Analysis Authorization - alternative to manual configuration?

Hey ONE DATA community,

on our project we are working with SAP data. In the final app users should only see results for the company code they are located in.

This information could for example be provided by a table containing the following columns

  • user name
  • company code

Currently, for the handful of users, we can configure analysis authorization manually. But what if in the future hundreds of users need access to our app?
Do you have experience with such a setup and know

  • the most efficient way to manage the access rights
  • the input needed to implement it

Thank you a lot

User management in large-scale user bases is always tricky - let alone when it comes to AA configurations. For larger user groups we can attach identity providers.
Is there any possibility to connect data from e.g. LDAP to the OD user accounts (as we do on internal)?

If the user has a list of companies in their user metadata in LDAP, this information should be extractable into a user-bound system variable (has to be configured via certain extraction rules, can point you to the internal documentation if needed). If you then in turn set up an AA dimension for columns containing the company, you can create a rule based on the user-bound system variable containing the company.

The setup is a bit complicated but it should be doable.
Currently, I cannot supply you with a working example. Maybe someone working with AA-enabled apps on internal can help you (at least with the “rule based on system variable” part). We might already have working setups for e.g. department-affiliation-based AA.


In the settings for analysis authorization you can rely, for example, on LDAP settings like email address.

What you can easily do is add the user ID to the table you want to filter and do it directly with user IDs.

1 Like
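The mapping-table idea from this thread, as an added example that is not from any of the posters and does not use ONE DATA's analysis authorization configuration: SQLite stands in for the data source, and the table names, function names and sample rows are all constructed assumptions. It shows the filter failing closed for unmapped users and access being managed as a bulk sync from a directory export rather than per-user configuration.

```python
import sqlite3

def build_demo_db():
    """Constructed sample data: user-to-company mapping plus result rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_company (
            user_name TEXT NOT NULL, company_code TEXT NOT NULL,
            PRIMARY KEY (user_name, company_code));
        CREATE TABLE results (
            doc_id INTEGER PRIMARY KEY, company_code TEXT NOT NULL, amount REAL);
        INSERT INTO user_company VALUES
            ('alice','1000'), ('bob','2000'), ('carol','1000'), ('carol','2000');
        INSERT INTO results VALUES
            (1,'1000',120.0), (2,'1000',75.5), (3,'2000',300.0), (4,'3000',42.0);
    """)
    return db

def visible_results(db, user_name):
    """Return only rows whose company code is mapped to user_name.

    The inner join fails closed: a user without a mapping row gets an empty
    result, never the unfiltered table. The user name is a bound parameter.
    """
    if not isinstance(user_name, str) or not user_name:
        raise ValueError("user_name must be a non-empty string")
    cur = db.execute(
        """SELECT r.doc_id, r.company_code, r.amount
           FROM results AS r
           JOIN user_company AS uc ON uc.company_code = r.company_code
           WHERE uc.user_name = ?
           ORDER BY r.doc_id""",
        (user_name,))
    return cur.fetchall()

def sync_mapping(db, directory_entries):
    """Replace the mapping with the current directory state in one transaction.

    directory_entries: {user_name: [company_code, ...]}, e.g. built from an
    LDAP export (assumed shape). Users or codes missing from the export lose
    access on the next sync; on any error the old mapping is kept.
    """
    pairs = sorted({(u, c) for u, codes in directory_entries.items() for c in codes})
    with db:  # commits on success, rolls back on exception
        db.execute("DELETE FROM user_company")
        db.executemany("INSERT INTO user_company VALUES (?, ?)", pairs)
    return len(pairs)
```

With this shape, onboarding hundreds of users is a data load into `user_company`, and revocation happens by the user or company code disappearing from the next export.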