• Justin Muldoon

Assuring Data Security & Compliance in SAP Analytics Cloud

Updated: Apr 7, 2021

How to Simplify Data Security Through Data Access Controls

I spent the beginning of my career in data analytics, receiving and building reports in Excel. While other technologies existed, Excel was the standard and how it had always been done. A mentality of, “If it isn’t broken, why fix it?”.  I was trained to write Visual Basic for Application (VBA) scripting to process workbooks into separate tabs or individual workbooks based on a variety of constraints including location and product. Due to the nature of the data, many times we needed to password protect each workbook. Managing dozens of workbooks and passwords was not only cumbersome but left much to be desired in the way of security. 

Luckily, the days of “Excel databases” are fading with new technologies such as SAP Analytics Cloud (SAC) making data management and security easier than ever.

Data Security within SAP Analytics Cloud The Basics

Within SAC there are three cornerstones of access provisioning that form the groundwork of all security within the system. Without properly defining these three access points, there could be security lapses and necessary functionality not enabled for the right users.

Each of the three User, Team, and Role security provision types allows different nuances to access within SAC.

Users are the singular accounts for persons utilizing the platform. Secured by a unique username and password.

Roles are what assigns a specific license to a user (BI, Planning, Concurrent, etc.) and which functionalities they may use.  They also define the permissions of what a user or team may view, edit, or create.

Teams are groups of users. They are useful for when a group of users in need of identical accesses into a certain folder structure or group of models/stories. For example, separating financial information from Human Resource information. 

Introduction to Data Access Controls

While Users, Roles, and Teams will help ensure compliance at a structural level, in many cases, users tend to require additional security around data as well. This is where Data Access Controls (DAC) come in handy. These controls allow read and/or write access to subsets of data, based on dimension values. Think of this control as a filter in the model instead of the story. Building this filter in the model will increase story speed, but also ensure the filter cannot be turned off or broken within the story, thereby avoiding a breach of security. Can the simple toggle of a switch really eliminate the need for dozens of workbooks and passwords?  Almost.

As an example, a client has a model with sales revenue across ten territories in the United States.  Your sales org uses this model to track their progress to goal, and the sales management uses it to track performance and forecast future revenue goals. We want the sales reps to see all revenue tied only to their territory and the sales management to see the performance of only the territories they oversee.  

Traditionally this data segmentation may be done through different pages or different stories altogether. With data access controls, we can tie each team to their territory in the model so the teams will only see their sales revenues when viewing the same story. 

Setting Up Data Access Controls

While the setup of data access controls is straightforward and intuitive, it relies on a solid foundation to be effective.

Firstly, you must create teams, separating users based on their data access requirements. If there are reps spread across multiple territories, this is ok. Users may be added to as many teams as necessary. Teams will be created for each territory, then another team will be created for the sales manager. Since the reps will only need view access, but the manager will need the ability to use planning capabilities, they will need different roles, and in turn, different teams. 

Next, the dimension that will be used for segmentation will be selected and the data access control enabled.

Lastly, for each dimension member, a territory team from the first step will be attributed to the “Read” column to allow access, and a sales manager team will need to be attributed to the “Write” column. In DAC, "Write" permission contains "Read" ability as well. In the example above, we discussed a dimension containing territories.  Teams will be created for each territory, containing the users in each of those territories, and another set of teams for the sales managers. Each dimension member containing a territory will receive both a team for sales reps and a team for management, allowing both groups to see the data within designated territories. Teams may be attributed to as many dimension members as needed.

SAP Analytics Cloud has made report segmentation and distribution an efficient and secure process. What took hours monthly, now can be completed in about thirty minutes, as a one-time activity. The only password needed will be the user’s password to access SAC, and the only place access will be controlled is the model.  Fewer steps and fewer security access points leads to stronger compliance and easier audit.   

Ready to begin your learning journey with Analysis Prime University? Browse our course catalogue and start skilling-up for the future today. Need help getting started? Contact us for additional information.


About the Author: Justin Muldoon

Justin Muldoon is a Consultant on the Experts as a Service team at Analysis Prime focusing on SAP Analytics Cloud. He works as a trusted advisor to multiple clients in the realms of business intelligence, data visualization, and model architecture. He has also worked with Analysis Prime University to sculpt interactive lessons and best in class content. In his free time, Justin is an avid cyclist and enjoys all things rugby; playing, coaching, and refereeing for over a decade.