Model and Version Security

A number of options are available to apply user role security to models and dimensions, and also to apply more detailed restrictions.

Two approaches are available for applying more detailed security and access restrictions:

  • Model Security (Privacy) – Use this option to make the model accessible only to the owner and other user roles that are explicitly granted access by the administrator.
  • Dimension Security (Data Access Control) – Use this option to restrict access to individual values in the model to specific users.

Typically, you would opt for either one approach or the other, although it is also possible to combine the two methods in the same model – in which case, access would be possible only when all security conditions had been met.

Model Security based on User Roles (Privacy Setting)

An administrator applying security restrictions in Security > Roles can use the following options:

  • Granting Permissions to access specific functional areas of the application (including models).
  • Granting read or write access to Selected Models and model dimensions.

Firstly, using permissions, administrators can restrict access to the Models feature or to certain types of model: separate options are available under permissions for the three model types (Planning Models, Analytic Models, and SAP Cloud Platform data sources) so that each type can be secured separately.

Secondly, where Privacy has been enabled for a model, Full Access or Limited Access to the model can be granted for each role. Limited Access provides a very detailed level of read/write control for all members and categories of the model.

Users with an SAP Analytics Cloud for planning, standard edition license must be assigned a role with Maintain permissions on planning models and analytic models. For more information, see Creating Custom Roles.

Dimension Security Based on User IDs (Data Access)

Security at the level of individual dimensions adds two extra Read and Write columns to the data table for the dimension where it has been activated. You can use these to control access (based on teams or individual user IDs) to specific cells or values. To enable dimension security, select the Enable Data Access Control check box in Dimension Preferences (see Dimension Preferences).

Restrictions created using Data Access Control apply only to transaction data (fact data). Master data (members in member selection dialogs) will still be visible.

The following example illustrates how the data permissions restrict what users can do with the model.

The model P&L Planning has the following permissions on its dimensions:

  • Account: Access control enabled
  • Organization: Access control enabled
  • Version
  • Date

The user who created the model has defined data access for the Account dimension as follows:

Member ID   Read   Write

The user who created the model has defined data access for the Organization dimension as follows:

Member ID   Read   Write
Germany     -      -
France      -      -
China       -      -

The model has the following data:

Organization   Public Version: Account.P00001   Public Version: Account.P00002
EMEA           300                              400
Germany        200                              300
France         100                              100
APJ            400                              500
US             200                              300
China          200                              200

When Martin Brody opens his story and adds the organization to the row and the account to the column, he will see only the following data:

Organization   Public Version: Account.P00001
EMEA           300
Germany        200
France         100
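
The following Python sketch is an added illustration, not part of the original documentation and not SAP code. It models the read filtering in the example above: a fact cell is shown only when every access-controlled dimension grants Read, while member lists stay unfiltered. The Read grants for Martin Brody are constructed (the permission tables on this page carry no values), and default deny for members without a grant is an assumption.

```python
# Simplified model of Data Access Control (DAC) read filtering. Not SAP code.
DIMS = ("Organization", "Account")  # dimensions placed on rows and columns
DAC_ENABLED = {"Account": True, "Organization": True,
               "Version": False, "Date": False}  # as listed on the page

# Read grants per member. CONSTRUCTED: the page's grant tables have no
# surviving cell values, so these assignments are assumptions.
READ = {
    "Account": {"P00001": {"Martin Brody"}},
    "Organization": {"EMEA": {"Martin Brody"}, "Germany": {"Martin Brody"},
                     "France": {"Martin Brody"}},
}

# Fact data from the page: (Organization, Account) -> value (public version).
FACTS = {
    ("EMEA", "P00001"): 300, ("EMEA", "P00002"): 400,
    ("Germany", "P00001"): 200, ("Germany", "P00002"): 300,
    ("France", "P00001"): 100, ("France", "P00002"): 100,
    ("APJ", "P00001"): 400, ("APJ", "P00002"): 500,
    ("US", "P00001"): 200, ("US", "P00002"): 300,
    ("China", "P00001"): 200, ("China", "P00002"): 200,
}

def can_read(user, cell):
    """True only if every DAC-enabled dimension of the cell grants Read."""
    for dim, member in cell.items():
        if not DAC_ENABLED.get(dim, False):
            continue  # no DAC on this dimension, so it never restricts
        # Assumed default deny: no grant entry means nobody can read.
        if user not in READ.get(dim, {}).get(member, set()):
            return False
    return True

def visible_facts(user):
    """Fact cells the user sees with Organization on rows, Account on columns."""
    return {key: value for key, value in FACTS.items()
            if can_read(user, dict(zip(DIMS, key)))}

def selectable_members(dim):
    """Master data is not filtered by DAC: every member stays listed."""
    return sorted({key[DIMS.index(dim)] for key in FACTS})

if __name__ == "__main__":
    for (org, acct), value in visible_facts("Martin Brody").items():
        print(org, acct, value)
```

A user with no grants gets an empty result from `visible_facts` but still sees all six organizations from `selectable_members`, which is the transaction-data versus master-data distinction described above.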

Version Security

Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit. Users who don't have write permissions can't publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.

Similar to using Data Access Control (DAC) for other dimensions, you use DAC for Version dimensions to restrict access.

  • Only users with the Update privilege (defined in Security > Roles) can set DAC for a version dimension.
  • Version security applies only to planning-enabled models.
  • The default read/write/delete permission is “none”. You must explicitly enable read/write/delete access to users or teams, including yourself.
  • The Version dimension was named the Category dimension in older versions of the application.

To restrict read and write access to a Version dimension:

  1. In Modeler, open or create a model, and select the Version dimension.
  2. Select Dimension Preferences.
  3. Select Enable Data Access Control and then select OK.

    The three additional columns Read, Write, and Delete appear.

  4. Select a cell under Read, and then select to choose users and teams who you want to grant read access to.
  5. Do the same for the Write and Delete cells, to grant write and delete access.

You can see details of your choices in the Preview panel.