Saturday, 14 September 2024

Exploring Data Access Control: Ensuring Consistency from SAC to Datasphere and Back - Blog 1

Introduction

Welcome to the first segment of this two-part series. In this introductory blog, I want to provide an overview of the following key aspects in relation to data access control in SAC and going from SAC to Datasphere:

  • What is Data Access Control (DAC) in SAC?
  • The different types of DAC: dimension-based and role-based
  • Benefits & drawbacks of both dimension-based and role-based controls
  • Which Type of Data Access Control Is Best for Different Situations

What is Data Access Control (DAC)?

Data Access Controls (DACs) are essential for ensuring that users have appropriate levels of access to data based on their roles and responsibilities. They protect sensitive data and give users access only to the information they need to perform their jobs effectively, which is critical for maintaining data security, privacy, regulatory compliance, and operational efficiency within an organization.

What are the Different Types of DAC?

There are two types of DAC within SAC:

  • Dimension-Based
  • Role-Based

For the examples below, covering both dimension-based and role-based data access controls, I created a very simple dataset and story. It consists of 3 drink departments:

  • Soft drinks
  • Juices
  • Water

Dimension-Based

In SAP Analytics Cloud (SAC), Data Access Control (DAC) can be used to restrict users' access to specific dimension members. In this scenario, based on an analytical or planning model, you need to restrict a user's access to specific data within the dataset.

Example Scenario: From the manager’s account, DAC settings are configured to grant the analyst user read-only access specifically to the Soft Drinks department. As a result, when this user accesses the story, they can only view information related to Soft Drinks and do not have access to data from the Juices or Water departments. This ensures that sensitive or irrelevant data remains secure, and that the user only sees the information appropriate to their role.

Steps:

  1. Dimension-Based Section
  2. Enable Data Access Control (DAC)
  3. Assign Read or Write Values
  4. Example Outputs in SAC

1. Dimension-Based Section

Dimensions in SAC are derived from an analytical or planning model. For instance, in our drinks department data model, we have dimensions like ‘Drink Department’, ‘Version’, and ‘Region’. Let's consider the ‘Drink Department’ dimension which includes categories like Soft Drinks, Juices, and Water. Open the relevant model within the Modeler app. Your model will open to a screen like this, where you will select the relevant dimension… in this scenario, it will be the Drink_Department.


2. Enable Data Access Control (DAC)

In the Modeler, choose the model that contains the dimension you want to apply DAC to. For example, select the drink data model. In the model, locate and select the dimension for which you want to restrict access. In our example, this is the ‘Drinks Department’ dimension. Click on the Details button on the top bar. This will open a panel on the right-hand side, where you will find the Data Access Control settings. Toggle the Data Access Control switch to 'On'. This activates DAC for the selected dimension.


3. Assign Read or Write Values

Once you toggle on the DAC, you will see two columns appear: Read & Write. You can now add users or teams to either the read or write columns. In this scenario, from the manager’s account, we want to configure DAC settings to grant the analyst user (Gemma) read-only access to the Soft Drinks department in the drinks_sales_data model.


Gemma will have read-only access specifically to the Soft Drinks department. As a result, when she accesses the story, she can only view information related to Soft Drinks and does not have access to data from the Juices or Water departments.

4. Example Outputs in SAC

Before DAC is applied:

- All departments' data (Soft Drinks, Juices, Water) are visible.


After DAC is applied:

- Only Soft Drinks department data is visible to Gemma.


This ensures that sensitive or irrelevant data remains secure, and that the user only sees the information appropriate to their role. By following these steps, you can effectively manage data access within SAC, ensuring users only access the data relevant to their roles.

Role-Based


Role-based Data Access Control (DAC) allows senior staff members to create custom roles and assign specific read or write permissions to users. This method is not specific to any single model; instead, the role is applied to all analytical models in the public folder.
 
Example Scenario:

Imagine you are a manager overseeing data access for different departments within your company. You need to ensure that analysts in the Soft Drinks department can only view data relevant to their work, without accessing information related to other departments. To achieve this, you create a custom role with appropriate permissions and assign it to the relevant analysts - in this case, Gemma, a Soft Drink Analyst.

For instance, a manager can create a custom role that permits analysts in the Soft Drinks department to read only the data related to that department. This custom role can be assigned to any number of users. Consequently, when a user with this assigned role opens the associated story, they will only see data concerning the Soft Drinks department.

Steps:

  1. Navigate to Security Roles
  2. Create a New Custom Role
  3. Assign Models and Set Access Permissions
  4. Specify Attribute-Based Access
  5. Add Users to the Custom Role
  6. Example Outputs in SAC

1. Navigate to Security Roles

In SAC, go to Security >> Roles


2. Create a New Custom Role

Click to create a new custom role. Give the role a name and description. You can also assign the role a specific license type.


3. Assign Models and Set Access Permissions

Once you click on ‘Create’, you will be brought to a screen where you can select specific models you want to assign the role for. You can also add the Read and/or Write access to the role for the specific model for specific dimensions if needed. In this example we want to add read access for the drinks_sales_data model.


- Limited Access: The Read/Write access is defined under the Limited Access option.
- Full Access: Full access gives the user both read and write access without any restrictions. The Read/Write access cannot be defined here.

4. Specify Attribute-Based Access

Here we select the attribute and value that this role should have read access to. For example, a user who is assigned this role will only be able to see the Soft Drinks data in the Drinks Department.


5. Add Users to the Custom Role

Next you must add users to this custom role. You can select as many users as you like. You can also select certain teams if required.


6. Example Outputs in SAC

Once the user is assigned to this role, they will only be able to see the Soft Drinks data.
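To check that either setup really leaves Gemma with Soft Drinks only, the dimension-based Read column and the role-based custom role can be modelled and audited for least privilege. This is an added example, not SAC code or an SAC API: the user Ravi, the team Juice_Team, the role names, and the sales figures are constructed, and it assumes that a member with nobody in its Read column is hidden.

```python
# Illustrative model of the grants described above; not SAC code or an SAC API.
MEMBERS = {"Soft Drinks", "Juices", "Water"}      # Drink_Department members
ROWS = [("Soft Drinks", 120), ("Juices", 80), ("Water", 60)]  # constructed rows

TEAMS = {"Juice_Team": {"Ravi"}}                  # hypothetical team and user

# Dimension-based: Read/Write columns per dimension member (users or teams).
# Assumption: a member with an empty Read column is visible to nobody listed here.
DIMENSION_DAC = {
    "Soft Drinks": {"read": {"Gemma"}, "write": set()},
    "Juices": {"read": {"Juice_Team"}, "write": set()},
    "Water": {"read": set(), "write": set()},
}

# Role-based: custom roles (hypothetical names). "limited" restricts read to the
# listed attribute values; "full" means read and write without restrictions.
ROLES = {
    "Soft_Drinks_Analyst": {"access": "limited", "read": {"Soft Drinks"}, "users": {"Gemma"}},
    "Drinks_Admin": {"access": "full", "read": set(), "users": {"Ravi"}},
}


def principals(user):
    """The user plus every team the user belongs to."""
    return {user} | {team for team, users in TEAMS.items() if user in users}


def readable_dimension(user):
    """Members whose Read column names the user or one of the user's teams."""
    who = principals(user)
    return {m for m, cols in DIMENSION_DAC.items() if who & cols["read"]}


def readable_role(user):
    """Members readable through the custom roles the user holds."""
    out = set()
    for role in ROLES.values():
        if user in role["users"]:
            out |= MEMBERS if role["access"] == "full" else role["read"]
    return out


def visible_rows(user, readable):
    """Rows of the story the user would see under the given mechanism."""
    allowed = readable(user)
    return [row for row in ROWS if row[0] in allowed]


def excess_access(intended, readable):
    """Per user, members readable beyond what was intended (least-privilege check)."""
    report = {user: readable(user) - want for user, want in intended.items()}
    return {user: extra for user, extra in report.items() if extra}
```

Calling excess_access with the intended access per user flags any Full Access assignment that exposes more departments than planned, which is the case for the constructed user Ravi under the role-based setup.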


Benefits and Drawbacks


Dimension-Based

Benefits:

  • Dimension-based controls allow very detailed, specific access permissions, ensuring high security levels.
  • Limits exposure to sensitive data by restricting access to only relevant dimensions.

Drawbacks:

  • Managing permissions at such a detailed level can be complex and time-consuming.
  • As the number of data objects grows, maintaining dimension-based access controls can become increasingly difficult.

Role-Based

Benefits:

  • Roles can be easily managed and updated, simplifying the administration of user permissions.
  • Role-based controls scale well with organisational growth, as new users can be quickly assigned to existing roles.
  • Ensures consistent access across users with the same role, reducing the risk of permission errors.

Drawbacks:

  • Role-based DAC may require creating multiple roles, potentially one for each team. This can lead to increased complexity and administrative effort in managing and maintaining these roles.
  • The need for specific permissions may lead to the creation of numerous roles, complicating role management.
  • For role-based DAC to work, the model needs to be in the public folder. This may limit the flexibility of data management. If models are stored in private folders for security reasons, they would need to be moved to the public folder to use role-based DAC, potentially exposing sensitive data to broader access than desired.


Which Type of Data Access Control Is Best for Different Situations


Dimension-Based Data Access Controls

Best For: Environments needing precise access control for specific data dimensions to enhance security.

Considerations: Needs very detailed and specific definitions of dimensions, which can be time-consuming and may require frequent updates to stay accurate.

Role-Based Data Access Controls

Best For: Organisations that need scalable and consistent access controls, making user management and onboarding simpler.

Considerations: Defining roles carefully is essential to prevent excessive permissions and manage role proliferation effectively.

Conclusion

In this first part of our series on Data Access Control (DAC) in SAP Analytics Cloud (SAC), we explored the fundamentals of DAC, including its types and their respective benefits and drawbacks. We discussed the importance of DAC in ensuring data security, privacy, and compliance. Choosing the right type of DAC depends on your organization’s specific needs. For environments requiring precise access control to specific data dimensions, Dimension-Based DAC is ideal. For organizations looking for scalable and easily managed access controls, Role-Based DAC is more suitable.
