Wednesday, 12 June 2024

Introducing new type of Data Access Control "Operator and Value" for SAP Datasphere

Row-level security in SAP Datasphere is implemented via Data Access Controls (DACs) to allow a more granular assignment of authorisations and access to data on dedicated views within a Space.

In general, DACs are created in SAP Datasphere as objects in their own right and control access to data for each user within a Space. Hence, an integral part of a DAC is a list of values a user is allowed to see for a dimension (e.g. 'Sales Units'). This list can be maintained in a local table, a view or even a table function. Each value a user is allowed to see must be represented by one record in this list of authorised values.

If a user should be authorised to see Sales Units from 2000 to 3000, this would mean that a thousand records would have to be maintained for this user, like in the example here. Before the introduction of the new type of DAC 'Boolean Operators', this was one of the major challenges in maintaining DACs and row-level security in SAP Datasphere. With the new type of DAC, this challenge is significantly reduced by the possibility to use Boolean Operators. But there are further improvements which address further integral requirements to efficiently implement row-level security for SAP Datasphere:

The possibility of using Boolean Operators brings the following benefits:

  • Maintenance effort: There is no need anymore to maintain every dedicated value a user is allowed to see! In our example from above, if a user should be enabled to see 'Sales Units' between 2000 and 3000, a range can be defined with the lower value 2000 and the upper value 3000. This is just one record in the list of authorised values to give a user access to all data for dimension 'Sales Unit' between 2000 and 3000. Besides the significantly reduced administration effort, there is an additional benefit which comes along with this new type of DAC.
  • Flexibility: In our example just suppose: A new 'Sales Unit' is introduced in the range the user is allowed to see (e.g. 'Sales Unit': 2501). Having the range defined between 'Sales Units' 2000 and 3000 the user is automatically allowed to see data of this new Sales Unit without the need to update the list of authorised values. Thus, the usage of Boolean Operators also increases flexibility a lot.

Another important capability to increase flexibility concerns cases where authorisations should be checked not only for one dimension but for multiple dimensions (e.g. in addition to 'Sales Unit', the check should be extended to 'Product Group').

Before the introduction of the new type of DAC this was also possible by adding just the additional column 'Product Group' to the DAC (or assigning a separate DAC which just checks the dimension 'Product Group' to the view).

  • Before the introduction of this new type of DAC those dimensions to be checked were always connected via a logical 'AND' meaning that the values for 'Sales Unit' AND 'Product Group' must match for a user at the same time to get access to the data. With the new type of DAC it can flexibly be decided how multiple columns are related with regards to security checks. So they can be related via a logical 'AND' or a logical 'OR' condition.
  • Increases performance: The DAC engine has been redesigned for this new type of DAC and takes advantage of SAP HANA Cloud structured filters. 

So when the new type of DAC supporting Boolean Operators is shipped, there are two types of DACs available: the initial one for simple scenarios and the new type of DAC. The benefit of this is that existing scenarios do not have to be changed or migrated. Customers can flexibly decide when and where to use the new type of DAC.

A third type of DAC is planned to be released to support authorisations on hierarchy nodes.

Configuration

Before we have a closer look at how to configure such a DAC, let's see which Boolean Operators are supported:

In general, all the Boolean Operators which are also available in SAP NetWeaver systems are supported. During configuration, either the mathematical symbol or the semantic abbreviation known from ABAP (SQL) can be used.

Even the operators to handle (sub-)strings like 'contains pattern' (CP) can be used, as well as the asterisk (*) value to grant access to all values of a dimension.

So - how can all of this be configured? Let's have a look at the customising. The central entry point to create DACs can be found in the Data Builder of SAP Datasphere (and not in the main menu anymore):

Behind this button both options to create the different types of DACs can be found: the initial type of DAC and the new type of DAC supporting Boolean Operators.

The field 'Structure' at the top of the design-time UI determines the type of DAC which is created. To create a DAC supporting Boolean Operators the type 'Operator and Values' must be selected.

The field 'Permission Entity' specifies the local table, view or table function which contains the list of authorised values. The structure of this 'Permission Entity' is fixed and can be seen underneath the latter screenshot. In the 'Criteria' section of the design-time UI, the columns of this 'Permission Entity' must be mapped to the respective fields of the DAC.

RestrictionID: Must be the key column of the Permission Entity and is just a continuous number which must be maintained. Each record must have a unique entry here.

Restriction Column: Here the relationship between multiple columns can be defined in case there are multiple columns to be checked against authorisations. Columns which should be related via a logical 'AND' condition should have the same number in this column. In this case a user can only see data from 'Germany' AND 'EMEA': both authorisations must apply for a record to be displayed in a view where this DAC is assigned.

In the example above there is a third column 'ProductGroup' having another value in the 'Restriction Column' (Value: 2). So if user 'John Smith' executes a view where this DAC is assigned, he sees data either where condition 1 is met (Country = Germany AND Region = EMEA) OR where condition 2 applies (ProductGroup between 10-20).

Criterion Column: This column contains the name(s) of the column(s) to be checked by this DAC. Later on, when the DAC is assigned to a view, those columns are matched to the respective columns of the view. The technical names of those columns do not have to be the same; the mapping is done later in the view maintenance.

Identifier Column: Contains the UserID a user of SAP Datasphere is using to log in to the system.

Operator Column: Contains the Boolean Operator to be used from the table of Boolean Operators shown above.

First and Second Value Columns: Contain the authorised values for each user or the ranges of authorised values.

The example above demonstrates that it is possible to define a set of logically combined authorisations for a given user if there are multiple dimensions to be checked for a view where this DAC will be assigned. It is also possible to define multiple conditions on one dimension (e.g. a user is allowed to see Product Groups between 1-10 AND/OR 20-30).
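
The AND/OR semantics of the Restriction column, as a small Python model added here for illustration (not SAP code and not the DAC engine). The user IDs, the sample rows and the operator subset (EQ, BT and * only) are constructed assumptions, as is denying users that have no permission record.

```python
from collections import defaultdict

# Constructed permission records in the column order described above:
# (RestrictionID, Restriction, Criterion, Identifier, Operator, First, Second)
PERMISSIONS = [
    (1, 1, "Country",      "john.smith", "EQ", "Germany", None),
    (2, 1, "Region",       "john.smith", "EQ", "EMEA",    None),
    (3, 2, "ProductGroup", "john.smith", "BT", 10,        20),
    (4, 1, "Country",      "jane.doe",   "*",  None,      None),
]

# Constructed rows of a view protected by the DAC.
SAMPLE_ROWS = [
    {"Country": "Germany", "Region": "EMEA", "ProductGroup": 99},
    {"Country": "France",  "Region": "EMEA", "ProductGroup": 15},
    {"Country": "Germany", "Region": "APJ",  "ProductGroup": 30},
]

def criterion_matches(op, first, second, value):
    """Evaluate one permission record against one column value."""
    if op == "*":
        return True
    if op == "EQ":
        return value == first
    if op == "BT":
        return first <= value <= second
    raise ValueError(f"operator not modelled: {op}")  # refuse, never grant

def row_visible(user, row, permissions=PERMISSIONS):
    """True if row passes every criterion of at least one restriction."""
    restrictions = defaultdict(list)
    for _rid, restriction, criterion, identifier, op, first, second in permissions:
        if identifier == user:
            restrictions[restriction].append((criterion, op, first, second))
    # Same restriction number: AND. Different restriction numbers: OR.
    # Assumption of this model: a user without records matches nothing.
    return any(
        all(c in row and criterion_matches(op, f, s, row[c])
            for c, op, f, s in criteria)
        for criteria in restrictions.values()
    )

def visible_rows(user, rows=SAMPLE_ROWS):
    return [row for row in rows if row_visible(user, row)]
```

For the constructed user john.smith, the first sample row passes restriction 1, the second passes restriction 2, and the third passes neither.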

So far only the DAC was created as a standalone object which can be assigned to one or multiple views containing the columns which are checked against the dimensions and authorised values in this DAC.

If this DAC should actively check authorisations it must be assigned to the view in its property section. There is a dedicated option to select an existing DAC for the view. Press the 'ADD' button and choose the DAC to be taken.

Having selected the DAC, in a second step the fields to be checked by the DAC must be matched to the respective columns of the view. Again, the column names do not have to match, but the values in the columns of the view must be in the same format as in the Permission Entity used by the DAC.

After re-deploying the view with the DAC assigned, the authorisation checks are activated for this view.
