� Mastering Data Security in SAP Datasphere: Enabling Department-Based Access Control

As organiza�ons scale, so does their data — and with it, the need for secure, role-based access. Not every user should see
every row of a sensi�ve dataset. In this ar�cle, we’ll walk through a real-world example of implemen�ng row-level
security in SAP Datasphere using Data Access Controls (DACs) — with a focus on department-based filtering.

We’ll go from raw data to secure views where users can only see records related to their department, using a no-code,
model-driven approach in SAP Datasphere.

Why Row-Level Security Maters

Imagine an HR dashboard that exposes salaries across the company. What if Sales staff can see Finance data? Or
Engineering sees HR records?

Enter Data Access Controls (DACs) — a powerful way to enforce who sees what in a secure, scalable way. In our example,
users will only access employee records for their own department, without wri�ng a single line of code.

Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
The Use Case

We’re working with two datasets:

1. employee_data
Contains sensi�ve HR details such as:

o Employee_ID

o Full_Name

o Department

o Job_Title

o Salary

2. permissions
This acts as a mapping table that links users to the departments they are authorized to view:

o User_ID

o Department

Our goal: apply a department-level filter on employee_data based on the permissions table, using SAP Datasphere’s DAC
feature.

Step-by-Step Implementa�on

Step 1: Create the Data Access Control (DAC)

1. Go to Data Builder → Click Create > Data Access Control.

2. Name it:

o Business Name: Department Access Control

o Technical Name: Department_Access_Control

3. Set Structure to Single Values (each user maps to one department).

4. Choose the permissions table as the source.

5. Map:

o Iden�fier Column: User_ID

o Criteria Column: Department

This sets the rule: Only allow users to see rows where the Department = their assigned department.

Click Save.

Step 2: Create a View from employee_data

1. Drag employee_data into the Data Builder canvas.

3. Check that all fields (Employee_ID, Full_Name, Department, Job_Title, Salary) are present.

Step 3: Apply the DAC to the View

1. With the View selected, open the Proper�es panel (right side).

2. Under Data Access Controls, click � Add.

3. Select the Department_Access_Control DAC.

4. Click Save.

Now, this view is governed by department-level restric�ons.

Step 4: Join View Columns to DAC Columns

1. Open the Join tab in the View.

2. Map:

o View.Department → Department_Access_Control.Department

3. This is the filter condi�on for the DAC.

A�er the join is set, the DAC becomes ac�ve when the view is queried.

Step 5: Test the Result

1. Click Preview on the view.

2. If you're logged in as a user with access to “Sales”, you’ll only see rows where Department = Sales.

3. Try with different users (if possible) or simulate with roles.

You’ll no�ce:

• User E001 sees only Sales records.

• User E002 with Finance rights won’t see Sales data.

Row-level access control: � Done.

Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]
Final Result

Users now only see the employee data that they’re authorized to access, based on their department. This is managed
en�rely within SAP Datasphere — no manual filtering, no duplicated datasets, and no complex coding.

Disclaimer:SAP is a trademark of SAP SE. The systems mentioned, including SAP S/4HANA, ODP datasources, and SAP Datasphere, are part of trial and evaluation
systems. All content is for personal use only and not for productive or commercial purposes. Prepare by Poorna Mahe [email protected]