Symptom
Concepts and expected behavior of dimension-based data access control for roles and data access management (security):
- Dimension based data access control (DAC) in SAP Analytics Cloud (SAC) is used to control and limit which users or teams can see specific dimension members and data.
- Data access control can be enabled by accessing the Model via Browse > Models > “Select Model” > Model Structure > “Select Dimension” > “Data Access Control” under “Rights / Access”.
- For example, if data access control is applied on an “Employee” Dimension, a “Read” and “Write” column will now be visible within that dimension.
- If it is desired that only “John” can see the “John” dimension member, and data associated with this member, then the user “John” should be entered into the “Read” column entry for the “John” dimension member.
- You must switch on the Hide Parents option to restrict which dimension members can be seen in the Modeler or in Stories: If this option is enabled, users will see only the members that they have at least Read access to.
- When accessing a story that references this model and uses the “Employee” dimension, John will only be able to see data for the “John” Dimension member from the “Employee” Dimension.
Common issues
- User is able to see data despite Dimension based Data Access Control being enabled.
- User is not able to see data that they have "Read" permissions for in Dimension based Data Access Control.
- Data Access Control "Read / Write" column entries are lost when Data Access Control is disabled and enabled.
- User cannot see data of parents in a Hierarchy when "Hide Parents" option is enabled
Environment
- SAP Analytics Cloud (Enterprise)
Resolution
Impact of Full Data Access on Dimension-based DAC
Roles take precedence over any Data Access Control, so if a User has a Role which has “Full Data Access” enabled, such as “BI Admin” or “Admin”, then this will take priority over any Data Access Control set on any Dimension or Public Dimension used within a Model.
Therefore, if the same “John” User inherits a Role with “Full Data Access”, this User can see all Dimension Members and the data associated with them, despite the existing Data Access Control settings that dictate that this User should only be able to “Read” the “John” Dimension Member.
When such a User opens a Story consuming any Model where Data Access Control is enabled, these settings are ignored, and the User can see all Dimension Members and data available from the Model.
Difference between object-level access and data-level access
Object level access restricts the visibility and access to a particular Model, and the ability to see and consume this within a Story. A User can have “Full Write Access” to a Model and will be able to View and Maintain the Model, but if Data Access Control is set for their User, Data Access Control restrictions will apply, and when accessing a Story consuming this Model, they will only be able to see data for the Dimensions that they have been granted “Read” access to.
Concept & expected behavior of Model-based DAC
Data Access can also be restricted on Model level, via the Roles Menu found at Menu > Security > Roles > “Model Name” > Select Model. On any particular Role, access can be restricted for each Model, with more flexibility.
As a prerequisite, model based DAC must be enabled from Browse > Models > “Select Model” > Model Preference > Access and Privacy > Model Data Privacy.
Since a User can inherit more than one Role, any restrictions or access set via the Roles menu exhibit OR behavior, so the data access rules from all inherited Roles are combined.
For example, if user “John” has a Role “Manager” which gives read access to the “Mary” Dimension Member of “Employee”, and also another Role “Manager B” which gives read access to “Susan”, the “John” User will have read access to both “Mary” and “Susan”, and the filter appears as:
(EMPLOYEE = ‘Mary’ (from first role DAC filter) OR EMPLOYEE = ‘Susan’ (from second role DAC filter))
> EMPLOYEE = ‘Mary’, ‘Susan’
Note: This behavior is only applicable if Data Access Control has not already been set on the Dimension.
Relationship between Model-based DAC and Dimension-based DAC
However, if both Dimension and Role/Model Data Access have been set, these two sets of rules and restrictions are subject to INTERSECTION (AND) behaviour.
For example, if the same dimension with Employee records existed and Dimension based Data Access Control was enabled on this Dimension, and “John” had read access to “Mary”, but the same User also inherited a Role with Model Data Access set with read access to “Susan”, the following filter would apply:
(EMPLOYEE = ‘Susan’ (from first role DAC filter) AND EMPLOYEE = ‘Mary’ (from dimension DAC setting))
> EMPLOYEE = ‘’
However, if the User “John” inherits an additional Role with Model Data Access set with read access to “Mary”, then User “John” will be able to read data for “Mary” only, due to the following filter conditions:
((EMPLOYEE = ‘Susan’ (from first role DAC filter) OR EMPLOYEE = ‘Mary’ (from second role DAC filter)) AND EMPLOYEE = ‘Mary’ (from dimension DAC setting))
> EMPLOYEE = ‘Mary’
Impact of “Full Data” option being set for a Model for a Role
The same behaviour applies if a user inherits a Role with Model Data Access Control set with the “Full Data” option selected. For example, if user “John” has a Role with the “Full Data” option selected for the “Employee” Model, this user will still only be able to see the dimension members that are set in Dimension based Data Access Control for his User, due to this INTERSECTION behaviour.
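The precedence rules above (role “Full Data Access” overrides everything, model DAC filters are ORed across roles, and the result is ANDed with dimension DAC) can be checked with a small model. This is an added example, not SAP code: `Role`, `effective_read` and the `FULL` marker are hypothetical names, and it assumes that with Model Data Privacy on, a user with no role grant reads nothing.

```python
from dataclasses import dataclass

FULL = "FULL_DATA"  # hypothetical marker for the "Full Data" option on a model

@dataclass(frozen=True)
class Role:
    name: str
    full_data_access: bool = False      # role-level "Full Data Access" (e.g. BI Admin)
    model_read: object = frozenset()    # members granted via model DAC, or FULL

def effective_read(user, roles, members, dim_read=None, model_dac=True):
    """Members of one dimension that `user` can read.

    dim_read:  {member: users in its Read column}, None if dimension DAC is off.
    model_dac: whether Model Data Privacy is enabled on the model.
    """
    members = set(members)
    if any(r.full_data_access for r in roles):
        return members                            # role beats every DAC setting
    from_roles = members
    if model_dac:
        from_roles = set()
        for r in roles:                           # OR (union) across inherited roles
            from_roles |= members if r.model_read == FULL else members & set(r.model_read)
    if dim_read is None:
        return from_roles
    from_dim = {m for m in members if user in dim_read.get(m, ())}
    return from_roles & from_dim                  # AND with dimension DAC

# Constructed data mirroring the "Employee" examples on this page.
EMPLOYEES = {"John", "Mary", "Susan"}
DIM_DAC = {"Mary": {"John"}}                      # John is in Mary's Read column
MANAGER = Role("Manager", model_read=frozenset({"Mary"}))
MANAGER_B = Role("Manager B", model_read=frozenset({"Susan"}))
FULL_MODEL = Role("Full Data on model", model_read=FULL)
BI_ADMIN = Role("BI Admin", full_data_access=True)

def page_scenarios():
    return {
        "two roles, no dimension DAC": effective_read("John", [MANAGER, MANAGER_B], EMPLOYEES),
        "Susan role AND Mary dim DAC": effective_read("John", [MANAGER_B], EMPLOYEES, DIM_DAC),
        "both roles AND Mary dim DAC": effective_read("John", [MANAGER, MANAGER_B], EMPLOYEES, DIM_DAC),
        "Full Data AND Mary dim DAC": effective_read("John", [FULL_MODEL], EMPLOYEES, DIM_DAC),
        "Full Data Access role": effective_read("John", [BI_ADMIN], EMPLOYEES, DIM_DAC),
    }

if __name__ == "__main__":
    for name, result in page_scenarios().items():
        print(f"{name}: {sorted(result)}")
```

When auditing a tenant, the last scenario is the one to look for first: any inherited role with “Full Data Access” makes the dimension and model settings irrelevant for that user.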
Impact of "Hide Parents" Option
The “Hide Parents” option applies only to a dimension with a hierarchy. It can be activated via Browse > Models > “Select Model” > Model Structure > “Select Dimension” > “Data Access Control” under “Rights / Access”.
The following example explains the behaviour when this option is enabled.
Imagine we have a model with Dimension “Location” with the hierarchy below:
Europe
|_ UK
|_ Germany
North America
|_ US
|_ Canada
And the following data...
Location | Sales
UK | 100
Canada | 200
US | 300
Germany | 400
In a Story, the following behavior will apply:
Example 1: Without DAC enabled, the chart, when drilled to the continent level, will show something like:
Location | Sales
Europe | 500
North America | 500
And after drill down to country level, it will show the full data from all four countries, for example:
Location | Sales
UK | 100
Canada | 200
US | 300
Germany | 400
Example 2: With DAC enabled but without the “Hide Parents” option, and with the user having Read on UK only, the parent of UK in the hierarchy is accessible, with its data adjusted to include only the accessible child nodes:
Location | Sales
Europe | 100
And after drill down to country level, it will show UK data only.
Example 3: With DAC and “Hide Parents” both enabled, and with the user having Read on UK only, the parent of UK in the hierarchy cannot be accessed or shown:
Location | Sales
UK | 100
If UK doesn’t have any children nodes, then no drill up or drill down options are available. However, if UK has children, drill down is still possible.
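The three “Location” examples can be reproduced with a short model of what a story shows at each drill level. This is an added example, not SAP code: `story_rows` is a hypothetical function that covers the page's two-level hierarchy only, using the hierarchy and sales figures given above.

```python
# Hierarchy and sales figures from the "Location" example on this page.
PARENT = {"UK": "Europe", "Germany": "Europe",
          "US": "North America", "Canada": "North America"}
SALES = {"UK": 100, "Canada": 200, "US": 300, "Germany": 400}

def story_rows(readable=None, hide_parents=False, level="continent"):
    """Rows a story shows for the two-level Location hierarchy.

    readable: members the user has Read on, or None when DAC is disabled.
    level:    "continent" (drilled up) or "country" (drilled down).
    """
    dac_on = readable is not None
    # Only members the user can read contribute any data at all.
    leaves = {m: v for m, v in SALES.items() if not dac_on or m in readable}
    if level == "country":
        return leaves
    rows = {}
    for member, value in leaves.items():
        parent = PARENT[member]
        if dac_on and hide_parents and parent not in readable:
            rows[member] = value    # parent hidden: the member is shown on its own
        else:
            # Parent is shown, but its total includes accessible children only.
            rows[parent] = rows.get(parent, 0) + value
    return rows

if __name__ == "__main__":
    print("Example 1:", story_rows())
    print("Example 2:", story_rows(readable={"UK"}))
    print("Example 3:", story_rows(readable={"UK"}, hide_parents=True))
```

In Example 2 the “Europe” row shows 100, not 500, so a parent total never includes data from members outside the user's Read column.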
Additional Resources
- Setting up Data Access Control - https://help.sap.com/viewer/00f68c2e08b941f081002fd3691d86a7/release/en-US/b46f2f74aea04c399ccb5c9b1bcc225e.html
- 3167293 - Data Access Control Settings are lost after disabling and enabling DAC in SAP Analytics Cloud (SAC) & SAP Digital Boardroom
- 2423166 - Users are able to see master data (dimension members) and enter transaction data when data access control is enabled in SAP Analytics Cloud
See Also
- 2815108 - SAP Analytics Cloud Best Practice - Where can I find resources and best practices for security?
- 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
- 2487011 - What information do I need to provide when opening a case for SAP Analytics Cloud?
- 2511489 - Troubleshooting performance issues in SAP Analytics Cloud