Introduction
In SAP Analytics Cloud (SAC), managing access isn’t just about assigning roles—it’s also about controlling how deeply users can interact with content and data. This is where SAC’s security levels come in.
SAC offers three primary levels of security: Role-level, Folder-level, and Model-level. Each level gives you a different degree of control over what users can see or do in the system.
This knowledge base article walks through each level of security, how permissions work at each layer, and how they combine to protect your organization’s data while enabling collaboration.
Security Levels in SAP Analytics Cloud
Role-Level Security (Broadest Control)
Role-level security defines what a user can do across the system, such as viewing dashboards, creating models, or managing users. Roles are typically based on job responsibilities and are either assigned directly to a user or inherited through team membership.
Examples:
- A Viewer role may allow users to read but not edit content.
- A Content Creator role may allow users to build and publish dashboards and models.
- An Admin role may provide access to all system settings, including user management and security configuration.
💡Tip: Use role-level security to establish baseline permissions for different types of users across the organization.
Folder-Level Security (Intermediate Control)
Folder-level permissions determine who can access, view, or edit specific content stored in SAC folders, such as stories, dashboards, and reports.
SAC has different types of folders:
- Team Folders: Shared among all users within a team. Any member can typically create, edit, or delete content within it.
- Public Folder: Acts as the main content repository. Access to subfolders is managed via permissions.
- User Folder: Private to each user. Other users cannot access this unless content is explicitly shared.
Folder-level access can be configured as:
- View Only: User can view content but cannot make changes.
- Edit: User can view and modify content.
- No Access: User cannot see the folder or its contents.
💡Best Practice: Use team-based folder access wherever possible to reduce administrative overhead and keep content organization consistent.
Model-Level Security (Most Granular Control)
Model-level security controls access to the actual data within a model. It allows you to restrict what data users can view—even if they have access to the story or dashboard.
This is useful when:
- Different users need to see different slices of the same dataset (e.g., regional managers seeing only their region’s data).
- Sensitive data should only be accessible by authorized users (e.g., HR data or financials).
You can apply data access controls within a model by:
- Defining data access filters by dimension (e.g., region, business unit)
- Assigning users or teams to the appropriate data slices
🔔Reminder: Model-level security always overrides broader access when data sensitivity is a concern.
How Security Levels Work Together
These three layers of security work in combination to determine a user’s overall access:
- A user may have the role-level permission to edit content, but if they don’t have folder-level access, they still can’t reach the content.
- Even if they can open a dashboard, model-level restrictions might hide certain rows of data.
Understanding the hierarchy and interaction between these layers is essential to configuring SAC securely and effectively.
| Type | Description | Use Case |
|---|---|---|
|
Role-Level |
Broad system access |
Determine what types of actions a user can take (e.g., view vs. edit) |
|
Folder-Level |
Content access |
Control which dashboards, stories, or files a user can access |
|
Model-Level |
Data access |
Restrict the data a user can view or interact with inside models |
Summary
SAC uses a layered security model—through roles, folders, and models—to help organizations manage access in a way that’s both flexible and secure.
Want to dive deeper into how Users, Roles, and Teams work in SAP Analytics Cloud? Explore the full SAP Booster course here.
