Exploring Data Access Control: From SAC to Datasphere
Introduction
Welcome to the first segment of this two-part series. In this introductory blog, I want to provide an overview of the following key aspects in relation to data access control in SAC and going from SAC to Datasphere:
What is Data Access Control (DAC) in SAC?
The different types of DAC: dimension-based and role-based
Benefits and drawbacks of both dimension-based and role-based controls
Which Type of Data Access Control Is Best for Different Situations
What is Data Access Control (DAC)?
Data Access Controls (DACs) are essential for ensuring that users have appropriate levels of access to data based on their roles and responsibilities. They protect sensitive data and give users access only to the information they need to perform their jobs effectively, which is critical for maintaining data security, privacy, regulatory compliance, and operational efficiency within an organization.
What are the Different Types of DAC?
There are two types of DAC within SAC:
Dimension-Based
Role-Based
For the examples below, covering both dimension-based and role-based data access controls, I created a very simple dataset and story. It consists of 3 drink departments:
Soft drinks
Juices
Water
Dimension-Based
In SAP Analytics Cloud (SAC), Data Access Control (DAC) can be used to restrict users' access to specific dimension members. In this scenario, DAC is applied to a dimension of an analytical or planning model to restrict a user's access to specific data within the dataset.
Example Scenario:
From the manager’s account, DAC settings are configured to grant the analyst user read-only access specifically to the Soft Drinks department. As a result, when this user accesses the story, they can only view information related to Soft Drinks and do not have access to data from the Juices or Water departments. This ensures that sensitive or irrelevant data remains secure, and that the user only sees the information appropriate to their role.
Dimension-Based Section
Dimensions in SAC are derived from an analytical or planning model. For instance, in our drinks department data model, we have dimensions like ‘Drink Department’, ‘Version’, and ‘Region’. Let's consider the ‘Drink Department’ dimension, which includes categories like Soft Drinks, Juices, and Water. Open the relevant model within the Modeler app. Your model will open to a screen like this, where you will select the relevant dimension; in this scenario, it will be Drink_Department.
Enable Data Access Control (DAC)
In the modeler, choose the model that contains the dimension you want to apply DAC on. For example, select the drink data model. In the model, locate and select the dimension for which you want to restrict access. In our example, this is the ‘Drinks Department’ dimension. Click on the Details button on the top bar. This will open a window on the right-hand side. You want to look for the Data Access Control settings. Toggle the Data Access Control switch to 'On'. This activates DAC for the selected dimension.
Assign Read or Write Values
Once you toggle on the DAC, you will see two columns appear: Read & Write. You can now add users or teams to either the read or write columns. In this scenario, from the manager’s account, we want to configure DAC settings to grant the analyst user (Gemma) read-only access to the Soft Drinks department in the drinks_sales_data model.
Gemma will have read-only access specifically to the Soft Drinks department. As a result, when she accesses the story, she can only view information related to Soft Drinks and does not have access to data from the Juices or Water departments.
Example Outputs in SAC
Before DAC is applied -> All departments' data (Soft Drinks, Juices, Water) are visible.
After DAC is applied -> Only Soft Drinks department data is visible to Gemma.
This ensures that sensitive or irrelevant data remains secure, and that the user only sees the information appropriate to their role. By following these steps, you can effectively manage data access within SAC, ensuring users only access the data relevant to their roles.
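The before/after behaviour described above can be checked with a small model of the Read and Write columns. This is an added example, not SAC code or an SAC API: the user id `gemma`, the team name, the sales figures and the default-deny treatment of members with no matching entry are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample rows standing in for the drinks_sales_data model (values invented).
ROWS = [
    {"Drink_Department": "Soft Drinks", "Region": "North", "Sales": 120},
    {"Drink_Department": "Juices", "Region": "North", "Sales": 80},
    {"Drink_Department": "Water", "Region": "South", "Sales": 60},
    {"Drink_Department": "Soft Drinks", "Region": "South", "Sales": 95},
]

# Hypothetical team membership; teams can be listed in the columns as well as users.
TEAMS = {"Soft Drinks Analysts": {"gemma"}}

@dataclass
class MemberAcl:
    read: set = field(default_factory=set)   # users or teams in the Read column
    write: set = field(default_factory=set)  # users or teams in the Write column

# Read/Write columns for each member of the Drink_Department dimension.
DAC = {
    "Soft Drinks": MemberAcl(read={"gemma"}),
    "Juices": MemberAcl(),
    "Water": MemberAcl(),
}

def principals(user):
    """The user plus every team the user belongs to."""
    return {user} | {team for team, members in TEAMS.items() if user in members}

def allowed(user, member, column, dac):
    """True if the user, or one of their teams, is listed in the given column."""
    acl = dac.get(member)
    # Assumption of this model: a member with no matching entry is hidden.
    return acl is not None and bool(principals(user) & getattr(acl, column))

def visible_rows(user, rows, dac=None, dimension="Drink_Department"):
    """Rows a story would show; dac=None models the DAC switch being off."""
    if dac is None:
        return list(rows)
    return [r for r in rows if allowed(user, r[dimension], "read", dac)]

def visible_members(user, rows, dac=None):
    """Distinct departments the user can see, for a quick before/after check."""
    return sorted({r["Drink_Department"] for r in visible_rows(user, rows, dac)})

if __name__ == "__main__":
    print("Before DAC:", visible_members("gemma", ROWS))
    print("After DAC: ", visible_members("gemma", ROWS, DAC))
```
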
Role-Based
Role-based Data Access Control (DAC) allows senior staff members to create custom roles and assign specific read or write permissions to users. This method is not specific to any single model; instead, the role is applied to all analytical models in the public folder.
Example Scenario:
Imagine you are a manager overseeing data access for different departments within your company. You need to ensure that analysts in the Soft Drinks department can only view data relevant to their work, without accessing information related to other departments. To achieve this, you create a custom role with appropriate permissions and assign it to the relevant analysts - in this case, Gemma, a Soft Drink Analyst.
For instance, a manager can create a custom role that permits analysts in the Soft Drinks department to read only the data related to that department. This custom role can be assigned to any number of users. Consequently, when a user with this assigned role opens the associated story, they will only see data concerning the Soft Drinks department.
Navigate to Security Roles
In SAC, go to Security >> Roles
Create a New Custom Role
Click to create a new custom role. Give the role a name and description. You can also assign the role a specific license type.
Assign Models and Set Access Permissions
Once you click on ‘Create’, you will be brought to a screen where you can select specific models you want to assign the role for. You can also add the Read and/or Write access to the role for the specific model for specific dimensions if needed. In this example we want to add read access for the drinks_sales_data model.
Limited Access: The Read/Write access is defined under the Limited Access option.
Full Access: Full access gives the user both read and write access without any restrictions. The Read/Write access cannot be defined here.
Specify Attribute-Based Access
Here we select the attribute and value to which this role grants read access. For example, if a user is assigned this role, they will only be able to see the Soft Drinks data in the Drinks Department.
Add Users to the Custom Role
Next you must add users to this custom role. You can select as many users as you like. You can also select certain teams if required. In this case we assign Gemma Regan to this role.
Example Output in SAC
Once the user is assigned to this role, they will only be able to see the Soft Drinks data.
Benefits and Drawbacks
Dimension-Based
Benefits | Drawbacks |
Dimension-based controls allow very detailed, specific access permissions, ensuring high security levels. | Managing permissions at such a detailed level can be complex and time-consuming. |
Limits exposure to sensitive data by restricting access to only relevant dimensions. | As the number of data objects grows, maintaining dimension-based access controls can become increasingly difficult. |
Role-Based
Benefits | Drawbacks |
Roles can be easily managed and updated, simplifying the administration of user permissions. | Role-based DAC may require creating multiple roles, potentially one for each team. This can lead to increased complexity and administrative effort in managing and maintaining these roles. |
Role-based controls scale well with organisational growth, as new users can be quickly assigned to existing roles. | The need for specific permissions may lead to the creation of numerous roles, complicating role management. |
Ensures consistent access across users with the same role, reducing the risk of permission errors. | For role-based DAC to work, the model needs to be in the public folder. This may limit the flexibility of data management. If models are stored in private folders for security reasons, they would need to be moved to the public folder to use role-based DAC, potentially exposing sensitive data to broader access than desired. |
Which Type of Data Access Control Is Best for Different Situations
Dimension-Based Data Access Controls
Best For: Environments needing precise access control for specific data dimensions to enhance security.
Considerations: Needs very detailed and specific definitions of dimensions, which can be time-consuming and may require frequent updates to stay accurate.
Role-Based Data Access Controls
Best For: Organizations that need scalable and consistent access controls, making user management and onboarding simpler.
Considerations: Defining roles carefully is essential to prevent excessive permissions and manage role proliferation effectively.
Conclusion
In this first part of our series on Data Access Control (DAC) in SAP Analytics Cloud (SAC), we explored the fundamentals of DAC, including its types and their respective benefits and drawbacks. We discussed the importance of DAC in ensuring data security, privacy, and compliance. Choosing the right type of DAC depends on your organization’s specific needs. For environments requiring precise access control to specific data dimensions, Dimension-Based DAC is ideal. For organizations looking for scalable and easily managed access controls, Role-Based DAC is more suitable.
In the next part of this series, we will delve into whether DAC settings are maintained when data is sent from SAC back to Datasphere.
If you or your colleagues have further questions and would like to understand more about Datasphere, please feel free to contact us - services@seaparkconsultancy.com