Analytic Privileges restrict users from viewing sensitive data for which they are not authorized. They are used to enable data access in calculation views by filtering the data based on the values of one or more attributes.
Figure 1: Process Flow
User A is responsible for sales data only for one Sales Office/Region, say Gurgaon, and must not have access to sales data for other offices/regions. Similarly, User B and User C are responsible for sales data only for the Mumbai and Bangalore Sales Offices/Regions respectively and must not have access to sales data for other offices/regions.
Pre-requisite:
Open Business Application Studio (BAS)
Figure 2: Business Application Studio
Login to Cloud Foundry (Navigation: View -> Find Command -> Search CF: Login to Cloud Foundry)
Figure 3: Login to Cloud Foundry
Note: Make sure your Cloud Foundry endpoint is correct.
Select Cloud Foundry Organization and Space, click Apply.
Figure 4: Select target Cloud Foundry Org. and Space
Navigate to the project folder (the path where the analytic privilege will be created) and create an Analytic Privilege folder.
Figure 5: Analytic Privilege Folder
Create a .hdbanalyticprivilege file (SALES_VIEW_GURGAON.hdbanalyticprivilege) to restrict the user based on the Gurgaon Sales Office.
Figure 6: .hdbanalyticprivilege File
Click the Add button under Secured Model and search for the calculation view to secure.
Figure 7: Search Calculation Views
Click the Add button under Associated Attributes Restriction and select the field to restrict.
Figure 8: Select Field
Click the Restriction button under Restriction Type and search for the field value to restrict.
Figure 9: Select Field Value
Similarly, create Analytic Privilege for other sales regions/offices e.g. Mumbai and Bangalore.
Before deploying the Analytic Privilege, we have to enable/map SQL Analytic Privileges in the selected Calculation View. Navigate to Calculation View -> Semantics -> View Properties -> General -> Apply Privileges.
Figure 10: Map SQL Analytic Privileges
Click the rocket button to deploy the Calculation View first, and then deploy all Analytic Privileges.
Figure 11: Deploy Analytic Privilege
Analytic Privileges deployed and created successfully.
Navigate to the roles folder under src (create the roles folder if it is missing) and create a .hdbrole for the Gurgaon sales region/office. Assign the object privilege (on the selected calculation view) and the Analytic Privilege.
Figure 12: .hdbrole
Create a .hdbroleconfig file under the roles folder for the Gurgaon sales region/office and assign the reference schema.
Figure 13: .hdbroleconfig
Similarly, create and deploy roles for the Mumbai and Bangalore sales regions/offices.
Open SAP BTP Cockpit and launch SAP HANA Database Explorer.
Figure 14: SAP BTP Cockpit
Execute the SQL commands below to assign roles to users.
Figure 15: Role Assignment
Roles successfully assigned to users i.e. KK-GURGAON, KK-MUMBAI, KK-BANGALORE, KK
Check if user has access to view sales data for all the sales regions/offices
Figure 16: All sales offices access
User has access to view sales data for all the sales regions/offices
Check if user has access to view sales data only for Gurgaon sales region/office
Figure 17: Only Gurgaon sales office access
User has access to view sales data only for Gurgaon sales region/office
Check if user has access to view sales data only for Mumbai sales region/office
Figure 18: Only Mumbai sales office access
User has access to view sales data only for Mumbai sales region/office
Check if user has access to view sales data only for Bangalore sales region/office
Figure 19: Only Bangalore sales office access
User has access to view sales data only for Bangalore sales region/office
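The four checks above can be turned into a repeatable test that flags any user who sees an office outside their role. The Python below is an added example, not code from the original post; the column name SALES_OFFICE, the sample rows and the reading of KK as the all-offices user are assumptions, and in practice `observed` would hold the rows each user's SELECT on the calculation view returns.

```python
# Added example: audit that per-office analytic privileges isolate users.
# SALES_OFFICE (column name) and all rows below are constructed sample data.

ALL = None  # marker: this user is expected to see every sales office
OFFICES = {"Gurgaon", "Mumbai", "Bangalore"}

# Expected visibility per user, taken from the scenario on this page
# (assumption: KK is the user allowed to see all offices).
EXPECTED = {
    "KK": ALL,
    "KK-GURGAON": {"Gurgaon"},
    "KK-MUMBAI": {"Mumbai"},
    "KK-BANGALORE": {"Bangalore"},
}

def rows(*offices):
    """Build constructed result rows, one per office."""
    return [{"SALES_OFFICE": o, "AMOUNT": 100} for o in offices]

def audit(expected, observed, all_offices):
    """Compare the offices each user can see with what the role should allow.

    Returns {user: {"leaked": set, "missing": set}} for deviating users only.
    A user absent from `observed` is treated as seeing no rows.
    """
    findings = {}
    for user, allowed in expected.items():
        want = set(all_offices) if allowed is ALL else set(allowed)
        seen = {r["SALES_OFFICE"] for r in observed.get(user, [])}
        leaked, missing = seen - want, want - seen
        if leaked or missing:
            findings[user] = {"leaked": leaked, "missing": missing}
    return findings

# Constructed result sets: a correct setup, and one where KK-MUMBAI also
# sees Bangalore rows (for example, because an extra role was assigned).
OBSERVED_OK = {
    "KK": rows("Gurgaon", "Mumbai", "Bangalore"),
    "KK-GURGAON": rows("Gurgaon"),
    "KK-MUMBAI": rows("Mumbai"),
    "KK-BANGALORE": rows("Bangalore"),
}
OBSERVED_LEAK = {**OBSERVED_OK, "KK-MUMBAI": rows("Mumbai", "Bangalore")}

if __name__ == "__main__":
    print(audit(EXPECTED, OBSERVED_OK, OFFICES))
    print(audit(EXPECTED, OBSERVED_LEAK, OFFICES))
```

An empty result means every user sees exactly the offices their role allows; a "leaked" entry is the finding to act on, while "missing" points at a role or privilege that was not deployed or assigned.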
Analytic privileges allow the same calculation views to be used by different users who might not be allowed to see the same data. Hope this article helps you to achieve your business requirement by restricting users from viewing sensitive data for which they are not authorized.
Feedback, questions and comments are most welcome!
Please follow my profile for future posts on SAP Security and GRC. Also, follow me on LinkedIn.
Happy Learnings!
Krishan Singh Chauhan