Community
Technology Blog Posts by Members
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Beyond Row-Level Security: Implementing Widget-Level Custom Authorization in SAP Analytics Cloud

VijayBhaskaran
Explorer
‎2026 Mar 31 11:47 AM
646

The Challenge: One Dashboard to Rule Them All (But Not Show Them Everything)

We’ve all been there. The Board of Directors requests a "Management Dashboard". They want a 360-degree view of the company: Production efficiency, HR turnover, Finance liquidity, and Sales KPIs all in one place.

But here is the catch: While the CEO wants to see everything, the Head of Production shouldn't be distracted by sensitive HR Payroll charts, and the Sales Lead doesn't need to see the Finance department's deep-dive debt ratios.

The Problem: Standard Row-Level Security (RLS) only filters the data inside the charts. If a user isn't authorized, they often see a "No Data" ghost-chart or a broken visualization. This ruins the Executive Experience.

The Goal: If you aren't authorized to see the data, the chart shouldn't even exist on your screen, or in other words, it should not render.

In SAC, this is achieved by bridging the gap between the User Profile and the Canvas Scripting Engine. We aren't just securing data; we are orchestrating the user interface.

Prerequisites for Success

Before we dive into the "How-To," ensure you have the following in place:

  1. User Mapping Table: A central source (could be an acquired CSV or an import data from any system) that maps User IDs to their respective Functional Areas/KPIs.

  2. Consistent Naming Conventions: Ensure your charts are named logically in the Outline (e.g., Chart_Inv_UnitsChart_Fin_Revenue, Chart_Units_Sold) to make your scripts maintainable.
  3. Dashboard with KPIs visualized: Have a dashboard ready with some charts in it. (In this example., Revenue, Units Sold, and Units in the Inventory are the numeric KPI tiles.)

The image shows you the charts in the dashboard with their respective names.

VijayBhaskaran_0-1772436450202.png

VijayBhaskaran_1-1772436523280.png

Note: Having all the Charts/Widgets in a flow layout panel helps the flexibility of adjusting the position of the widgets based on the visibility of other widgets.

The Solution: Step-by-Step Implementation

1. Defining the Authorization Matrix

Start by creating a specialized model that defines who sees what. This acts as our "Source of Truth" for the UI. 

In this use case, I use Excel as an authorization matrix.

user_idkpi_tiledummy
GE285115rev1
GE283973uni1
GE283973invuni1
GE285115uni1

From the table, we get to know that the user GE285115 can see only "rev" and "uni" kpis, but not the "invuni". And the user GE283973 can see "uni" and "invuni" kpis, but not the "rev" kpi.

Now, using this table from Excel or from any system, create an import model that looks exactly like this.

VijayBhaskaran_2-1772436795005.png

2. The onInitialization Scripting Magic

The heart of this solution lies in the onInitialization event. When the dashboard loads, we don't wait for the user to click anything. We programmatically "audit" the user and hide unauthorized components.

Before implementing the code in the onInitialization, create a table using the Auth model that was created in the previous step with the following fields in it, and make it hidden by default.

VijayBhaskaran_4-1772437309282.png

Here's the code for our example:

Application.showBusyIndicator("Applying Visual level authorization...");
var user_id = Application.getUserInfo();
var i = 0;
Table_1.getDataSource().setDimensionFilter("user_id",user_id.id);
var result = Table_1.getDataSource().getResultSet();
console.log(result);
for(i=0;i<result.length;i++){
	if(result[i]["kpi_tile"].id==="rev")
	{
		Chart_Fin_Revenue.setVisible(true);
	}
	else if(result[i]["kpi_tile"].id==="uni")
	{
		Chart_Units_Sold.setVisible(true);
	}
	else if(result[i]["kpi_tile"].id==="invuni")
	{
		Chart_Inv_Units.setVisible(true);
	} // Add else if incase if you have additional kpis
}
Application.hideBusyIndicator();

And make the default visibility of each chart hidden, as shown below.

VijayBhaskaran_3-1772437130417.png

3. Testing

Logged in as GE283973 (Assumption: This user should see only "Units Sold" and "Units in Inventory" KPI)

VijayBhaskaran_6-1772438921757.png

Logged in as GE285115 (Assumption: This user should see only "Units Sold" and "Revenue" KPI)

VijayBhaskaran_7-1772438967990.png

Lifecycle & Governance:

Maintaining your security matrix shouldn’t be a headache. Whether you’re uploading a flat file or scheduling a job from a source system to the auth model, the admin or the model owner has to maintain it. Always set your import method to "Clean and replace selected version of data." This ensures that as your organizational structure evolves, your dashboard security reflects the current reality, not yesterday’s permissions.

VijayBhaskaran_5-1772438024019.png

Why this matters for the Enterprise

By implementing Visualisation Level Security, you provide:

  • Reduced Cognitive Load: Executives only see what is actionable for them.
  • Clean Authorization: Instead of showing 'No Data' errors or broken charts, the UI dynamically hides unauthorized KPIs, maintaining a professional and secure dashboard layout.
  • Scalability: You maintain one dashboard instead of five different versions for five different departments.

Pro tip: One can pause the refresh for the widgets that are invisible to the users to enhance the dashboard's performance.

I hope this guide helps you elevate your next SAC project from a standard report to a premium executive experience. Have you run into similar challenges with UI-level security? If you have questions or hit a snag during your implementation, feel free to drop a comment below. I’d love to troubleshoot with you and hear your thoughts!

Happy Learning!!!

Vijay Bhaskaran

1 Comment