Design SAP Analytics Cloud Reporting SECURITY model
- kinjar patel
- Feb 24, 2020
The SAP standard security solution is to be implemented, with access to confidential data restricted. Restrictions will work at two levels:
+ Component Level: using the structure to restrict different InfoProviders, i.e. reports, cubes, objects, data sets, etc.
+ Data Level: using Authorisations to restrict on characteristics like Company Code, Plant, etc., or org levels.
If required, users will be granted access to create ad hoc reports for self-service reporting. Users will only be allowed to create these reports under a specific naming convention (i.e. Z_ADHOC*), and their access will be restricted to their own reports.
Development and administration of roles in reporting will depend on the overall strategy for BW (i.e. Embedded or a separate BW system). Technically, however, reporting role development is similar to that of the S/4 system and will follow best practices. Technical details will be documented in the detailed solution design document for reporting.
SAP Analytics Cloud security will be manually maintained. However, it will continue to be aligned with the S/4 Security approach already in place.

S/4HANA integration with SAC
SAC Role
A Role can contain many Users and a User can be in many Roles. Multiple roles are needed because a single role can only consume one license type per application (Analytics Hub, BI, Planning Pro, and Planning Standard) and one license type per user license (named user, concurrent session).
SAC Team
A Team can contain multiple users and a user can belong to multiple Teams. Teams can have their own folder, but this is generally more problematic than beneficial.
SAC Rights
Rights are assigned to objects (folder/file) by Teams and/or Users (not Roles). SAP Analytics Cloud's folder/team/role structures are separately maintained in alignment with the S/4HANA security design, with some level of automation of user and/or team provisioning and role assignment depending on which option below is adopted. The dynamic user creation method will be the preferred option for driving automation around user creation and role assignment within SAC.
Control measures for dynamic user creation can utilise AD (ADFS as IdP) group membership to ensure that only appropriate users receive a SAML assertion, which enables automated user account provisioning within SAC.
The table below provides more information on the options available in SAC for user, team and role provisioning.
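Because SAC security is maintained manually while account creation is gated by AD group membership, the two can drift apart. The following added example (not from the original post or from SAP) reconciles a SAC user export against AD group membership and flags accounts, roles and teams that no approved group justifies. The group, team and role names, the mapping and both input shapes are assumptions, and the sample data is constructed.

```python
"""Reconcile SAC users against the AD groups that gate dynamic user creation.

Added example. Group, team and role names and the two input shapes are
assumptions; the sample data below is constructed.
"""

# Hypothetical mapping kept in line with the S/4HANA role design:
# AD group -> (SAC team, SAC role).
GROUP_MAP = {
    "SAC_BI_FINANCE": ("TEAM_FINANCE", "ROLE_BI_VIEWER"),
    "SAC_BI_PLANT": ("TEAM_PLANT", "ROLE_BI_VIEWER"),
    "SAC_PLAN_FINANCE": ("TEAM_FINANCE", "ROLE_PLANNING_STD"),
}


def expected_access(ad_groups):
    """Teams and roles a user should hold, derived only from approved groups."""
    hits = [GROUP_MAP[g] for g in {x.upper() for x in ad_groups} if g in GROUP_MAP]
    return {t for t, _ in hits}, {r for _, r in hits}


def audit(ad_membership, sac_users):
    """Return sorted (user, finding) pairs where SAC has drifted from AD."""
    findings = []
    for user, actual in sac_users.items():
        teams, roles = expected_access(ad_membership.get(user, []))
        if not roles:
            findings.append((user, "no approved AD group: account should not exist"))
            continue
        for role in sorted(set(actual["roles"]) - roles):
            findings.append((user, f"role not backed by AD group: {role}"))
        for team in sorted(set(actual["teams"]) - teams):
            findings.append((user, f"team not backed by AD group: {team}"))
    return sorted(findings)


# Constructed sample data: AD group membership and a SAC user export.
AD = {
    "alice": ["SAC_BI_FINANCE"],
    "bob": ["sac_plan_finance", "Domain Users"],
    "carol": ["Domain Users"],
}
SAC = {
    "alice": {"teams": ["TEAM_FINANCE"], "roles": ["ROLE_BI_VIEWER", "ROLE_PLANNING_STD"]},
    "bob": {"teams": ["TEAM_FINANCE"], "roles": ["ROLE_PLANNING_STD"]},
    "carol": {"teams": ["TEAM_PLANT"], "roles": ["ROLE_BI_VIEWER"]},
}

if __name__ == "__main__":
    for user, finding in audit(AD, SAC):
        print(f"{user}: {finding}")
```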

Hope you enjoyed reading!