Datasphere, a comprehensive data management platform, offers a suite of tools and features to help organizations safeguard their data assets and ensure compliance with security regulations. In this blog post, I will demonstrate how to implement data access controls in Datasphere to enhance security and protect your valuable data.
Understanding Data Access Controls
Data access controls in Datasphere typically refer to the mechanisms and policies put in place to manage and restrict access to data within the Datasphere platform. These controls ensure that only authorized users or systems can access specific datasets or resources, helping to maintain data security, privacy, and compliance with regulations.
Business Proposal:
Business User Perspective
Anna is the Sales Manager. She understands the business needs and the sensitivity of sales data.
John is the Data Analyst from the Irish Sales Department. He uses sales data for analysis and reporting.
Anna and John have a meeting to discuss the upcoming implementation of SAP Datasphere. Anna is aware of the importance of data security and compliance with data governance policies. They decide to set up a permissions table that defines who can access which data. The table can then be shared with the IT team, who will implement these controls in Datasphere.
Proposal for Permissions Access:
Sales Executives: Full access to all sales data.
Regional Sales Managers: Access restricted to their respective regions.
Sales Analysts: Access to anonymized or aggregated data for analysis purposes.
Technical User Perspective
Sarah is the IT & Security Administrator. She specializes in data modelling and security and is responsible for setting up and managing Datasphere.
Sarah receives the permissions table from Anna and John. She begins planning how to implement these controls in SAP Datasphere.
Creating Data Access Controls in Datasphere
Prerequisites
- Before creating your data access control, you must have prepared a permissions entity with the following columns:
  - User ID column – Contains user IDs in the format required by your identity provider (email addresses, logon names, or other identifiers). This column must be selected as the Identifier Column in your data access control.
  - One or more columns containing filter criteria (country or region names or IDs, department names or IDs, or any other criteria to control how your data is exposed to users). These columns must be selected as Criteria columns in your data access control.
- Only users with the DW Space Administrator role (or equivalent privileges) can create data access controls in which criteria are defined as simple values. The organization's IT & Security Administrator, Sarah, should do this.
Click on the Security Icon on the left-hand bar. Click Roles.
Click on the DW Space Administrator role.
Click on the Users icon. Here the security administrator can assign users to the role or remove them from it.
Step 1: Setting up your tables.
Business users Anna and John oversee the management of the Permissions table, which is subsequently shared with the IT department. They have set this table up in the Permissions Space.
Permissions Table Set up:
The IT & Security admin Sarah, who is the technical user, uses the shared Permissions table as the basis for Data Access Controls.
Sales Products Table:
Step 3: Set up your Data Access Control in the IT Space.
Sarah logs into SAP Datasphere and navigates to the Data Access Control section.
In the side navigation area, Sarah clicks Data Access Controls, selects the IT space, and clicks New Data Access Control to open the editor.
Select the input help and add the Permissions table to the ‘Permissions Entity’.
The permissions entity should include at least two columns:
One or more columns with filter criteria (e.g., Sales Org, Product) that determine how data is presented to users. These columns are known as Criteria columns in your data access control.
One column containing user IDs in the required format (such as email address). This column serves as the Identifier Column in your data access control.
Now Sarah can save and deploy the Data Access Control.
Step 4: Applying your DACs to a Graphical View
Sarah will create an analytical model in Datasphere, ensuring it respects the defined access controls.
Open the desired Graphical view. Below she has added the Sales Products Data table into a graphical view.
Click on the View Node. In the Model properties click on the plus icon to add your Data Access Control.
In the Join section, map the columns from the Sales Org View to the Data Access Control in order to filter the data appropriately.
Change the Semantic Usage to Fact, turn Expose for Consumption on, and add at least one Measure. This allows you to create your Analytic Model, which then makes the object available for consumption in SAP Analytics Cloud.
Now Sarah can Save and Deploy the View.
Now she can share this view with the Sales Space to be viewed by the Sales Team.
In the Sales Space users can create Analytical Models using the Graphical View as the source and users will be able to see data specific to their user ID.
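The row filter that Steps 3 and 4 configure can be modelled outside Datasphere to check a permissions table before it is handed to IT. The following is an added example, not code from Datasphere or from the original post: it uses Python's built-in sqlite3, and the table names, column names, users and sales orgs are constructed assumptions.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE permissions (user_id TEXT, sales_org TEXT);
        CREATE TABLE sales_products (sales_org TEXT, product TEXT, revenue INTEGER);
        INSERT INTO permissions VALUES
            ('anna@example.com', 'IE'), ('anna@example.com', 'DE'),
            ('anna@example.com', 'FR'), ('john@example.com', 'IE'),
            ('mia@example.com', 'ES');  -- 'ES' matches no sales row
        INSERT INTO sales_products VALUES
            ('IE', 'Laptop', 1200), ('IE', 'Phone', 800),
            ('DE', 'Laptop', 1500), ('FR', 'Tablet', 600);
    """)
    return conn

def visible_rows(conn, user_id):
    """Rows left after the filter: the data row's criteria value must appear
    in a permissions row for this user. No permissions row, no data."""
    return conn.execute(
        """SELECT s.sales_org, s.product, s.revenue FROM sales_products s
           WHERE EXISTS (SELECT 1 FROM permissions p
                         WHERE p.user_id = ? AND p.sales_org = s.sales_org)
           ORDER BY s.sales_org, s.product""", (user_id,)).fetchall()

def audit_permissions(conn):
    """Review aid: users who hold every sales org present in the data, and
    permission rows whose criteria value matches no data row (e.g. a typo)."""
    total = conn.execute(
        "SELECT COUNT(DISTINCT sales_org) FROM sales_products").fetchone()[0]
    full = [row[0] for row in conn.execute(
        """SELECT user_id FROM permissions
           WHERE sales_org IN (SELECT sales_org FROM sales_products)
           GROUP BY user_id HAVING COUNT(DISTINCT sales_org) = ?
           ORDER BY user_id""", (total,))]
    orphaned = conn.execute(
        """SELECT user_id, sales_org FROM permissions
           WHERE sales_org NOT IN (SELECT sales_org FROM sales_products)
           ORDER BY user_id, sales_org""").fetchall()
    return {"full_access": full, "orphaned": orphaned}

if __name__ == "__main__":
    db = build_demo_db()
    for user in ("anna@example.com", "john@example.com", "eve@example.com"):
        print(user, visible_rows(db, user))
    print(audit_permissions(db))
```

The audit output is worth reviewing with the business owners: every name under `full_access` should be an intended full-access user, and every `orphaned` row is a grant that currently exposes nothing.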
Step 5: Consume your Model in SAP Analytics Cloud
Sarah ensures the analytical models are accessible in SAC.
Anna and John are pleased with the setup. They log into SAC and find the Sales Performance Dashboard tailored to their access levels. John sees aggregated sales data for the Irish Sales Department, while Anna has a comprehensive view of all sales data. The system ensures that sensitive data is secure and only accessible by authorized personnel.
John's View in SAC:
Anna's View in SAC:
Conclusion
In conclusion, setting up DACs in Datasphere is crucial to protect your sensitive information, meet compliance requirements, mitigate data breach risks, and improve operational efficiency. By following the outlined steps, users can ensure that their data assets are securely managed and accessed only by authorized personnel, thereby minimizing the potential for security incidents and ensuring the integrity and confidentiality of their data throughout its lifecycle.