Model and Version Security
A number of options are available to apply user role security to models and dimensions, and also to apply more detailed restrictions.
Two approaches are available for applying more detailed security and access restrictions:
- Model Security (Privacy) – Use this option to make the model accessible only to the owner and other user roles that are explicitly granted access by the administrator.
- Dimension Security (Data Access Control) – Use this option to restrict access to individual values in the model to specific users.
Typically, you would opt for either one approach or the other, although it is also possible to combine the two methods in the same model – in which case, access would be possible only when all security conditions had been met.
An administrator applying security restrictions can use the following options:
- Granting Permissions to access specific functional areas of the application (including models).
- Granting read or write access to Selected Models and model dimensions.
Firstly, using permissions, administrators can restrict access to the Models feature or to certain types of model: separate options are available under permissions for the three model types (Planning Models, Analytic Models, and SAP Cloud Platform data sources) so that each type can be secured separately.
Secondly, where Privacy has been enabled for a model, Full Access or Limited Access to the model can be granted for each role. Limited Access provides a very detailed level of read/write control for all members and categories of the model.
Security at the level of individual dimensions adds two extra Read and Write columns to the data table for the dimension where it has been activated. You can use these to control access (based on teams or individual user IDs) to specific cells or values. To enable dimension security, select the Enable Data Access Control check box in Dimension Preferences (see Dimension Preferences).
The following example illustrates how the data permissions restrict what users can do with the model. The model P&L Planning has the following permissions on its dimensions:
- Account: Access control enabled
- Organization: Access control enabled
|Organization||Public Version: Account.P00001||Public Version: Account.P00002|
|Organization||Public Version: Account.P00001|
Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit. Users who don't have write permissions can't publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.
Similar to using Data Access Control (DAC) for other dimensions, you use DAC for Version dimensions to restrict access.
- Only users with the Update privilege (defined in ) can set DAC for a version dimension.
- Version security applies only to planning-enabled models.
- The default read/write/delete permission is “none”. You must explicitly enable read/write/delete access to users or teams, including yourself.
- The Version dimension was named the Category dimension in older versions of the application.
To restrict read and write access to a Version dimension:
- In Modeler, open or create a model, and select the Version dimension.
- Select .
Select Enable Data Access Control and then select OK.
The three additional columns Read, Write, and Delete appear.
- Select a cell under Read, and then select to choose users and teams who you want to grant read access to.
- Do the same for the Write and Delete cells, to grant write and delete access.
You can see details of your choices in the Preview panel.
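The version security rules described above (default of "none", delete permission also allowing read and publish, read-only users still able to copy to a private version) can be modelled to review a planned Read/Write/Delete assignment before it is applied. The following Python is an added example, not code from the application: the table layout, team names, and user IDs are constructed, and treating Write as not implying Read is an assumption of this model.

```python
# Simplified model of Version-dimension Data Access Control (not product code).
# Team membership and the DAC rows below are constructed sample data.
TEAMS = {"FINANCE": {"alice", "bob"}, "CONTROLLING": {"carol"}}

# One row per public version; each cell lists user IDs and/or team names.
VERSION_DAC = [
    {"version": "Actual", "Read": ["FINANCE", "carol"], "Write": ["alice"], "Delete": []},
    {"version": "Budget", "Read": ["FINANCE"], "Write": ["FINANCE"], "Delete": ["CONTROLLING"]},
    {"version": "Forecast", "Read": [], "Write": [], "Delete": []},
]

def expand(cell):
    """Resolve a cell's mix of team names and user IDs to a set of user IDs."""
    users = set()
    for entry in cell:
        users |= TEAMS.get(entry, {entry})
    return users

def effective_actions(user, row):
    """Actions a user may take on one public version; no entry means no access."""
    can_delete = user in expand(row["Delete"])
    # Delete permission also allows reading and publishing to the version.
    can_write = can_delete or user in expand(row["Write"])
    can_read = can_delete or user in expand(row["Read"])
    actions = set()
    if can_read:
        actions |= {"read", "copy_to_private"}  # read-only users can still copy
    if can_write:
        actions.add("publish")
    if can_delete:
        actions.add("delete")
    return actions

def audit(rows, admin):
    """Flag versions nobody can reach and versions the administrator is locked out of."""
    findings = []
    for row in rows:
        holders = expand(row["Read"]) | expand(row["Write"]) | expand(row["Delete"])
        if not holders:
            findings.append((row["version"], "no user or team has any access"))
        elif not effective_actions(admin, row):
            findings.append((row["version"], f"{admin} has no access"))
    return findings

if __name__ == "__main__":
    print(audit(VERSION_DAC, "dave"))
```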