PUBLIC
Matthew Shaw, SAP (@MattShaw_on_BI)
August 2019, Version 1.2
SAP Analytics Cloud
Security Concepts and Best Practice
Slide 2
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
Security Concepts and Best Practice

• A Role can contain many Users and a User can be in many Roles.
• You need multiple roles, because a single role can only consume:
  – 1 license type by application (Analytics Hub, BI, Planning Pro, Planning Standard)
  – 1 license type by user license (named user, concurrent session)
• Roles are the only place where you can define ‘Application level rights’.
• Do NOT use the default roles. Always create custom roles (based on a copy of the default ones).
• Roles define Application Rights.
[Diagram: Roles can contain many users; a User can be in many roles]
Slide 3

• A Team can contain multiple users and a user can belong to multiple Teams.
• Teams can have their own folder, but this is generally more problematic than beneficial.
• Top Tip – Use normal Public Folders, avoid Team Folders!
  – De-select the ‘Create Team Folder’ option when creating Teams.
  – Teams cannot be exported or imported from one SAP Analytics Cloud service to another.
  – The Team folder can only be shared by users within the team and not with anyone outside of the Team.
  – Teams cannot be renamed, unlike normal Public Folders.
[Diagram: a Team can contain many users; a User can be in many Teams]
Slide 4

• Teams can ‘aggregate’ roles together!
• If a Team or User is a member of multiple roles, they inherit the ‘Union’ of the roles’ rights.
• Top Tip – Use Teams to group your Roles.
• Top Tip – Include the team name in the team’s description. Currently team names are not shown when sharing content, only the description is!
• Currently a Team cannot be assigned to a Role defined as ‘Concurrent session’.
  – You’ll need to add each user individually to the role.
[Diagram: one Team assigned to both Role A and Role B]
Slide 5

• Rights on objects (folders/files) are assigned to Teams and/or Users, not Roles.
• ‘User A’ will not inherit the rights to the folder because
  – folders cannot be secured by roles
  – the user isn’t in the team
• Just because a team is assigned to a role doesn’t mean that all users of that role inherit the team’s rights to the folder.
[Diagram: a Team and User A are both assigned to the same Role; the rights on the Folder are assigned to the Team, not to the Role]
Slide 6

• Map a User Attribute to the Team.
  – This means the IdP defines who is a member of which Team.
  – In general the number of teams, defined as user attributes in the IdP, is small and certainly much smaller than the number of SAP Analytics Cloud Roles.
• Assign the Team to multiple roles.
• Assign the Folder rights to the team.
• Place rights on folders to benefit from inheritance (rather than on every file).
• Top Tip – Use your own IdP; you’ll need it for SSO to ‘Live’ data sources.
• Doc links:
  – Enabling SAML SSO
  – Mapping Team Attributes
[Diagram: the SAML2 Identity Provider (IdP) maps Users to Teams via a User Attribute; in SAP Analytics Cloud the Team is assigned to Role A and Role B, and the rights on the Folder are assigned to the Team]
Slide 7

• A SAML2 IdP ensures seamless Single Sign-On for connections to data sources (typically on-premise).
  – It must be the same IdP.
  – SAML is not the only option. X.509 certificates and Kerberos are also possible if the database supports them.
• Top Tip: Enable “Dynamic User Creation” so users are automatically created in SAP Analytics Cloud!
  – There is no automatic deletion of users, to keep their personal content safe.
[Diagram: SAML2 trust relationships between the Identity Provider (IdP), SAP Analytics Cloud and the Database; the SAML token is presented at each hop]
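Slides 6 and 7 in code: an added Python example (not SAP code) that takes a constructed SAML2 assertion, maps a multi-valued user attribute (assumed here to be named ‘Teams’) onto tenant teams, creates the user on first login and never deletes one. The attribute name, user id and team names are assumptions made for the illustration; signature and audience validation of the assertion is assumed to have been done by the SAML library beforehand.

```python
"""Added example, not SAP code: IdP-driven team membership with Dynamic User
Creation. The IdP attribute (assumed name: 'Teams') is the source of truth for
team membership, so it is re-synchronised on every login; users are created on
first login and never deleted here, as the slides advise."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
TEAM_ATTRIBUTE = "Teams"  # assumption: the attribute the tenant maps teams from


def make_assertion(name_id: str, team_values: list[str]) -> str:
    """Build a constructed, unsigned assertion fragment to drive the example.
    Signature, issuer and audience checks are the SAML library's job and must
    succeed before anything below is trusted."""
    values = "".join(
        f"<saml:AttributeValue>{escape(v)}</saml:AttributeValue>" for v in team_values
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}">'
        f"<saml:Subject><saml:NameID>{escape(name_id)}</saml:NameID></saml:Subject>"
        f'<saml:AttributeStatement><saml:Attribute Name="{TEAM_ATTRIBUTE}">'
        f"{values}</saml:Attribute></saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


def parse_assertion(xml_text: str) -> tuple[str, dict[str, list[str]]]:
    """Return (NameID, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)
        ]
    return name_id, attrs


def apply_login(users: set[str], teams: dict[str, set[str]], xml_text: str) -> tuple[str, set[str]]:
    """Apply one successful SSO login to the tenant state (mutated in place).
    Returns the user id and the attribute values that matched no tenant team,
    so an administrator can spot IdP values that are not mapped."""
    user, attrs = parse_assertion(xml_text)
    users.add(user)  # Dynamic User Creation: the first login creates the user
    asserted = set(attrs.get(TEAM_ATTRIBUTE, []))
    for team, members in teams.items():
        if team in asserted:
            members.add(user)
        else:
            members.discard(user)  # membership the IdP no longer asserts is withdrawn
    # Nothing is ever removed from `users`: deleting a user would destroy their
    # personal content, which is why the slides advise against automatic deletion.
    return user, asserted - set(teams)


if __name__ == "__main__":
    tenant_users: set[str] = set()
    tenant_teams = {"Project A Standard": set(), "Project A Secure": set()}
    first = make_assertion("alice@example.com", ["Project A Standard", "Project A Secure", "Finance"])
    print(apply_login(tenant_users, tenant_teams, first), tenant_teams)
    second = make_assertion("alice@example.com", ["Project A Standard"])
    print(apply_login(tenant_users, tenant_teams, second), tenant_teams, tenant_users)
```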
Slide 8

• Organise Public Folders so as to take advantage of rights inheritance.
  – Not too deep! Users experience the structure!
  – Avoid too many clicks for the user.
• A folder per Project (or Line of Business).
  – The generic ‘Models’ folder generally isn’t suitable, as different models need to be secured differently. Storing all models in one folder means managing the security on every model individually.
  – Models are best placed in each Project’s folder so as to benefit from folder security inheritance.
  – Users will also be less confused. It makes more sense that Stories and Models are in the same place.
• Top Tip – Delete the system-generated ‘Models’ folder.
• From wave 2019.13 (and the 2019 Q3 Quarterly Release) you can limit who can create content in the Public root.
[Diagram: the Public root folder containing Project A, Project B, Project C and the system-generated Models folder]
Slide 9

[Diagram: Teams ‘Project A Standard’, ‘Project A Ad-Hoc’ and ‘Project A Secure’ granted rights on the ‘Project A’ folder and its ‘Ad-Hoc’ and ‘Secure’ sub-folders; rights shown are Read, Create, and Read (deny others)]
• Assign the rights as shown between Teams and Folders.
• Store the ‘standard’ models/stories/applications in the Project ‘root’ folder so as to keep the number of clicks down.
  – The 'Standard' sub-folder could be used, but such a folder is unnecessary and just forces the user to make an additional click. So it is best to collapse it into the 'root' of the Project Folder.
• A typical Project will contain
  – 'Standard' content that everyone within the Project will need access to. This content is 'static' in general and 'approved' by 'IT' for standards, layout and performance etc.
  – Ad-hoc content. This is content the Business Users create and use. Once content here is identified as 'business critical', it should be managed by 'IT', brought up to standards (for layout and performance etc.) and then moved into the 'Standard' content area (potentially via a development environment beforehand).
  – Secure content. This is content that only a selected number of users within the Project have access to.
Slide 10

• Use inheritance to your advantage.
  – Avoid assigning rights on individual files or to individual users.
  – Assign rights to Teams and Folders only.
• Denying rights
  – You cannot explicitly ‘deny’ a right.
  – You can only grant rights.
  – So, remove the right from ‘All Users’ as required.
• Content, including models, can be searched by name.
• A good naming convention is essential.
  – For models, content (stories, applications) & folders.
  – Users like ‘codes’ to ease searching.
  – Avoid long names as they clutter the interface.
• Top tip
  – Filter the file types to exclude Models.
  – It prevents users from seeing Models listed alongside other content, like Stories and Digital Boardrooms.
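The authorisation rules from slides 4, 5, 9 and 10 (union of role rights, folder rights granted to teams and users but never roles, inheritance down the folder tree, and no explicit deny) as a small Python model. This is an added example, not SAP code: the role, team, user and folder names are constructed, and the model assumes that a folder with its own sharing settings replaces the inherited ones, otherwise the nearest ancestor's settings apply.

```python
"""Added example, not SAP code: a toy model of the rights rules the slides
describe. Roles hold application rights and a principal in several roles gets
their union; teams aggregate roles; folder/file rights are granted to teams and
users only and flow down to children; there is no explicit deny, so access is
narrowed by not granting 'All Users'. Modelling assumption: a folder with its
own sharing settings replaces the inherited ones."""
from __future__ import annotations

from dataclasses import dataclass, field

ALL_USERS = "All Users"


def _parent(path: str) -> str | None:
    """'Public/Project A/Ad-Hoc' -> 'Public/Project A'; the root has no parent."""
    return path.rsplit("/", 1)[0] if "/" in path else None


@dataclass
class Tenant:
    role_rights: dict[str, set[str]] = field(default_factory=dict)   # role -> application rights
    role_members: dict[str, set[str]] = field(default_factory=dict)  # role -> users and teams assigned
    team_members: dict[str, set[str]] = field(default_factory=dict)  # team -> users
    sharing: dict[str, dict[str, set[str]]] = field(default_factory=dict)  # path -> principal -> rights

    def teams_of(self, user: str) -> set[str]:
        return {team for team, members in self.team_members.items() if user in members}

    def application_rights(self, user: str) -> set[str]:
        """Union of the rights of every role the user, or one of the user's teams, is assigned to (slide 4)."""
        principals = {user} | self.teams_of(user)
        rights: set[str] = set()
        for role, members in self.role_members.items():
            if principals & members:
                rights |= self.role_rights[role]
        return rights

    def effective_sharing(self, path: str) -> dict[str, set[str]]:
        """Sharing settings that apply to path: its own if set, else the nearest ancestor's (inheritance)."""
        node: str | None = path
        while node is not None:
            if node in self.sharing:
                return self.sharing[node]
            node = _parent(node)
        return {}

    def object_rights(self, user: str, path: str) -> set[str]:
        """Folder/file rights come only from the user, the user's teams and 'All Users' (slide 5).
        Roles are deliberately not consulted: a team's folder rights do not reach users who
        merely share a role with that team."""
        principals = {user, ALL_USERS} | self.teams_of(user)
        acl = self.effective_sharing(path)
        rights: set[str] = set()
        for principal in principals:
            rights |= acl.get(principal, set())
        return rights


def build_demo_tenant() -> Tenant:
    """Constructed tenant reproducing the slides' scenarios (all names are made up)."""
    t = Tenant()
    t.role_rights = {
        "BI Viewer (custom)": {"Story.Read"},
        "BI Creator (custom)": {"Story.Read", "Story.Create", "Model.Read"},
    }
    t.team_members = {
        "Project A Standard": {"userB", "userC"},
        "Project A Ad-Hoc": {"userC"},
        "Project A Secure": {"userC"},
    }
    # userA is in the viewer role directly but in no team (slide 5);
    # userC reaches both roles through two teams and so gets their union (slide 4).
    t.role_members = {
        "BI Viewer (custom)": {"Project A Standard", "userA"},
        "BI Creator (custom)": {"Project A Ad-Hoc"},
    }
    t.sharing = {
        "Public": {ALL_USERS: {"Read"}},
        # Project folders carry their own sharing, so 'All Users' is no longer granted
        # below this point: that is the only way to 'deny' (slide 10).
        "Public/Project A": {"Project A Standard": {"Read"}},
        "Public/Project A/Ad-Hoc": {"Project A Standard": {"Read"}, "Project A Ad-Hoc": {"Read", "Create"}},
        "Public/Project A/Secure": {"Project A Secure": {"Read"}},  # Read (deny others), slide 9
    }
    return t


if __name__ == "__main__":
    demo = build_demo_tenant()
    for u in ("userA", "userB", "userC"):
        print(u, demo.application_rights(u), demo.object_rights(u, "Public/Project A/Secure"))
```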
Contact information:
Matthew Shaw
SAP
https://blogs.sap.com/2019/06/21/sap-analytics-cloud-security-concepts-and-best-practice/
@MattShaw_on_BI
Thank you.