Create an "Operator and Values" Data Access Control

Users with the DW Space Administrator role (or equivalent privileges) can create data access controls in which criteria are defined as operator and value pairs. Each user sees only the records that satisfy the operator-value pairs assigned to them in the permissions entity; pairs can be combined into complex AND and OR conditions.

To create data access controls, you must have a scoped role that grants you access to the space with the following privileges:

  • Data Warehouse General (-R------) - To access SAP Datasphere.
  • Data Warehouse Data Builder (-R------) - To access the Data Builder.
  • Data Warehouse Data Access Control (CRUD----) - To create, read, update, and delete data access controls.

The DW Space Administrator role template, for example, grants these privileges. For more information, see Privileges and Permissions ↗️ and Standard Roles Delivered with SAP Datasphere ↗️.

Before creating your data access control, you must have prepared a permissions entity with the following columns:

  • Permission ID column - This column should be marked as a key.

  • User ID column - Containing user ids in the format required by your identity provider (email addresses, logon names, or other identifiers). If you are using SAML authentication, this column must contain values in the form defined as your User Attribute / IdpUserID (see Enabling a Custom SAML Identity Provider (Legacy Custom IdP) ↗️).

    Note:

    If a user has no entries in the permissions entity, then they will not have access to any records in the protected view.

  • Restriction Column - Each restriction per user must have a unique name, and one or more criteria can belong to each restriction. All criteria belonging to a restriction act together as an AND condition. If you have more than one restriction per user then all restrictions act together as an OR condition.

  • Criterion Column - The criteria name must contain only alphanumeric characters and underscores and appears in the Mappings area when a user applies the data access control to their view. It does not need to exactly match a column name, but should guide the user to the column to which it should be mapped.

  • Operator Column - The following operators are supported:

    • ALL (or *) - Provides access to all records. No values required.

    • EQ (or =) - Equal to First Value.

    • NE (or <> or !=) - Not equal to First Value.

    • GT (or >) - Greater than First Value.

    • GE (or >=) - Greater than or equal to First Value.

    • LT (or <) - Less than First Value.

    • LE (or <=) - Less than or equal to First Value.

    • CP (or LIKE) - Contains pattern First Value. Optionally Second Value can be set to an escape character.

      See LIKE Predicate in the SAP HANA Platform documentation.

    • BT (or BETWEEN) - Between First Value and Second Value.

  • First Value Column - This value acts as the first argument or lower bound of the operator.

  • Second Value Column - This value acts as the second argument or upper bound of the operator.

For example:

| Permission ID | User ID | Restriction | Criterion | Operator | First Value | Second Value |
|---|---|---|---|---|---|---|
| 1 | [email protected] | 0 | Code | BT | CA | CZ |
| 2 | [email protected] | 0 | Type | EQ | 1 | |
| 3 | [email protected] | 1 | Class | CP | ERR% | |
| 4 | [email protected] | 0 | Admin | ALL | | |

Based on these records:

  • bob will have access to records with a:

    • (restriction 0) - Code between CA and CZ, and having a Type equal to 1, or
    • (restriction 1) - Class beginning with ERR.
  • ann (restriction 0) - will have access to all records thanks to the ALL operator.

    Note:

    A criterion with an ALL operator can have any name and can be mapped to any column in a view.
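The evaluation rules above (AND within a restriction, OR across restrictions, no entries means no records), as an added example that is not part of the SAP documentation: a Python model of an operator-and-values permissions entity. The permission rows mirror the table with placeholder user ids, the view rows are constructed, and values are compared as strings, where the real engine uses the mapped column's type.

```python
import re
# Constructed permissions entity mirroring the page's example rows (user ids are placeholders;
# columns: Permission ID, User ID, Restriction, Criterion, Operator, First Value, Second Value).
PERMISSIONS = [
    (1, "bob@example.com", "0", "Code",  "BT",  "CA",   "CZ"),
    (2, "bob@example.com", "0", "Type",  "EQ",  "1",    None),
    (3, "bob@example.com", "1", "Class", "CP",  "ERR%", None),
    (4, "ann@example.com", "0", "Admin", "ALL", None,   None),
]
# Criterion name -> view column, as chosen in the Mappings area (an ALL criterion can map anywhere).
MAPPINGS = {"Code": "Code", "Type": "Type", "Class": "Class", "Admin": "Code"}
ALIASES = {"*": "ALL", "=": "EQ", "<>": "NE", "!=": "NE", ">": "GT", ">=": "GE",
           "<": "LT", "<=": "LE", "LIKE": "CP", "BETWEEN": "BT"}

def like_to_regex(pattern, escape=None):
    """Translate a SQL LIKE pattern (% and _ wildcards, optional escape char) to an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if escape and ch == escape and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1])); i += 2; continue   # escaped wildcard is literal
        out.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch)); i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)

OPS = {"EQ": lambda v, a, b: v == a, "NE": lambda v, a, b: v != a,
       "GT": lambda v, a, b: v > a,  "GE": lambda v, a, b: v >= a,
       "LT": lambda v, a, b: v < a,  "LE": lambda v, a, b: v <= a,
       "BT": lambda v, a, b: a <= v <= b,
       "CP": lambda v, a, b: like_to_regex(a, b).match(v) is not None}

def criterion_matches(op, value, first, second):
    op = ALIASES.get(op, op)              # accept the symbolic spellings listed on the page
    if op == "ALL": return True           # no values required
    return value is not None and OPS[op](value, first, second)   # string compare (assumption)

def visible_records(user_id, records, permissions=PERMISSIONS, mappings=MAPPINGS):
    """Records user_id may see: OR across restrictions, AND within one restriction."""
    restrictions = {}                     # restriction name -> list of its criteria
    for _pid, uid, restriction, crit, op, first, second in permissions:
        if uid == user_id:
            restrictions.setdefault(restriction, []).append((crit, op, first, second))
    # A user with no entries has no restrictions; any() over nothing is False, so no records.
    return [rec for rec in records
            if any(all(criterion_matches(op, rec.get(mappings[crit]), first, second)
                       for crit, op, first, second in crits)
                   for crits in restrictions.values())]

RECORDS = [{"Code": "CA", "Type": "1", "Class": "OK"},     # constructed view rows: bob via restriction 0
           {"Code": "CB", "Type": "2", "Class": "OK"},     # bob matches neither restriction
           {"Code": "DE", "Type": "1", "Class": "ERR42"}]  # bob via restriction 1
```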

  1. In the side navigation area, click (Data Builder), select a space if necessary, and click New Data Access Control to open the editor.

  2. Complete the properties in the General section:

    | Property | Description |
    |---|---|
    | Business Name | Enter a descriptive name to help users identify the object. This name can be changed at any time. |
    | Technical Name | Displays the name used in scripts and code, synchronized by default with the Business Name. To override the default technical name, enter a new one in the field. Technical names can contain only alphanumeric characters and underscores. Note: Once the object is saved, the technical name can no longer be modified. |
    | Package | Select the package to which the object belongs. Packages are used to group related objects in order to facilitate their transport between tenants. Note: Once a package is selected, it cannot be changed here. Only a user with the DW Space Administrator role (or equivalent privileges) can modify a package assignment in the Packages editor. For more information, see Creating Packages to Export. |
    | Owner | Enter the name of the person responsible for your data access control. |
    | Status | [read-only] Displays the deployment and error status of the object. For more information, see Saving and Deploying Objects ↗️. |
    | Deployed On | [read-only] Displays the date and time of the last deployment. |
    | Structure | Select Operator and Values. |
    | Permissions Entity | Select the table or view containing your user ids and criteria. The permissions entity must match the structure selected in the Structure field. Click the Open in New Tab button to the right of the field to open the entity in its own editor. |
    | Identifier Column | Select a column containing user ids in the format required by your identity provider (email addresses, logon names, or other identifiers). |

  3. Complete the properties in the Criteria section:

    | Property | Description |
    |---|---|
    | Restriction Column | Select the permissions entity column that contains the restriction names. Each restriction per user must have a unique name, and one or more criteria can belong to each restriction. All criteria belonging to a restriction act together as an AND condition. If you have more than one restriction per user then all restrictions act together as an OR condition. |
    | Criterion Column | Select the permissions entity column that contains the criteria names. The criteria name must contain only alphanumeric characters and underscores and appears in the Mappings area when a user applies the data access control to their view. It does not need to exactly match a column name, but should guide the user to the column to which it should be mapped. |
    | Operator Column | Select the permissions entity column that contains operators. |
    | First Value Column | Select the permissions entity column that contains the lower bound values to apply to the operators. This value acts as the first argument or lower bound of the operator. |
    | Second Value Column | Select the permissions entity column that contains the upper bound values to apply to the operators. This value acts as the second argument or upper bound of the operator. |

  4. Use the Available Criteria table to control which criteria should be applied.

    All available criteria are listed in the table and are all selected to be applied by default. To remove a criterion, deselect it in the list.

  5. Click Save and then Deploy to deploy your data access control and make it available for use.

    For information about attaching a data access control to a view, see Apply a Data Access Control to a Graphical or SQL View ↗️.

    Note:

    You can use the View as User tool in the Data Viewer panel to review the effects of the data access controls you apply by checking the records that another user will be allowed to see (see Viewing Object Data ↗️).

  6. The tools in the editor toolbar help you work with your object throughout its lifecycle:

    | Tool | Description |
    |---|---|
    | (Save) | Save your changes to the design-time repository. You can use Save As to create a copy of the object. See Saving and Deploying Objects ↗️. |
    | (Deploy) | Deploy your changes to make them available in the run-time environment. See Saving and Deploying Objects ↗️. |
    | (Export) | Export the object to a CSN/JSON file. See Exporting Objects to a CSN/JSON File ↗️. |
    | (Impact and Lineage Analysis) | Open the Impact and Lineage Analysis graph for the object. See Impact and Lineage Analysis ↗️. |
    | Status | [read-only] Displays the status of the object. See Saving and Deploying Objects ↗️. |
    | Versions | Open the Version History dialog for the object. See Reviewing and Restoring Object Versions ↗️. |
    | Details | Toggles the display of the Properties panel. |