection of granted access on dimensions.
• Data access filter defined for a secured model on roles takes effect as a union of filters. It's similar to application privileges defined in roles.
• Combining dimension based DAC and role based DAC will get the data access as an intersection (except roles with Full Data Access which trumps all other DAC settings).

• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening an case for SAP Analytics Cloud?
• Search for SAP Analytics Cloud content using Google or Bing:
• https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
• Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud > Learning > Data Connections
• SAP Analytics Cloud > Learning > Guided Playlists
• SAP Analytics Cloud > Learning > Guided Playlists > Getting Support
• Need More Help? Contact Support or visit the solution finder today!

Your feedback is important to help us improve our knowledge base.

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, SAP AC, Cloud-Analytics, CloudAnalytics, SAPCloudAnalytics,Error, Issue, System, Data, User, Unable, Access, Connection, Sac, Connector, Live, Acquisition, Up, Set, setup, Model, BW, Connect, Story, Tenant, Import, Failed, Using, Working, SAML, SSO, sapanalyticscloud, sap analytical cloud, sap analytical cloud, SAC, sap analyst cloud, connected, failure, stopped , KBA , LOD-ANA-ADM , SAC Administration , Problem