Stories of the SAP Analytics Cloud offer a dynamic, flexible, and interactive canvas, allowing you to explore data to gain insights that drive informed business decisions. The SAP Analytics Cloud supports many sources of structured and unstructured data, including a live data connection to the SAP HANA Cloud. Especially for stories shared among a large audience, it becomes apparent that limiting access to the data is crucial. The envisioned scenario involves restricting User A, belonging to Region A and Business Unit A, to exclusively view data corresponding to Region A and Business Unit A when accessing the story in the SAP Analytics Cloud.
This blog post explains the implementation of a configuration where the Live Data Model, providing data to the stories, is built upon an SSO connection to the SAP HANA Cloud. The Live Data Model retrieves data from a Calculation View deployed within an HDI container on the SAP HANA Cloud. The Calculation View is secured with an Analytic Privilege, providing precise, row-level control over the data visible to individual users. The Analytic Privilege uses an SQL Expression that references an authorization table to identify the specific portion of data accessible to the user.
If you follow the steps of this blog post, you will understand how data in the SAP HANA Cloud backend is dynamically filtered, depending on the specific user accessing the SAP Analytics Cloud story.
In the SAP Analytics Cloud, go to your Connections and create a new Connection. Expand the Connect to Live Data section and select SAP HANA. Give the new connection a name and copy the host name of the HDI container into the Host field. Under Authentication Method choose SAML Single Sign On and copy the Provider Name and download the certificate before you proceed with setting up the trust relationship between SAP HANA Cloud and SAP Analytics Cloud. Continue with the next steps before you select OK and finish creating this connection.
Follow these steps in the SAP HANA Cockpit:
To enable SAP Analytics Cloud users to access the SAP HANA Cloud system, it is necessary to establish a mapping to an SAP HANA Cloud user:
Return to the creation of the connection in the SAP Analytics Cloud and save it. For more details about this section, you may refer to the official documentation.
At this point, it is recommended to confirm that the SSO connection is working. Access the SAP Analytics Cloud and launch the Modeler to initiate the creation of a new model from a live data connection. Choose SAP HANA as the System Type and select the connection created in Step 1. Choose the desired Calculation View in the Data Source field. Successful connection results in the appearance of Measures and Dimensions from the selected Calculation View in the Modeler. Save the model for future use.
In the existing configuration, every user on the SAP Analytics Cloud mapped to SAP HANA Cloud has visibility to all data within the Calculation View. Next, we aim to modify the Calculation View by incorporating an Analytic Privilege, restricting data access exclusively to users with a designated role.
The upcoming steps lay the groundwork for implementing user-based data filtering:
{
  "role": {
    "name": "name_of_role",
    "object_privileges": [
      {
        "name": "name_of_calculation_view",
        "type": "VIEW",
        "privileges": [
          "SELECT"
        ]
      }
    ],
    "schema_analytic_privileges": [
      {
        "schema_reference": "name_of_schema",
        "privileges": [
          "name_of_analytic_privilege"
        ]
      }
    ]
  }
}

{
  "name_of_role": {
    "name_of_schema": {
      "schema": "name_of_schema"
    }
  }
}
Utilizing the SSO-Connection, we can uniquely identify the SAP HANA Cloud user (DEMOUSER_SSO). In this section, we make use of this capability to establish conditions that precisely define the data visible to the user.
The Model comprises various Dimensions, including "Region" and "Business_Unit" among others. The data filter is intended to target these two columns of the Calculation View. To handle the data access for multiple users, it is recommended to create a dedicated table to determine which filters are applied to one user. Executing these steps leads to the creation of a new table, which is subsequently referenced in managing user-based data access:
COLUMN TABLE "USER_ACCESS_FILTERS" (
    "USER_NAME" NVARCHAR(50),
    "Region" NVARCHAR(256),
    "Business_Unit" NVARCHAR(256)
)
As a last step, an SQL Expression is added to the Analytic Privilege to utilize the "USER_ACCESS_FILTERS" table. The SQL SESSION_USER function is used to match the rows of the "USER_ACCESS_FILTERS" table to the user for whom the Analytic Privilege is evaluated. Here is an example of what the SQL Expression might look like:
("Region" IN (SELECT DISTINCT "Region" FROM "name_of_schema"."USER_ACCESS_FILTERS" WHERE "USER_NAME" = SESSION_USER))
AND
("Business_Unit" IN (SELECT DISTINCT "Business_Unit" FROM "name_of_schema"."USER_ACCESS_FILTERS" WHERE "USER_NAME" = SESSION_USER))
The SQL Expression defines the WHERE clause for the SELECT operation executed on the Calculation View. The Region and Business Unit records are filtered for the entries in the "USER_ACCESS_FILTERS" table that match the SESSION_USER (DEMOUSER_SSO). The SQL Expression can be modified to accommodate various scenarios, provided that it remains a valid WHERE clause.
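The effect of this expression on concrete rows, as an added example that is not part of the original post: it runs the same two IN subqueries in an in-memory SQLite database, with SESSION_USER replaced by a bound parameter and a hypothetical table CALC_VIEW standing in for the Calculation View. The sample rows, USER_B and the pairwise variant PAIR_FILTER are constructed for illustration; whether the pairwise form is accepted in an Analytic Privilege has to be checked on the HANA system.

```python
import sqlite3

# The page's expression; SESSION_USER becomes the bound parameter :u (SQLite stand-in).
PAGE_FILTER = '''
("Region" IN (SELECT DISTINCT "Region" FROM "USER_ACCESS_FILTERS" WHERE "USER_NAME" = :u))
AND
("Business_Unit" IN (SELECT DISTINCT "Business_Unit" FROM "USER_ACCESS_FILTERS" WHERE "USER_NAME" = :u))
'''

# Hypothetical pairwise variant (not from the page): a row is visible only when
# its exact (Region, Business_Unit) combination is listed for the user.
PAIR_FILTER = '''
EXISTS (SELECT 1 FROM "USER_ACCESS_FILTERS" f
        WHERE f."USER_NAME" = :u
          AND f."Region" = v."Region"
          AND f."Business_Unit" = v."Business_Unit")
'''

def build_db():
    """Constructed sample data; CALC_VIEW stands in for the Calculation View."""
    db = sqlite3.connect(":memory:")
    db.executescript('''
        CREATE TABLE "USER_ACCESS_FILTERS" ("USER_NAME" TEXT, "Region" TEXT, "Business_Unit" TEXT);
        CREATE TABLE "CALC_VIEW" ("Region" TEXT, "Business_Unit" TEXT, "Revenue" INTEGER);
    ''')
    db.executemany('INSERT INTO "USER_ACCESS_FILTERS" VALUES (?, ?, ?)', [
        ("DEMOUSER_SSO", "EMEA", "Retail"),
        ("DEMOUSER_SSO", "APJ", "Wholesale"),
        ("USER_B", "EMEA", "Retail"),
    ])
    db.executemany('INSERT INTO "CALC_VIEW" VALUES (?, ?, ?)', [
        ("EMEA", "Retail", 100), ("EMEA", "Wholesale", 200),
        ("APJ", "Retail", 300), ("APJ", "Wholesale", 400), ("AMER", "Retail", 500),
    ])
    return db

def visible_rows(db, user, where):
    """Rows of the stand-in view that pass the given filter for this session user."""
    sql = f'SELECT "Region", "Business_Unit" FROM "CALC_VIEW" v WHERE {where} ORDER BY 1, 2'
    return db.execute(sql, {"u": user}).fetchall()

def over_granted(db, user):
    """Combinations the page's filter exposes that are not listed as a pair for the user."""
    return sorted(set(visible_rows(db, user, PAGE_FILTER)) - set(visible_rows(db, user, PAIR_FILTER)))

if __name__ == "__main__":
    db = build_db()
    for user in ("DEMOUSER_SSO", "USER_B", "UNLISTED_USER"):
        print(user, visible_rows(db, user, PAGE_FILTER), over_granted(db, user))
```

Because the two IN conditions are evaluated independently, a user with several rows in "USER_ACCESS_FILTERS" sees every combination of the listed regions and business units, while a user with no exactly matching "USER_NAME" row sees nothing.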
The advantages of implementing this configuration become most evident when sharing the SAP Analytics Cloud story with a broad audience. As of now, only the user DEMOUSER_SSO is granted access to the story. To facilitate the onboarding of additional users with personalized data access, these three steps provide guidance:
Adding multiple users in one batch is possible by executing an SQL script in either the HANA Cloud Cockpit or the SAP HANA Database Explorer. Through the SQL script, you not only add users but also establish a connection to the identity provider and assign the Analytic Privilege role to each user.
The underlying scenario demonstrates the feasibility of implementing user-based data access control seamlessly between SAP Analytics Cloud and SAP HANA Cloud accessing live data. It is worth emphasizing that users intending to execute the outlined steps require access to the root HDI container with the tables referenced in the Calculation View, as well as administrative access to the SAP HANA Cloud Cockpit. Overall, this integration use case contributes to an enhanced, secure, and tailored analytics experience within the SAP Analytics Cloud.