SAP Knowledge Base Article - Public

3742633 - DAC is not restricting the result set until the dimension is added in the drill-down

Symptom

  • Issue with Data Access Control (DAC) built on a dimension.
  • Result set is not restricted immediately when the story is opened.
  • Interaction with the hierarchy story (deselecting “All” and manually selecting nodes) is required before the result set becomes restricted.
  • No error messages or error codes are displayed.

Environment

  • SAP Datasphere

Reproducing the Issue

  1. Open a story or Analytic Model that consumes an Analytic Model where DAC is defined on a dimension.
  2. Observe that the initial result set is not restricted by DAC.
  3. Open the story or Analytic Model used to select the dimension.
  4. Observe that the result set now becomes restricted.

Cause

  • DAC is applied at the dimension level and linked to the dimension by association, with the dimension linked to the fact by another association. DAC does not propagate through associations, leaving the fact (transactional data) unprotected.
  • Because the DAC is multiple levels above the fact, restrictions are only perceived when users navigate starting from the dimension that contains the DAC; otherwise, the Analytic Model remains unfiltered.

Resolution

  1. Explicitly protect transactional data by materializing the authorization path to the fact:
    1.  Create INNER JOINs from the hierarchy to the intermediate dimension, and from the intermediate dimension to the fact, following the same mappings as the existing associations.
    2. Use the resulting joins to filter the fact so that DAC restrictions are enforced at the transactional level.
  2. Alternatively, apply DAC directly at the Analytic Model level to ensure restrictions are evaluated when the story opens.
  3. Note: DAC derivation across dimensions is not supported in this scenario; therefore, the join-based approach is the recommended option.
  4. Test the story to confirm that the initial result set is restricted without requiring manual hierarchy interaction.

See Also

2841717 - Data Access Control (DAC) is only applied to the default hierarchy in SAP Analytics Cloud (SAC)

Data Access Control in SAP Datasphere – Hierarchy DAC

Keywords

data access control, dac, hierarchy, associations, fact table, analytic model, result set not restricted, initial load unfiltered, sac story, default hierarchy, deselect all, manual node selection, inner join path, transactional data filter, authorization propagation , KBA , DS-SEC-DAC , Security – Data Access Control , Problem

Product

SAP Datasphere all versions