
Embedded Analytics for SAP Commissions - Security Best Practices


This article covers security best practices for embedded analytics for SAP Commissions, including user security, data security and asset security.


Embedded analytics: Security Management

Embedded analytics for SAP Commissions supports three types of security management:

  • Role - A user's role determines the operations that the user can perform

  • Data Access - A user's data access permissions limit the data a user can view

  • Asset Access - Asset access places limits on, and determines, which stories a user can access. This is achieved through story and folder restrictions

Setting Up User Roles

A user's role determines the operations a user can perform in embedded analytics for SAP Commissions. The following three user roles are supported:

  • Viewer - Viewers can only view stories and cannot edit or create them

  • Author - Authors can create, edit and share stories

  • Administrator - Administrators can create, edit, and share stories, create teams and migrate stories across environments


User Roles are maintained in SAP Identity Authentication Service (IAS) by an IAS Admin.

Embedded analytics User Role and the IAS User Groups to assign:

  • Viewer - APP_SCAN, AUTHENTICATED_COMM-SCAN

  • Author - APP_SCAN, AUTHOR_COMM-SCAN

  • Administrator - APP_SCAN, ADMINISTRATOR_COMM-SCAN


In addition to the embedded analytics User Roles above, if you need to make a user a Sales Cloud AI (SCAI) admin, add the User Groups below.

SCAI Admin related IAS User Groups:

  • APP_SCAI

  • ADMINISTRATOR_COMM-SCAI

SCAI Admin access is needed to set up Data Access Permissions.


Procedure

  • Log in to the SAP Identity Authentication Service (IAS) application as an IAS Admin

  • Navigate to Users and Authorizations -> User Management and choose the user to whom you want to assign roles

  • Navigate to User Groups and select Assign Groups

  • From the list of available User Groups, assign the User Groups required for the role the user will perform in embedded analytics and SCAI

  • If any User Groups have to be removed, select the User Group and choose Unassign Groups

User Sync from IAS to Embedded Analytics

For users to be synced from IAS to embedded analytics for SAP Commissions, an IPS Admin must run or schedule the Read Job for the IAS source system in Identity Provisioning Service (IPS).

Setting up User Data Access Permissions for Stock Data Models

As part of data security, administrators can set up data access permissions for users. This allows you to limit the data a user can see and access.

The data that a user can analyze using embedded analytics Stock Data Models for SAP Commissions is determined by their data permissions settings.

Data can be secured using one of four options:

  • All - User can see all data

  • Business Units - A user can only see data in one or more selected Business Units

  • Position Groups - A user can only see data in one or more selected Position Groups

  • Position Hierarchy - A user can only see data attributed to a specific position in their org hierarchy and any subordinate positions

Data Security for Payees and Managers/Supervisors

  • For Payees who should see their own data, do not assign any data permission to the Payee. By default, the system will only show their own data.

  • For a Manager/Supervisor who should see their own data along with their subordinates' data, do not assign any data permission to the Manager/Supervisor. By default, the system will only show their own and their subordinates' data.

You can manage user data access permissions in the Sales Cloud AI (SCAI) for SAP Commissions application.

Procedure

  • Log in to the Sales Cloud AI for SAP Commissions application

  • Click the icon for the Setup (Current Users) tab

  • Select a user. The User Data Access Permissions pane opens below the current users table, and the current data permissions for the user appear

  • Select an option from the Data Permission Type dropdown.

  • If you selected Business Units, Position Groups, or Position Hierarchy, another dropdown appears. Use this dropdown to further specify the data access restrictions.

  • Click Save.

Setting Up User Data Access Permissions for Custom Data Models

If you have a business scenario that requires a Custom Data Model, follow the steps below as an example of how to provide the correct User Data Access to the Custom Data Model.

  • Log in to SAP WebIDE and navigate to Database Explorer.

  • Create a View in the EXT Schema, based on any combination of TCMP/EXT Tables, with Structured Privilege Check.

The View should follow the naming convention CSA_<VIEWNAME>_SVW_<CUSTOMERCODE>


Code snippet

CREATE VIEW EXT.CSA_<VIEWNAME>_SVW_<CUSTOMERCODE> AS SELECT * FROM (….) WITH STRUCTURED PRIVILEGE CHECK;

  • Create Structured Privileges in the EXT Schema for the EXT Schema View.

Code snippet

CREATE STRUCTURED PRIVILEGE <ANY_PRIVILEGE_NAME> FOR SELECT ON EXT.CSA_<VIEWNAME>_SVW_<CUSTOMERCODE> WHERE …..

In the WHERE condition you can filter the view data based on any scenario you want. To get the UserID from embedded analytics in your WHERE clause, you can use SESSION_CONTEXT('APPLICATIONUSER').


Example 1: For a Payee/Manager to access their data along with Subordinate data from this EXT View.


Example 2: Admin who has been assigned ALL Data Security for Stock Models should be able to see complete data for the EXT View.

  • Add grants for Structured Privilege.


Code snippet

GRANT STRUCTURED PRIVILEGE <ANY_PRIVILEGE_NAME> TO <TENANT_ID>;
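
A worked version of Examples 1 and 2 above, added here for illustration (it is not SAP's code or part of the original article). The DEMO_* tables, the ACME customer code and the DEMO_SP_* privilege names are hypothetical, and it assumes each user's visible payees are kept in a mapping table in the EXT schema; <TENANT_ID> stays a placeholder for your tenant user.

```sql
-- Added example. Every object name here (DEMO_*, ACME, DEMO_SP_*) is a
-- hypothetical placeholder, not an SAP Commissions object.

-- Constructed fact table: one row per credit, keyed by the payee's user ID.
CREATE COLUMN TABLE EXT.DEMO_CREDITS (
    CREDIT_ID    INTEGER PRIMARY KEY,
    PAYEE_USERID NVARCHAR(127) NOT NULL,
    CREDIT_VALUE DECIMAL(25,10)
);

-- Constructed scope table: each user has a row for themselves, and a manager
-- has one more row per subordinate. No row means no access.
CREATE COLUMN TABLE EXT.DEMO_USER_SCOPE (
    VIEWER_USERID NVARCHAR(127) NOT NULL,
    PAYEE_USERID  NVARCHAR(127) NOT NULL,
    PRIMARY KEY (VIEWER_USERID, PAYEE_USERID)
);

-- Constructed list of users holding the ALL data permission.
CREATE COLUMN TABLE EXT.DEMO_ALL_ACCESS (USERID NVARCHAR(127) PRIMARY KEY);

-- Explicit column list instead of SELECT *, so new base-table columns are
-- not exposed to stories by accident.
CREATE VIEW EXT.CSA_DEMOCREDITS_SVW_ACME AS
    SELECT CREDIT_ID, PAYEE_USERID, CREDIT_VALUE
    FROM EXT.DEMO_CREDITS
    WITH STRUCTURED PRIVILEGE CHECK;

-- Example 1: own rows plus subordinates' rows.
CREATE STRUCTURED PRIVILEGE DEMO_SP_OWN_AND_SUBORDINATES
    FOR SELECT ON EXT.CSA_DEMOCREDITS_SVW_ACME
    WHERE PAYEE_USERID IN (
        SELECT PAYEE_USERID FROM EXT.DEMO_USER_SCOPE
        WHERE VIEWER_USERID = SESSION_CONTEXT('APPLICATIONUSER'));

-- Example 2: every row, but only for users listed in DEMO_ALL_ACCESS.
CREATE STRUCTURED PRIVILEGE DEMO_SP_ALL_DATA
    FOR SELECT ON EXT.CSA_DEMOCREDITS_SVW_ACME
    WHERE PAYEE_USERID IN (
        SELECT c.PAYEE_USERID
        FROM EXT.DEMO_CREDITS c, EXT.DEMO_ALL_ACCESS a
        WHERE a.USERID = SESSION_CONTEXT('APPLICATIONUSER'));

-- Both privileges go to the tenant user; filters of granted privileges are
-- combined with OR, so each story user gets the union of what matches.
GRANT STRUCTURED PRIVILEGE DEMO_SP_OWN_AND_SUBORDINATES TO <TENANT_ID>;
GRANT STRUCTURED PRIVILEGE DEMO_SP_ALL_DATA TO <TENANT_ID>;
```

A user with no row in either constructed table matches neither filter and sees no rows from the view.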


Asset Access

Asset access places limits on, and determines, which stories a user can access. This is achieved through story and folder restrictions.

On the Story Level

As an Admin or Author in embedded analytics for SAP Commissions, you can share a story you create with other users or teams.

  • During or after story creation, navigate to the Share option, where you can share the story with users or teams.

The chart below illustrates the different access levels.

On the Folder Level

In embedded analytics for SAP Commissions, Admins/Authors can create Folders and save Stories to them. Instead of sharing at the Story level, you can share the Folder, and all the Stories in the Folder will have the same Folder-level access.

  • Go to any Folder and navigate to the Share option, where you can share the Folder with users or teams.

  • Follow the same steps described in On the Story Level to give Users/Teams access to the Folder.


Conclusion

In this article we covered security-related best practices for embedded analytics. With the information provided, you should be able to do the following:

  • Assign Correct User Roles in Identity Authentication Service (IAS)
  • Assign Correct User Data Permissions for Stock Models in Sales Cloud AI (SCAI)
  • Assign Correct User Data Permissions for Custom Data Models
  • Assign Correct Asset Access

Congratulations, you now understand the security best practices for embedded analytics on SAP Commissions. Your next step should be to understand how to set up and use Customer IDP/SAP IAS SSO.
