3585634 - SAC - Data action parameter not properly set from story filter

Although a data action parameter is linked to a story filter, it unexpectedly allows selection of all master data values, including those restricted by role-based data access control. This occurs when no filter values have been selected in the story filter.

SAP ANALYTICS CLOUD

behavior is expected and by design

When using role-based data access control to restrict the access to the data based on the defined rules, this does  not restrict the access to the dimension members that a user can see, e.g. in the Data Dimensions.

Restricting the member data which can be seen by a user can only be achieved by using the Hide parents feature in the DAC settings of a dimension, see also: 0003167189 - Data Access Control (DAC) in SAP Analytics Cloud Collective KBA ,"You must switch on the Hide Parents option to restrict which dimension members can be seen in the Modeler or in Stories: If this option is enabled, users will see only the members that they have at least Read access to."

Please note that when seeing a different set of members in the control for the story filter and in the member selector for the data action parameter prompt, however, this does not mean that the data access is handled differently for those two member selections - but in fact is only a side effect of how those member selectors are set up in combination with which data the user can see (based on the access roles):

• The selection that is shown for the "Data Dimensions" filter control in the story only shows the available members as specified when this filter was set up. Note that, by default, when setting up this filter the option to "show unbooked members" is disabled. As a result, only booked members (members for which the user sees data) are included in the available set of selectable members. If the option is changed to include also unbooked members, also the members for which the user cannot see data will be included. (Please note, that in the optimized story mode, the controls are available in the member selector via the Settings tab
• The selection that is opened for the data action parameter prompt intendedly has a different setting by default, namely, including all members, even unbooked members (i.e., members for which the user does not see data, e.g., because they do not have access). This is necessary in order to allow any member to be selected for a data action parameter, even if this member does currently not have (visible) data or cannot be written (published) to.

To summarize, both controls show expected behavior. The difference in the members that can be seen being restricted in the filter control are only an implicit side effect of data access control: The non-accessible member data leads to the associated members also being not included in the available members of the filter control.

Hiding the members themselves (rather than just their fact data) can only be achieved when using the "Hide Parents" functionality , which however is only usable for dimension data access control.

Also there is a difference between "access control" and what happens in the member selector configuration:

•  The member selector in the filter control does not exclude the members because their data cannot be accessed based on DAC. It does exclude those members because there is no data that is visible to the user for those members - this can happen due to two reasons:
  • due to missing read rights and
  • due to there simply being no data at all for those members
• The member selector for the parameter value selection does show all members because it does not discern between members where there is data (visible) for the users and data where there isn't any data (visible)
  • If a user wants to select e.g. region US as a target member but there currently is not yet any data for the US member (even with the user having full read access) the user still should be able to select US as a target member.
  • If the member selector (based on an option to only show "booked" members) would only show members where there is currently data (visible) for the user, they would no longer be able to select members which currently do not have any data (visible).

There is an enhancement request about this limitation: https://influence.sap.com/sap/ino/#/idea/342305

•  0003167189 - Data Access Control (DAC) in SAP Analytics Cloud Collective KBA

• https://influence.sap.com/sap/ino/#/idea/342305

• 2569847 - Where can you find SAC user assistance (help) to use, configure, and operate it more effectively?
• Have a question? Ask it here and let our amazing SAP community help! Or reply and share your knowledge!
• 2487011 - What information do I need to provide when opening an incident for SAP Analytics Cloud?
• 2511489 - Troubleshooting performance issues in SAP Analytics Cloud
• Search for SAP Analytics Cloud content using Google or Bing:
  • https://www.google.ca/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
  • https://www.bing.com/search?q=site%3Ahttps%3A%2F%2Fapps.support.sap.com+SAP+Analytics+Cloud
  • Note: Add relevant text or warning/error messages to the text search field to filter results.
• SAP Analytics Cloud Connection Guide
• Getting Started with SAP Analytics Cloud Expert Community page
• SAP Analytics Cloud Get More Help and SAP Support
• Need More Help? Contact Support or visit the solution finder today!

SAP Cloud for Planning, sc4p, c4p, cforp, cloudforplanning, Cloud for Analytics, Cloud4Analytics, CloudforAnalytics, Cloud 4 Planning, BOC, SAPBusinessObjectsCloud, BusinessObjectsCloud, BOBJcloud, BOCloud., SAC, Data action, DAC, data access control, story filter, unbooked member, restricted access, hide parent, member selector, Enhancement request, Product limitation. , KBA , LOD-ANA-PL-DA , Data Actions , LOD-ANA-DES , Story Design & Visualizations , Problem