SAC - Intersection between different Data access roles

0 Kudos

Hi,

How can I create an intersection between 2 different data access roles in SAC for a specific user?
Both of the roles apply a different data access to a specific model.

For a basic example, one role allows data access to the "EMEA" region and the second role allows access to the "Leonardo" customer.

When a user has both of the roles, he can access the union between them by default at the moment.

I want to see only the intersection. In the above example, I want the user to be able to access "Leonardo" customer in "EMEA" region data and not the union.

Thank you,
Idan

Accepted Solutions (1)

VijayetaSharma
Active Contributor
0 Kudos

sac-developer123, can you insert the image again?

By the way, Data Access Control on dimensions and Data Access Privacy (aka Model Data Privacy) on the model are two different things. I guess you know this already.

What I am suggesting is to use DAC on dimensions with least access and, where required, use DAP/MDP for elevated access via roles.
Now say both roles are assigned to the same user. As DAP/MDP is specific to a model, elevated access will be granted to one particular model.
On the other hand, DAC is global and has the same access in all the models where the dimension is used. So in a model without MDP setup, access will be granted to only "Leonardo".

The other way around is also possible, where you have given higher access (EMEA) via DAC and all models have higher access. You restrict one model by DAP/MDP to only "Leonardo".

This way you do not need intersection of two roles.

Answers (3)

0 Kudos

Thank you vijayeta.sharma.

Now I see what you mean; this is a different way to protect the data.

The problem is that, using that way, it needs to be applied manually to the dimensions, the same as the model-level access privilege.

I want merging roles to automatically make an intersection, without manually entering the restriction of each dimension for specific users.

If you didn't understand me, we can talk on Google Meet; my email is idan.huber@iprosis.com

Thank you very much,
Idan

VijayetaSharma
Active Contributor
0 Kudos

sac-developer123, maybe after business hours. Year end, you know 🙂

Although I think we can resolve this. We are very close.

A typical SAC security setup starts with DAC and uses MDP as and where required. DAC lets you share access across models (where the dim is used) in the SAC tenant and hence requires less maintenance, whereas MDP is reserved for specific scenarios and requires more maintenance. A DAC-based setup is done using individual user IDs or Teams (common).

0 Kudos

Sorry @vijayeta.sharma, there was a problem uploading the screenshot.

Role 1:

Role 2:

I want to use multi-role data access for the same user, so that the choosing of dimensions will be only at the role level for a model. My purpose is to see the intersection between multiple roles. When I use DAC, it will be, as you said, global for the dimension, above the model. I need to intersect the data at the model level.

Sorry if I wasn't clear.

Thanks,
Idan

VijayetaSharma
Active Contributor
0 Kudos

Not a problem 🙂

Thanks for sharing the snapshot. It helped me understand what you already have.
What you are using is a model-level access privilege (via MDP - Model Data Privilege) role. For your scenario, you need to use a combination of model-based access and dimension-based access. This should do the trick.

In your snapshot I can see Customer and Region available under the Data Access Control (aka DAC) section. They are off in your case.
Once you enable them, you should be able to see additional columns/properties (read and write) for the Region and Customer dimensions. Here you can define an additional layer of security. You should be able to define another level of access control (on dimensions).

The rest is already explained in previous posts. This should let you get what you are looking for.

Let me know if you have any query.

VijayetaSharma
Active Contributor
0 Kudos

Hello Idan,

You can control this by a combination of Data Access Control (on dimensions) and the Data Model Privacy ("Model Preferences > Data Access > Model Data Privacy") option.

Give least privilege to DAC (on dimensions). In your case it will be only "Leonardo". If a model requires higher access (say EMEA), then set up a DMP role for that model. Now, for that specific model, the union of DAC and DMP will result in giving access to the entire EMEA region.

Additional Details:

Model-based access (via Security > Roles > Select Model) is used along with dimension-based access to achieve specific scenarios of access. Example: a user is authorized to see US in the country dimension, but in the model, that user should see all the countries. This can be achieved by allowing the user at the specific model level. Access will be the union of privileges on the dimension as well as on the model.

If you find the solution helpful, don't forget to up-vote and accept it as best answer 🙂

Thanks,

Vijayeta

0 Kudos

Hi Vijayeta,
Thank you for your fast answer.

In the model settings, the model is defined as a data access.

All the data access dimensions' access is being used in the role data access to the model, like in the screenshots:

I still didn't understand how to reach the intersection of the roles in order to see in the example only "Leonardo" (customerID =100) data and not the UNION of all "EMEA" (region = 10).

Is there a way to intersect between the roles?

Thanks,
Idan
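
The union-versus-intersection behaviour discussed in this thread, as an added example that is not part of any post and is not SAC code: a simplified model in which each role is a set of allowed dimension values and grants are additive. The rows, role dictionaries and function names are constructed for illustration; only the values region = 10 ("EMEA") and customerID = 100 ("Leonardo") come from the thread. `overexposed` is the check an administrator would run to see what a user with both roles can read beyond the intended intersection.

```python
# Simplified model of additive role grants; an assumption-based sketch, not SAC code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Row:
    region: int
    customer_id: int
    amount: int

# Constructed sample facts: region 10 = "EMEA", customerID 100 = "Leonardo".
ROWS = [
    Row(10, 100, 5),   # EMEA, Leonardo
    Row(10, 200, 7),   # EMEA, other customer
    Row(20, 100, 3),   # other region, Leonardo
    Row(20, 300, 9),   # matched by neither role
]

# A role grants a row when every dimension it lists matches (hypothetical format).
ROLE_EMEA = {"region": {10}}
ROLE_LEONARDO = {"customer_id": {100}}

def role_allows(role, row):
    return all(getattr(row, dim) in allowed for dim, allowed in role.items())

def union_access(roles, rows):
    """Additive semantics: a row is visible if ANY assigned role grants it."""
    return [r for r in rows if any(role_allows(role, r) for role in roles)]

def intersection_access(roles, rows):
    """Restrictive semantics: a row is visible only if EVERY role grants it.
    A user with no roles sees nothing (all() over an empty list would be True)."""
    return [r for r in rows
            if roles and all(role_allows(role, r) for role in roles)]

def overexposed(roles, rows):
    """Rows the union exposes beyond the intended intersection."""
    wanted = set(intersection_access(roles, rows))
    return [r for r in union_access(roles, rows) if r not in wanted]

if __name__ == "__main__":
    roles = [ROLE_EMEA, ROLE_LEONARDO]
    print("union:       ", union_access(roles, ROWS))
    print("intersection:", intersection_access(roles, ROWS))
    print("overexposed: ", overexposed(roles, ROWS))
```
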