If you are a system administrator, the following information helps you to understand how the authorization concept of SAP Cloud for Analytics is related to the backend SAP HANA system.
SAP Cloud for Analytics uses its own authorization concept and tool to define and manage authorizations in the application. However, because all backend SAP HANA access is performed under the identity of the current end user, the required SAP HANA authorizations and roles must also be assigned to that user. This is handled automatically during role assignment in SAP Cloud for Analytics. Therefore, the authorization guidelines described in the SAP HANA Security Guide also partially apply to SAP Cloud for Analytics.
10.1.1 Dependencies between Roles, Users, and Authorizations
The following information explains how roles, users, and authorizations in SAP Cloud for Analytics and in SAP HANA are related.
The following diagram illustrates the connection between roles and authorizations:
The application role contains the authorizations and can be assigned to an end user in the user management of SAP Cloud for Analytics. When the system administrator creates a new application role, an SAP HANA role is generated accordingly that includes the SAP HANA privileges required to perform all tasks defined in the application role. When an application role is assigned to an end user, the corresponding SAP HANA role is automatically assigned to that user, too.
Note
In SAP Cloud for Analytics, users can also request the application role with a self-service feature.
All levels of authorization that are granted directly or indirectly through roles to a user are combined: Whenever a user accesses an object, the system performs an authorization check on the user, the user's roles, and the directly granted authorizations.
Note
As the owner of an object or a resource, you always have all privileges on that object or resource.
10.1.2 User Administration Tools
Find a list of all tools a system administrator uses to manage users of SAP Cloud for Analytics.
Table 29: User Administration Tools
Tool | Purpose
SAP Cloud for Analytics Web Client | Manages the end user in SAP Cloud for Analytics.
User editor of SAP HANA Studio; SAP HANA HDBSQL | Sets up the database service user for SAP Cloud for Analytics and manages the password policy in the system.
SAP HANA Cloud Platform Cockpit | Sets up the connection between HANA XS and the Cloud Java Service in SAP Cloud for Analytics.
10.1.3 Standard Application Roles
SAP Cloud for Analytics is delivered with several standard application roles.
You can assign the standard application roles directly to end users or, if you have different business needs, you can use them as a template for defining new roles.
Table 30: Standard Roles
Role | Description
Admin | Planning Administrator: Full Privileges. Includes all task authorizations available in SAP Cloud for Analytics. Usually assigned to the system administrator to set up users and roles and to perform system transports.
Modeler | Planning Modeler: Modelling Privileges. Includes all authorizations that are required to manage models and dimensions. Usually assigned to the user who creates and changes models and dimensions.
Planner_Reporter | Planning and Reporting Privileges. Includes all authorizations that are required to perform planning activities such as report design and revenue planning. Usually assigned to the user who does the planning and budgeting.
Viewer | Planning Viewer: Read Privileges. Includes the read-only privilege for reports. Usually assigned to the user who is allowed only to read the data.
BI_Admin | Business Intelligence Administrator: Full Privileges. Includes all task authorizations excluding those related to planning. Usually assigned to the BI system administrator to set up users and roles.
BI_Content_Creator | Business Intelligence Content Creator: Create and Update Privileges. Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions.
BI_Content_Viewer | Business Intelligence Viewer: Read Privileges. Includes the read-only privilege for non-planning reports. Usually assigned to the user who is allowed only to read the data.
HCP_Content_Creator | HCP Content Creator: Create and Update Privileges. Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions.
HCP_Content_Viewer | HCP Content Viewer: Read Privileges. Includes the read-only privilege for non-planning reports. Usually assigned to the user who is allowed only to read the data.
Note
The HCP roles (HCP_Content_Creator and HCP_Content_Viewer) allow access only to SAP HANA Cloud Platform (HCP) as a data source.
10.1.4 Authorization Levels
You can define authorization on three different levels: on activities, on model data, and on resources.
Table 31: Authorization Levels
Authorization on | Applicable to | Description
Activities | User activities, models, dimensions | Defines the activity that the user is allowed to perform in the system (for example, Lifecycle), on an object type (for example, create a model), or on individual objects (for example, edit the dimension Account).
Data | Transaction data of a model | Defines access to the transaction data of a specific model.
Resource | Reports, input schedules, folders, files | Defines access to individual resources from the Files area.
10.1.5 Authorizations on Activity Level
You can control activities on specific business objects.
When creating roles in user management, the administrator defines the authorizations by activity levels for every business object. Once you have created or imported users, the activity authorizations are indirectly granted to a user through role assignment.
Table 32: Authorizations on Activity Level
Object | Activity | Description
Dimension | Create/Read/Update/Delete | Create, read, update, and delete a dimension
Dimension | Maintain | Update members in a dimension
Currency Conversion | Create/Read/Update/Delete | Create, read, update, and delete a dimension
Currency Conversion | Maintain | Update members during a currency conversion
Model | Create/Read/Update/Delete | Create, read, update, and delete a model
Model | Maintain | Import transaction data into a model
KPI | Create/Read/Update/Delete | Create, read, update, and delete a model
KPI | Execute | Calculate a KPI
KPI | Share | Share a KPI with other users
Role | Create/Read/Update/Delete | Create, read, update, and delete a role
User | Create/Read/Update/Delete | Create, read, update, and delete a user
Activity Log | Read | Read an activity log
Data Change Log | Read | Read a data change log
Lifecycle | Maintain | Manage the content lifecycle (import, export, transport)
Event Category | Read/Update | Read/change an event category
External Connection | Read | Connect to an external system
External Connection | Update | Manage the connection to an external system
Related Information
● Creating Business Users
● Creating Roles
● Activity Auditing
● Standard Application Roles
10.1.6 Authorizations on Data
You can control access to the transactional data of a model.
The following example illustrates how the data permissions that are defined in the Data Access dialog of the selected model restrict what a user can do with the model.
Example
The model has the following dimensions:
● Account: Access control enabled
● Organization: Access control enabled
● Version
● Time
The user who created the model has defined data access for the Account dimension as follows:
Table 33: Data Access for the Account Dimension
Member ID | Read | Write
P00001 | MARTIN_BRODY | MARTIN_BRODY
P00002 | MATT_HOOPER | MATT_HOOPER
The user who created the model has defined data access for the Organization dimension as follows:
Table 34: Data Access for the Organization Dimension
Member ID | Read | Write
EMEA | MARTIN_BRODY | MARTIN_BRODY
Germany | - | -
France | - | -
APJ | MATT_HOOPER | MATT_HOOPER
US | |
China | - | -
The model has the following data:
Table 35: Model Data
Organization | Public Version: Account.P00001 | Public Version: Account.P00002
EMEA | 300 | 400
Germany | 200 | 300
France | 100 | 100
APJ | 400 | 500
US | 200 | 300
China | 200 | 200
When Martin Brody opens his report and adds the organization to the rows and the account to the columns, he sees only the following data:
Table 36: Data Visible to Martin Brody
Organization | Public Version: Account.P00001
EMEA | 300
Germany | 200
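The combination of per-dimension data access grants described above, as an added example that is not part of the guide or of SAP's own code: a small Python model of the grants in Tables 33 and 34 applied to the data in Table 35. It assumes that a cell is readable (or writable) only if every access-controlled dimension grants the user that access on the cell's member, that unknown members and unknown users are denied, and that dimensions without access control (Version, Time) are not checked; dimension hierarchies are not modelled, so it reproduces the EMEA row of Table 36 but not the Germany row, which depends on how the product inherits access within the Organization hierarchy.

```python
"""Added example (not SAP code): combining per-dimension data access grants.

Assumptions (not stated by the guide): a cell is accessible only if every
access-controlled dimension grants the user access on the cell's member;
unknown members and users are denied; no hierarchy inheritance is modelled.
"""
from typing import Dict, FrozenSet, List, Tuple

Grant = Tuple[FrozenSet[str], FrozenSet[str]]  # (users who may read, users who may write)


def grant(*users: str) -> Grant:
    """Same user list for read and write, as in both tables of the example."""
    return (frozenset(users), frozenset(users))


# Access-controlled dimensions only; constructed from Tables 33 and 34.
DATA_ACCESS: Dict[str, Dict[str, Grant]] = {
    "Account": {"P00001": grant("MARTIN_BRODY"), "P00002": grant("MATT_HOOPER")},
    "Organization": {
        "EMEA": grant("MARTIN_BRODY"), "Germany": grant(), "France": grant(),
        "APJ": grant("MATT_HOOPER"), "US": grant(), "China": grant(),
    },
}

# Transaction data from Table 35 (public version), flattened to one record per cell.
MODEL_DATA: List[dict] = [
    {"Organization": org, "Account": acct, "Version": "Public", "Value": val}
    for org, p1, p2 in [("EMEA", 300, 400), ("Germany", 200, 300), ("France", 100, 100),
                        ("APJ", 400, 500), ("US", 200, 300), ("China", 200, 200)]
    for acct, val in (("P00001", p1), ("P00002", p2))
]


def may_access(user: str, cell: dict, mode: str = "read") -> bool:
    """True only if every access-controlled dimension grants `mode` on the cell's member."""
    idx = {"read": 0, "write": 1}[mode]
    for dim, members in DATA_ACCESS.items():
        member_grant = members.get(cell.get(dim))  # missing or unknown member: deny
        if member_grant is None or user not in member_grant[idx]:
            return False
    return True


def allowed_cells(user: str, mode: str = "read") -> List[Tuple[str, str, int]]:
    """(organization, account, value) triples the user may access, in Table 35 order."""
    return [(c["Organization"], c["Account"], c["Value"])
            for c in MODEL_DATA if may_access(user, c, mode)]


if __name__ == "__main__":
    for who in ("MARTIN_BRODY", "MATT_HOOPER", "SOMEONE_ELSE"):
        print(who, allowed_cells(who))
```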
10.1.7 Authorizations on Resources
You can control access to resources such as folders and reports stored in the Files area. You can grant the following permissions on a resource that you have created:
● Full Access: includes all other permissions
● Update
● Read
● Delete
● In addition, the following permissions are applicable for folders:
○ Create new folder
○ Create new document
Note
Access rights on a folder can be propagated to sub-folders and resources.
How can I define access to a resource?
If you have created a resource, you always have full access to that resource. You can also define permissions for other users on your resource using the following methods:
● In the Files area, select the resource and choose Manage > Assign Permissions. In the dialog, choose the users and the appropriate permissions, for example, Delete.
● In the Files area, every user has a private folder. If a user creates a resource in their private folder, the file is not accessible to other users. To make a resource that was created in a private folder accessible to other users, the user can share the resource with others. To do so, select the resource, then from the menu choose Share. In the dialog, choose one or more users.
Note
Once a user has shared a resource, it cannot be further shared by other users.