Community
Technology Blog Posts by Members
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Datasphere – Architecture and Security Concept

Martin_Kuma
Contributor
‎2024 May 15 10:52 AM
5,849

SAP Datasphere (DSP) design differs from classic BW and therefore, a new approach is needed.

Space is the point of entry. Consider Spaces as Info Areas. Creating spaces and assigning users to specific spaces allows easier security maintenance and more straight forwards consumption. Row-Level data security is still applied however.

Roles Used:

Role

Description  

Space  

System Architect 

System and Cloud Administration

All

Data Architect 

Knows inbound data from all sources

Central

Solution Architect

Works on specific reporting requirements

Functional

 

Spaces Used:

Space

Description

Central

Connections (including Data-Lake access), Data Persistency, DACs, Time and Conversion Tables, Private-Like Views and Reusable-like Views for sharing with Functional spaces

Security

Security Tables, Audit Logs

Functional

Reusable and Query-like views for consumption

External (optional)

For CSV Uploads (if necessary for key users / like BW-Workspace)

For Data Lake (if used)

 

Access Used:

Role

Space  

Access Type

System Architect 

All Spaces

Full

Data Architect 

Central

Full

Data Architect 

Functional

Read

Solution Architect

Central

Read

Solution Architect

Functional

Full

Security Team

Security

Full

Support Team

Central

DIM only

 

Security:

  • Security Tables will be placed in a separate Space to ensure, that only specific users have access to them, but the DACs are built and assigned in the Central Space.
  • Audit Logs will also be placed in this separate Space as the log data are sensitive

Central:

  • All connections – full control of all connections to all source systems
  • Data Lake access 
  • Persist the data (with Task Chains) – full control of the quota
  • Assign DAC (based on shared tables from the Security Space) to the persisted data / views / remote tables
  • Conversion (TCUR*, T006*) tables will be shared as Views
  • Time Tables can be shared directly or as Views
  • Central Space shares Reusable-Like views to Functional spaces.  

Functional:

  • Only functional relevant (virtual) object
  • No data persisted
  • Possible to expand to Branche/Country Spaces. Proper technical name and self-explaining business name is necessary
  • Functional Spaces use shared reusable views from the Central space.

CSV:

  • Purely optional and only used if it is necessary to upload any CSV data (BW-Workspace like)
  • Separate space as the functional spaces should not persist any data

 

Main blog: https://community.sap.com/t5/technology-blog-posts-by-members/bw-vs-datasphere-dsp-amp-sac/ba-p/1428...