Users with the DW Space Administrator role (or equivalent privileges) can create data access controls in which criteria are defined as hierarchy values. Each user can only see the records that match the hierarchy values she is authorized for in the permissions entity, along with any of their descendants.
To create data access controls, you must have a scoped role that grants you access to the space with the following privileges:
- Data Warehouse General (-R------) - To access SAP Datasphere.
- Data Warehouse Data Builder (-R------) - To access the Data Builder.
- Data Warehouse Data Access Control (CRUD----) - To create, read, update, and delete data access controls.
The DW Space Administrator role template, for example, grants these privileges. For more information, see Privileges and Permissions.
Before creating your data access control, you must have identified the following entities:
- An entity with a semantic usage of Hierarchy containing parent-child relationships for the records in the permissions entity (see Create an External Hierarchy for Drill-Down ↗️). Only external hierarchies with a single pair of parent-child columns are supported. Level-based hierarchies, dimensions with internal hierarchies, and entities with a semantic usage of Hierarchy with Directory cannot be used, and the data in your hierarchy must respect the following rules:
  - A single root node with a parent value of null
  - No nodes with multiple parents
  - No circular relationships
- A permissions entity containing the following columns:
  - User ID column - Containing user ids in the format required by your identity provider (email addresses, logon names, or other identifiers). If you are using SAML authentication, this column must contain values in the form defined as your User Attribute / IdpUserID (see Enabling a Custom SAML Identity Provider (Legacy Custom IdP) ↗️). If a user has no entries in the permissions entity, then they will not have access to any records in the protected view.
  - Criterion column - A column containing the criterion data. This criterion data is organized into a hierarchy via an external entity with a semantic usage of Hierarchy.
- For example:
  - The Geo Hierarchy table has a semantic usage of Hierarchy and contains the following records:

    | Child Geo Location | Parent Geo Location |
    |---|---|
    | World | (null) |
    | Europe | World |
    | France | Europe |
    | Paris | France |

  - The Geo Permissions table is used as a permissions entity, and contains the following records:

    | User ID | Geo Criteria |
    |---|---|
    | bob | Europe |
    | jim | France |
    | ann | Paris |

  - The Geo Hierarchy data access control uses the Geo Permissions table as a permissions entity and, when it is applied to a view, ensures that the following users will only have access to records with the appropriate geo location values:
    - bob - Europe, France, or Paris.
    - jim - France or Paris.
    - ann - Paris.
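The following Python script is an added worked example, not SAP code and not how SAP Datasphere implements the control internally. It reconstructs the Geo Hierarchy and Geo Permissions tables from the example above as constructed in-memory data, checks the three hierarchy rules stated earlier (single null-parent root, no multiple parents, no cycles), and then derives, for each user, the set of hierarchy values they may see: their authorized nodes plus all descendants. A small constructed view (the `SALES_VIEW` rows and its `geo` column are hypothetical) is filtered the way a deployed data access control filters a protected view, so that a user with no permissions row ends up with no records.

```python
from collections import defaultdict

# Constructed sample data mirroring the page's Geo Hierarchy and Geo Permissions
# tables. A parent of None stands for the null parent value of the root node.
GEO_HIERARCHY = [  # (Child Geo Location, Parent Geo Location)
    ("World", None),
    ("Europe", "World"),
    ("France", "Europe"),
    ("Paris", "France"),
]
GEO_PERMISSIONS = [  # (User ID, Geo Criteria)
    ("bob", "Europe"),
    ("jim", "France"),
    ("ann", "Paris"),
]
# Constructed rows of a view protected by the data access control; "geo" is the
# hypothetical column the criterion values are matched against.
SALES_VIEW = [
    {"geo": "World", "revenue": 1000},
    {"geo": "Europe", "revenue": 400},
    {"geo": "France", "revenue": 150},
    {"geo": "Paris", "revenue": 60},
]


def validate_hierarchy(rows):
    """Check the three rules the page states for a hierarchy entity and return a
    list of human-readable violations (an empty list means the data is usable):
    exactly one root with a null parent, no node with several parents, no cycles."""
    parents = defaultdict(set)
    for child, parent in rows:
        parents[child].add(parent)
    errors = []

    roots = sorted(c for c, ps in parents.items() if None in ps)
    if len(roots) != 1:
        errors.append(f"expected exactly one root node with a null parent, found {roots}")

    for child, ps in sorted(parents.items()):
        if len(ps) > 1:
            errors.append(f"node {child!r} has multiple parents: {sorted(p or 'null' for p in ps)}")

    # Walk upwards from every node; meeting a node twice in one walk is a cycle.
    cleared = set()  # nodes whose upward walk has already been checked
    for start in sorted(parents):
        path = []
        node = start
        while node is not None and node not in cleared:
            if node in path:
                cycle = path[path.index(node):] + [node]
                errors.append("circular relationship: " + " -> ".join(cycle))
                break
            path.append(node)
            # Follow one parent; a node with several parents was reported above.
            node = next(iter(parents.get(node, {None})))
        cleared.update(path)
    return errors


def visible_nodes(user_id, permissions=GEO_PERMISSIONS, hierarchy=GEO_HIERARCHY):
    """Return the hierarchy values user_id may see: every node listed for the
    user in the permissions entity plus all descendants of those nodes.
    A user without any permissions row gets an empty set, i.e. no records."""
    children = defaultdict(list)
    for child, parent in hierarchy:
        children[parent].append(child)
    allowed = set()
    stack = [criterion for uid, criterion in permissions if uid == user_id]
    while stack:
        node = stack.pop()
        if node in allowed:  # also terminates the walk if the data contained a cycle
            continue
        allowed.add(node)
        stack.extend(children[node])
    return allowed


def apply_data_access_control(view_rows, criterion_column, user_id,
                              permissions=GEO_PERMISSIONS, hierarchy=GEO_HIERARCHY):
    """Keep only the rows whose criterion column holds a value the user is
    allowed to see, which is what the deployed control does at query time."""
    allowed = visible_nodes(user_id, permissions, hierarchy)
    return [row for row in view_rows if row[criterion_column] in allowed]


if __name__ == "__main__":
    problems = validate_hierarchy(GEO_HIERARCHY)
    print("hierarchy problems:", problems or "none")
    for user in ("bob", "jim", "ann", "nobody"):
        rows = apply_data_access_control(SALES_VIEW, "geo", user)
        print(f"{user}: sees {sorted(visible_nodes(user))} -> {len(rows)} row(s)")
```

Running the script reproduces the outcome described above: bob sees Europe, France and Paris, jim sees France and Paris, ann sees only Paris, and a user absent from Geo Permissions sees nothing. Note that the World row is visible to none of them, because World is an ancestor of their authorized nodes, not a descendant. The validation function reports hierarchies with several roots, a node with two parents, or a parent-child loop, which are the cases the editor will not accept as a hierarchy entity.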
- In the side navigation area, click Data Builder, select a space if necessary, and click New Data Access Control to open the editor.
- Complete the properties in the General section:

  | Property | Description |
  |---|---|
  | Business Name | Enter a descriptive name to help users identify the object. This name can be changed at any time. |
  | Technical Name | Displays the name used in scripts and code, synchronized by default with the Business Name. To override the default technical name, enter a new one in the field. Technical names can contain only alphanumeric characters and underscores. Once the object is saved, the technical name can no longer be modified. |
  | Package | Select the package to which the object belongs. Packages are used to group related objects in order to facilitate their transport between tenants. Once a package is selected, it cannot be changed here. Only a user with the DW Space Administrator role (or equivalent privileges) can modify a package assignment in the Packages editor. For more information, see Creating Packages to Export. |
  | Owner | Enter the name of the person responsible for your data access control. |
  | Status | [read-only] Displays the deployment and error status of the object. For more information, see Saving and Deploying Objects ↗️. |
  | Deployed On | [read-only] Displays the date and time of the last deployment. |
  | Structure | Select Hierarchy. |
  | Permissions Entity | Select the table or view containing your user ids and criteria. The permissions entity must match the structure selected in the Structure field. Click the Open in New Tab button to the right of the field to open the entity in its own editor. |
  | Identifier Column | Select a column containing user ids in the format required by your identity provider (email addresses, logon names, or other identifiers). |
- Complete the properties in the Criteria section:

  | Property | Description |
  |---|---|
  | Business Name | Enter a descriptive name to help users identify the object. This name can be changed at any time. |
  | Technical Name | Displays the name used in scripts and code, synchronized by default with the Business Name. To override the default technical name, enter a new one in the field. Technical names can contain only alphanumeric characters and underscores. Once the object is saved, the technical name can no longer be modified. |
  | Criterion Column | Select the column containing the authorized nodes from the permissions entity. |
  | Hierarchy Entity | Select the entity with a semantic usage of Hierarchy that defines the parent-child hierarchy relationships between the records in the permissions entity. |
- Click Save and then Deploy to deploy your data access control and make it available for use.

  For information about attaching a data access control to a view, see Apply a Data Access Control to a Graphical or SQL View ↗️. You can use the View as User tool in the Data Viewer panel to review the effects of the data access controls you apply by checking the records that another user will be allowed to see (see Viewing Object Data ↗️).
- The tools in the editor toolbar help you work with your object throughout its lifecycle:

  | Tool | Description |
  |---|---|
  | Save | Save your changes to the design-time repository. You can use Save As to create a copy of the object. See Saving and Deploying Objects ↗️. |
  | Deploy | Deploy your changes to make them available in the run-time environment. See Saving and Deploying Objects ↗️. |
  | Export | Export the object to a CSN/JSON file. |
  | Impact and Lineage Analysis | Open the Impact and Lineage Analysis graph for the object. See Impact and Lineage Analysis ↗️. |
  | Status | [read-only] Displays the status of the object. See Saving and Deploying Objects ↗️. |
  | Versions | Open the Version History dialog for the object. |
  | Details | Toggles the display of the Properties panel. |