Model and Version Security

You can apply security settings to models and dimensions, and you can also apply more detailed restrictions.

Models can be shared the same way that stories and folders can be shared. In the sharing dialog, you can choose the access level for the users or teams that the model is shared with: View, Edit, Full Control, or a Custom access level. Models that aren't shared can't be viewed or modified by anyone but the model owner.

For information about sharing files, see Sharing a File or Folder.

You can also apply security settings based on user roles. In the Start of the navigation pathSecurity Next navigation step RolesEnd of the navigation path area, you can assign general permissions for all planning and analytic models, but you can't assign permissions for individual models. For information on user roles, see Roles.

Users must be assigned a role with the same overall model permission level as the model type they want to access. For example, someone assigned only Read access to Analytic Models in their role (and not also granted Update, Delete, or Maintain) will only ever be able to view data from the models they are allowed to read, even if they are additionally granted Update, Delete, or Maintain permissions on those models.

Think of it like a combination: to read a user's private planning model that has been shared with you, you'll need three things:

  • Rights to read the model via the sharing rights that are set by the user when they share it.
  • Read rights on the Planning Model application privilege.
  • Read Rights on the Private Files application privilege.

If you don't have one of these three rights, you won't be able to read (open or use) the model.

Note
Users with an SAP Analytics Cloud for planning, standard edition license must be assigned a role with Maintain permissions on planning models and analytic models. Users also need the Read and Maintain permissions granted via the Share settings directly on the model itself to upload or change data. For more information, see Creating Custom Roles and Sharing a File or Folder.
Note
For each role, an equivalent Team is created, and all users assigned to a role are also assigned to that team. When you share a model, you can choose to share it with one of these role-based teams. For example, the role BI Admin has full access to models. You can share a model with the team BI_Admin. Then, all users who are assigned to the BI Admin role would have full access to that model.
Dimension Security Based on User IDs (Data Access)

Use data access control to restrict access to individual values in the model to specific users.

Security at the level of individual dimensions adds two extra Read and Write columns to the data table for the dimension where it has been activated. You can use these to control access (based on teams or individual user IDs) to specific cells or values. To enable dimension security, switch on Data Access Control in the Dimension Settings (see Dimension Settings).

Note
Restrictions created using Data Access Control apply only to transaction data (fact data). Master data (members in member selection dialogs) will still be visible.
Note
If a user is assigned the BI Admin role, or is the model owner, that user always has full access to the model, regardless of the DAC settings applied to that model.

The following example illustrates how the data permissions restrict what users can do with the model.

The model P&L Planning has the following permission on its dimensions:
  • Account: Access control enabled
  • Organization: Access control enabled
  • Version
  • Date
The user who created the model has defined data access for the Account dimension as follows:
Member ID Read Write
P00001 MARTIN_BRODY MARTIN_BRODY
P00002 MATT_HOOPER MATT_HOOPER
The user who created the model has defined data access for the Organization dimension as follows:
Member ID Read Write
EMEA MARTIN_BRODY MARTIN_BRODY
Germany - -
France - -
APJ MATT_HOOPER MATT_HOOPER
US    
China - -
The model has the following data:
Organization Public Version: Account.P00001 Public Version: Account.P00002
EMEA 300 400
Germany 200 300
France 100 100
APJ 400 500
US 200 300
China 200 200
When Martin Brody opens his story and adds the organization to the row and the account to the column, he will see only the following data:
Organization Public Version: Account.P00001
EMEA 300
Germany 200
France 100
Version Security

Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit. Users who don't have write permissions can't publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.

Similar to using Data Access Control (DAC) for other dimensions, you use DAC for Version dimensions to restrict access.

Note
  • Only users with the Update privilege (defined in Start of the navigation pathSecurity Next navigation step RolesEnd of the navigation path) can set DAC for a version dimension.
  • Version security applies only to planning-enabled models.
  • The default read/write/delete permission is “none”. You must explicitly enable read/write/delete access to users or teams, including yourself.
  • The Version dimension was named the Category dimension in older versions of the application.

To restrict read and write access to a Version dimension:

  1. In the Modeler, open or create a model, and select the Version dimension.
  2. In the Dimension Settings panel, switch Data Access Control on, and then select OK.

    The three additional columns Read, Write, and Delete appear.

  3. Select a cell under Read, and then select to choose users and teams who you want to grant read access to.
  4. Do the same for the Write and Delete cells, to grant write and delete access.

You can see details of your choices in the Preview panel.