SapHanaTutorial.Com HOME     Learning-Materials Interview-Q&A Certifications Quiz Online-Courses Forum Jobs Trendz FAQs  
     Explore The World of Hana With Us     
About Us
Contact Us
 Apps
X
HANA App
>>>
Hadoop App
>>>
Tutorial App on SAP HANA
This app is an All-In-One package to provide everything to HANA Lovers.

It contains
1. Courses on SAP HANA - Basics, Modeling and Administration
2. Multiple Quizzes on Overview, Modelling, Architeture, and Administration
3. Most popular articles on SAP HANA
4. Series of Interview questions to brushup your HANA skills
Tutorial App on Hadoop
This app is an All-In-One package to provide everything to Hadoop Lovers.

It contains
1. Courses on Hadoop - Basics and Advanced
2. Multiple Quizzes on Basics, MapReduce and HDFS
3. Most popular articles on Hadoop
4. Series of Interview questions to brushup your skills
Apps
HANA App
Hadoop App
';
Search
Stay Connected
Search Topics
Topic Index
+
-
SAP HANA Modeling
+
-
Spatial Processing
+
-
Predictive Analysis

Analytic Privilege

In the article SAP HANA Modeling Introduction and SAP HANA Calculation View we explained the basics of SAP HANA data modeling. We also learnt how to create modeling views in Build Your First SAP HANA Model in 10 Minutes
In this article we will explain what is Analytic privilege in HANA and how does it work.

What is Analytic Privileges?

Analytic privileges control access to SAP HANA data models.
Analytic privileges are used to grant different users access to different portions of data in the same view depending on their business role. It allows us to maintain row-level access.

Why do we need Analytic Privilege?

SQL privileges implement authorization at object level only. Users either have access to an object, such as a table, view or procedure, or they do not.

While this is often sufficient, there are cases when access to data in an object depends on certain values or combinations of values. Analytic privileges are used in the SAP HANA database to provide such fine-grained control of which data individual users can see within the same view.

Example:

SAP HANA Modeling

Suppose there is a calculation view which contains the sales data of all the regions like Asia, Europe and America.

The regional managers must have access to the calculation view to see the data. However, managers should only see the data for their region. The manager of America region should not be able to see data of other region.

In this case, an analytic privilege could be modeled so that they can all query the view, but only the data that each user is authorized to see is returned.

Important Facts about Analytic Privileges:

    • Analytic privileges are intended to control read-only access to SAP HANA information models, that is
        • Attribute views
        • Analytic views
        • Calculation views
    • Analytic privileges do not apply to database tables or views modeled on row-store tables.

Create and Manage Analytic Privilege.

Here is the sequence of steps to achieve this
  1. Create Analytic Privilege and assign restriction for region “Asia”.
  2. Assign the Analytic Privilege to User to restrict the data on HANA Views.

SAP HANA System Privileges Required to Create/Manage Analytic Privilege:

To create analytic privileges, the system privilege CREATE STRUCTURED PRIVILEGE is required.
To drop analytic privileges, the system privilege STRUCTUREDPRIVILEGE ADMIN is required.

In the SAP HANA modeler, repository objects are technically created by the technical user _SYS_REPO, which by default has the system privileges for both creating and dropping analytic privileges.
The database user requires the package privileges REPO.EDIT_NATIVE_OBJECTS and REPO.ACTIVATE_NATIVE_OBJECTS to activate and redeploy analytic privileges in the Modeler.

Steps to Create an Analytic Privilege:

Prerequisite:
We need to create the modeling view first which will be used in the Analytic Privilege.
Create a calculation view by following the article Create a calculation view in 10 minutes.
The output of the calculation view is

SAP HANA Modeling

Let us see how we can restrict the output only for "Asia" region.
    1. Right click on the package and select “Analytic Privilege”

      SAP HANA Modeling

    2. Specify Name and label for the Analytic Privilege

      SAP HANA Modeling

    3. Select the calculation view and click on Add button. Then click on “Finish”.

      SAP HANA Modeling

    4. Click on Add button as shown below and select the column REGION_NAME.

      SAP HANA Modeling

    5. Now we need to assign the restriction. Click on the add button as shown below and select the value “Asia”.

      SAP HANA Modeling

    6. Save and activate the analytic privilege.
The analytic privilege is ready. Now we can assign this analytic privilege to any user.

Assign Analytic Privilege to a User:

Note: You must have authorization to create/assign privileges to a user.
    1. Go to Security -> Users. Right click and create a new user. Specify user name and password.

      SAP HANA Modeling

    2. Click on the “Analytic Privileges” tab and add the analytic privilege created in previous step.

      SAP HANA Modeling

    3. You also need to assign following privileges required to get access to modeling views.
        • Execute & Select access on _SYS_BI
        • Execute & Select access on _SYS_BIC
        • Execute on REPOSITORY_REST
Done!! We have created an analytic privilege and assign that to a user.
Now add the same HANA system using new user. Open the data preview of the same calculation view. It will show only the data for region “Asia”.

SAP HANA Modeling


Support us by sharing this article.



Explore More
Close X
Close X

24 thoughts on “Analytic Privilege

  1. Hemchandra says:

    Here you have mentioned that we cannot assign analytic privileges on “Views MODELED on Row-store tables”, in your earlier topic on Modeling you have mentioned that Modeler does not support creating views on top of ROW store tables. i am confused when you can create a model at all on the tables how can try to assign Analytic privileges ?

    i would appreciate if you can Please elaborate “Views MODELED on Row-store tables” mean i.e. is it possible to create information models based on ROW store tables?

    Thanks
    Hemachandra

    • Admin says:

      Hi Hemachandra,
      There are 2 types of tables in HANA. Row Store and Column Store.
      Column store tables are mostly used for analytic applications. You can create modeling views (Attribute, Analytic and Calculation view) on top of Column Store tables.
      Analytic privileges can be used on top of these modeling views.

      Row Store can not be used to create Modeling views. But still we can create SQL views on top of Row Store tables. However SQL views created on top of Row Store table can not be used in Analytic privileges.

      Hope this will clear your doubts.

      • Sumeet says:

        Can you please explain what do you mean by SQL views here? As per my knowledge, whatever information models we create ( attribute,analytical or analytical view) column store tables are only supported, we cannot model on row tables.

        • Admin says:

          Hi Sumeet,
          By SQL views I meant standard SQL views created via SQL statement CREATE VIEW AS ….

          Although it is not efficient, but you still can create SQL views using statement (CREATE VIEW ) in HANA.

          Regards,
          Admin

      • Sumeet says:

        Also I have one more question as below.

        In the Apply Privilege Property of any Information view (In View Properties Tab), there exists two options
        Analytic Privilege
        SQL Analytic Privilege

        When I select SQL Analytic Privilege and activate the view it gets activated. But when I do Data Preview it throws error.
        Could some one explain what does SQL analytic privilege mean?

        BR
        Sumeet

        • Admin says:

          Hi Sumeet,
          SQL Analytic privileges are used for BW on HANA
          When BW object is converted into HANA view then these are generated automatically by the system as per the BW authorizations.

          Regards,
          Admin

          • Anni says:

            hi,

            I noticed that I have to change the classical analytic privilege to SQL analytic privilege when I create dynamic analytic privilege. Anyway I’m not able to view the raw data after changing the property, error saying not authorized…I’ve already set those modeling roles and privileges, such as _SYS_BI, _SYS_BIC, Repository_rest, mychema,root package…any advise?

            sincerely,
            Anni

  2. Wilchek says:

    Is it possible to structure AP and Permissions so that a user can consume an CA view which has other modeled views without having rights to run the child views directly? For Example if I have complex CA views I would like to basically have all of the children views be under the hood to the user and just set AP access and Row Level restrictions on the final Exposed CA view. Great resource here! TIA for any reply.

    • Admin says:

      Hi Wilchek,
      Before answering your question, let me explain a concept.

      Suppose there are 2 calc views. CalcView1 and CalcView2. CalcView1 is used inside CalcView2.
      Now you want to enable user to fetch data from CalcView2.

      This can be achieved via 2 ways.
      1- Create an AP for CalcView1 and another AP for CalcView2. Assign both of them to user.
      2- Create an AP and add both CalcView1 and CalcView2 in it. Assign this AP to end user.

      Please note that, AP of CalcView1 also should be assigned to user otherwise he will not be able to get data from CalcView2.

      Now coming to your question. No, this is not possible. As I mentioned in above concept, that you muct create AP for all the child views and assign them to user. Otherwise user will not be able to open the parent calc view.

      Regards,
      Admin

  3. DD says:

    Hi Admin,
    when attribute view is used in a analytic view, the AP created on attribute view is not working when the user is accessing the analytic view, Is my understanding correct ?

    Thanks
    DD

  4. CK says:

    Hi Admin,

    First of all, thanks for this beautiful site with excellent Hana knowledge.

    <>

    This statement looks to me little contradictory : <>

    Since i’m able to create information view using row store table and also able to apply analytical privilege on that view to restrict the records. It’s working fine.

    Please correct me if i am wrong.

    Best Regards
    CK.

  5. CK says:

    Sorry the statement is : Analytic privileges do not apply to views modeled on row-store tables.

  6. Sebastian says:

    Great article, thank you.
    Your link to “Create a calculation view in 10 minutes” is broken. In the html it should be “href” instead of “hre”.

  7. venkatesh says:

    hi

    how to assign following privileges required to get access to modeling views

    Execute & Select access on _SYS_BI
    Execute & Select access on _SYS_BIC
    Execute on REPOSITORY_REST

    • Admin says:

      Hello,

      Did you try this ?
      GRANT SELECT ON SCHEMA TO _SYS_REPO WITH GRANT OPTION;

      Please, email us for further query , send a screenshot of what are you doing at “admin@saphanatutorial.com” .

      Thanks,
      Admin

  8. Hana_RJ says:

    hi,

    great article ..thanks.
    my question is how to use procedures in AP.

  9. Ankush says:

    Hi ,
    I have Created AP and assigned it user. but still user is able to see all data. Did I missed something here?

  10. Guy Livne says:

    Hello,
    Thanks for the article.
    I’m using HANA SPS11 and created an AP based on Hierarchy dimension.
    It’s working fine in the hana studio but when consuming the HANA view via design studio dashboard, the privilege does not apply and I get all the data.
    It seems that the HANA studio does not recognize the application user from the design studio.
    Do you have any idea?
    Does all users have to be define as HANA users when I’m using privilege on application user?

    Thanks,
    Guy

  11. Hari Kumar says:

    Hi Admin,
    Good info on Analytic privileges.
    I created one accordingly but I am unable to see any view under my content folder for USER_1.
    Can you pls help me

  12. Sriram says:

    Hello
    Is there a way to find which HANA views have analytical privileges enabled through a sql command? which means does any table stores such data? please advice

    • Admin says:

      Hi Sriram,
      The is a system view called GRANTED_PRIVILEGES. You may use that. For example:
      SELECT * FROM GRANTED_PRIVILEGES WHERE OBJECT_TYPE = ‘ANALYTICALPRIVILEGE’

      Regards,
      SAPHANATUtorial.com Team

  13. Imran says:

    Hello,

    I’m creating analytic privilege on calculation view. Calculation view has projection 1 and projection 2 and their data source is attribute views. So when I created analytic privilege on calculation view I also added secured model attribute views for projection 1 and projection 2. When I preview data I run into authorization that Authorization failed in calculation engine. User is not authorization to ‘SELECT’. In object privilege I have added _SYS_BI, _SYS_BIC, AND REPOSITORY_REST along with attribute views. Please advise.

Leave a Reply

Your email address will not be published. Required fields are marked *

Current day month ye@r *

 © 2017 : saphanatutorial.com, All rights reserved.  Privacy Policy