Discovering Basic Administration Tasks

Objective

After completing this lesson, you will be able to Discover basic administration tasks.

SAP Analytics Cloud Overview

SAP Analytics Cloud is a software as a service (SaaS) analytics platform designed by SAP. SAP Analytics Cloud is made specifically with the intent of providing all analytics capabilities to all users in one cloud native product.

SAP Analytics Cloud is a single solution for business intelligence and enterprise planning, augmented with the power of predictive analytics and machine learning technology. SAP Analytics Cloud solution helps all types of decision makers by combining business intelligence, enterprise planning, and augmented analytics into a single solution. You do not need to reply on standalone spreadsheets or disparate reporting and planning tools. It helps everyone in your organization make fast, confident decisions for better business outcomes.

As SAP Analytics Cloud is a SaaS solution that is fully managed by SAP, the underlying technologies are transparent to customers. Customers cannot deploy SAP Analytics Cloud on their own in a private cloud.

SAP Analytics Cloud is built on top of SAP Cloud Platform and leverages some of the services offered by the Cloud Platform.

As expected of any platform, SAP Analytics Cloud offers a set of platform services such as: auditing & monitoring, data connectivity, admin, lifecycle management, and many others. In this course, you will learn how to set up security and leverage some of these platform services that are offered.

SAP Analytics Cloud is a true SaaS service previously delivered in SAP data centers (SDC) on SAP’s own Neo platform. In 2018, SAP Analytics Cloud began rolling out on Cloud Foundry in AWS data centers. Most new customer tenants that are provisioned will be Cloud Foundry tenants. Systems hosted by SAP data centers use one digit in their URL, like us1 or jp1. Non-SAP data centers host systems use two digits, such as eu10 or us30.

SAP Analytics Cloud provides customers with global deployment options by partnering with SAP Cloud Platform and public cloud providers to support data center options that meet customer business needs:

Geo-location requirements.
Vendor specific preference.
Local security and privacy compliance laws requirements.

SAC leverages public cloud partners:

AWS: primary public cloud for SAP Analytics Cloud.
Azure: primary alternative option to AWS.
Alibaba: primary public cloud for China market and cyber security compliance.
AWS Government cloud: FedRamp certified data center to support the compliance needs of the U.S. government.

Since the launch of the product, SAP Analytics Cloud is on fast development cycle and the system received updates approximately every two weeks. As of version 2018.19, a change was made to move to a Quarterly Release Cycle to align with SAP’s global strategy for cloud application releases. This means you can expect a new version once every quarter. The system updates are done by the Cloud Operations team and it's not possible for customers to opt out of having the update done on their system. Currently (Q1 2024), the current version of SAP Analytics Cloud is 2024.2.1.

The quarterly release cycle means that you will be on a consistent version of SAP Analytics Cloud for more time. This extra time can be used to develop use-cases, train users, and deploy content within a consistent version of the solution.

While the majority of the customer tenants are updated on a quarterly basis, some customer tenants may still be on the biweekly update cycle and get an update every two weeks. Customers could potentially have a mix of tenants on quarterly release cycle and biweekly update schedule. As you will see later in the course, this scenario can present challenges for content movement between systems.

While SAC offers a comprehensive analytics solution, SAP has many customers who still leverage on-premise Business Intelligence tools such as SAP BusinessObjects BI or have data in their on-premise systems such as BW, HANA, S/4HANA, and many other third-party sources. Large number SAP customers will run hybrid landscapes where some data and applications are in the cloud while others are on-premise. SAP Analytics Cloud can seamlessly integrates with your data and planning solutions to simplify your analytics landscape. It can connect to data from multiple different sources and visually analyze your information to see the full picture of your business and make better-informed decisions. In this course, you'll learn how to connect SAC to variety of on-premise and cloud sources.

Create Users

There are multiple ways to create users in SAP Analytics Cloud. In this lesson, we'll cover the two basic ways of creating users in the system. Creating users via SCIM APIs and Dynamic User Creation using custom SAML IDP is covered later in the course.

The method described below assumes that SAP Analytics Cloud is using its default authentication provider. If you're using a custom SAML Identity Provider, you must provide slightly different information, depending upon how your SAML authentication is configured.

Create Users in the User List

User creation is done from the Main Menu → Security → Users area of SAP Anaytics Cloud.

Each user needs a unique ID. Only alphanumeric and underscore characters are allowed. The User ID is always in upper case characters. The maximum length is 20 characters.
Last Name and Email are mandatory fields. A welcome email with logon information will be sent to the users' email address.
Manager approves this user's request for new role assignments. Users can only request additional roles if they have a custom role that allows for self-service.
User roles can be assigned during user creation. If one or more default roles have already been created, you can leave Roles empty. Default roles will be assigned when you choose save.
User Type(license) is determined by the roles assigned to the user and the licenses available.
Hour glass symbol next to the Email indicates that the user has not yet logged into SAP Analytics Cloud.

The method described assumes that SAP Analytics Cloud is using its default authentication provider. If you're using a custom SAML Identity Provider, you must provide slightly different information, depending upon how your SAML authentication is configured.

Import or Modify Users from a File

When there is a need to create a large numbers of users, it's possible to import those users from a CSV file. When using this approach, it's best to first use the Export Users button to export the existing users from the users page to a CSV file. The CSV file will have the columns that the system is expecting so you can modify the existing file and add new users.

You can upload valid users with a simple file. The user data you want to import must be stored in a CSV file. At the minimum, your CSV file needs columns for User ID, Last Name, and Email, but it's recommended that you also include First Name and Display Name. The file can also include users' role assignments.

To Import Users from a CSV File:

Edit the downloaded CSV file to remove columns whose values you don't want to modify, and to remove rows for users whose values you don't want to modify. Do not modify the USERID column. This ensures that entries can be matched to existing users when you reimport the CSV.
Define mapping – this is a mandatory step. A default mapping is proposed.
Select the target field from the drop-down list.
After you choose the Import button on the Import Users pop-up, the new users are saved. New users will receive an email to activate their account.
This ensures that entries can be matched to existing users when you reimport the CSV.

These are the available mapping parameters when importing CSV user data:

Parameter	Description
User ID
First Name
Last Name
Display Name
Email
Manager
Roles
Mobile
Phone
Office Location
Function Area	Can be used to refer to a user's team or area within their organization.
Job Title
Clean up notifications older than	Set in user settings: When to automatically delete notifications.
Email Notification	Set in user settings.
Welcome message	Message that is shown to the user on the home screen.
Page tips	Enabled/disabled via the help center (deprecated).
Closed Page tips	Closed page tips are tracked so that they are not shown again.
Closed Item Picker Tips	Closed tool tips are tracked so that they won't be reopened again (for first time users).
Current Banner	Saves which banner is currently showing.
Last Banner	The UUID of the last closed banner.
Last Maintenance Banner Version	The version when the last maintenance banner was shown.
Marketing email opt in	Set in user settings.
Home screen content is initialized	If default tiles have been set for the home screen.
Expand Story Toolbar	Set in user settings.
Is user concurrent	If the user has a concurrent license.
Default Application	The application that will launch when you access your SAP Analytics Cloud URL. The default application can be set in System Administration System Configuration or in the user settings.
On the Edit Home Screen dialog, a user can override all the default preferences that have been set by the administrator for the system (System Administration Default Appearance). These are the preferences:
Override Background Option
Override Logo Option
Override Welcome Message
Override Home Search To Insight
Override Get Started
Override Recent Stories
Override Recent Presentations
Override Calendar Highlights

Standard Application Roles

A role represents the main tasks that a user performs in SAP Analytics Cloud. A role represents the main tasks that a user performs in SAP Analytics Cloud. For example, if a user wants to be able to open stories and digital boardroom presentations, but doesn't need to create them, you could assign them to the Viewer role. User who will create content in the system will need the Content Creator role. A user can be part of one or more roles and will get the union of rights provided by the roles. Multiple users can also be assigned to the same role either directly or via a team.

Roles and Permissions

SAP Analytics Cloud is delivered with several standard application roles. The roles you see will depend on the licenses included in your subscription.

A role comes with a collection of permissions. The standard application roles provide a set of permissions that are appropriate for each particular job role. For example, the BI Content Creator role includes the Create and Delete permissions, while the BI Content Viewer role doesn't:

Note

Existing standard roles can't be deleted or edited. If the standard roles don't suit your needs, you can create your own custom roles with the exact set of permissions you choose.

Licenses and Roles

To access the Roles page, go to (Main Menu) Security → Roles.

Roles are grouped by the license type they hold. This example shows some of the predefined standard roles associated with the Business Intelligence and Analytics Hub license type:

Each user's license consumption is determined solely by the roles that they've been assigned. For example, a user who has been assigned only the BI Admin standard role consumes only a Business Intelligence license.

Standard Roles

You can assign standard application roles directly to users or, if you have different business needs, you can use them as a template for defining new roles.

You must use the role IDs below when importing role assignments from CSV or assigning roles via the User & Team Provisioning API. For more information, see SAP Analytics Cloud User and Team Provisioning API.

Role	Role ID	Description
System Owner	`PROFILE:sap.epm:System_Owner`	Full Privileges Includes all user privileges to allow unrestricted access to all areas of the application. Only one user in the system can be assigned to this role, and it must always be assigned to a user. Can create, view, update or delete custom widgets.
Admin	`PROFILE:sap.epm:Admin`	Planning Administrator: Full Privileges Includes all task authorizations available in SAP Analytics Cloud. Usually assigned to the system administrator to set up users and roles and to perform system transports. Can create, view, update, or delete custom widgets.
Modeler	`PROFILE:sap.epm:Modeler`	Planning Modeler: Modeling Privileges Includes all authorizations that are required to manage models and dimensions. Usually assigned to the user who creates and changes models and dimensions. This role also grants authorizations for viewing analytic applications and working with the data analyzer. It also grants authorizations for viewing custom widgets.
Planner Reporter	`PROFILE:sap.epm:Planner_Reporter`	Planner Reporter: Planning and Reporting Privileges Includes all authorizations that are required to perform planning activities, such as revenue planning and automated discoveries. This role also grants authorizations for updating currency tables. Usually assigned to the user who does the planning and budgeting. This role also grants authorizations for viewing analytic applications and working with the data analyzer. It also grants authorizations for viewing custom widgets.
Viewer	`PROFILE:sap.epm:Viewer`	Planning Viewer: Read Privileges Includes read-only privileges. Usually assigned to the user who is allowed only to read the data. This role also grants authorizations for viewing analytic applications and working with the data analyzer. It also grants authorizations for viewing custom widgets.
BI Admin	`PROFILE:sap.epm:BI_Admin`	Business Intelligence Administrator: Full Privileges Includes all task authorizations including predictive. It excludes task authorizations related to planning. Usually assigned to the BI system administrator to set up users and roles. This role also grants all authorizations to view custom widgets. Note: Users with this role have access to content even if Data Access Control settings have been applied to that content.
BI Content Creator	`PROFILE:sap.epm:BI_Content_Creator`	Business Intelligence Content Creator: Create and Update Privileges Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions. This role also grants authorizations for viewing analytic applications and working with the data analyzer. It also grants authorizations for viewing custom widgets.
BI Content Viewer	`PROFILE:sap.epm:BI_Content_Viewer`	Business Intelligence Viewer: Read Privileges Includes read-only privileges for non-planning data. Usually assigned to the user who is allowed only to read the data. By default, this role does not include private files permissions. This role also grants authorizations for viewing analytic applications and working with the data analyzer. It also grants authorizations for viewing custom widgets.
Application Creator	`PROFILE:sap.epm:Application_Creator`	Application Creator: Analytics Designer Privileges Includes all authorizations that are required to manage analytic applications. Usually assigned to the user who creates and changes analytic applications. This role also grants authorizations for working with the data analyzer. This role also grants authorizations for viewing custom widgets.
SAPCP Content Creator	`PROFILE:sap.epm:HCP_Content_Creator`	SAP Cloud Platform Creator: Create and Update Privileges Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions. Note: The SAPCP roles allow access only to SAP Cloud Platform (SAPCP) as a data source.
SAPCP Content Viewer	`PROFILE:sap.epm:BI_Content_Viewer`	SAP Cloud Platform Viewer: Read Privileges Includes read-only privileges for non-planning data. Usually assigned to the user who is allowed only to read the data. By default, this role does not include private files permissions. Note: The SAPCP roles allow access only to SAP Cloud Platform (SAPCP) as a data source.
Digital Boardroom Viewer	`PROFILE:sap.epm:Boardroom_Viewer`	Includes the read-only privilege for the Digital Boardroom area. Usually assigned to the user who is allowed only to view boardroom agendas.
Digital Boardroom Creator	`PROFILE:sap.epm:Boardroom_Creator`	Includes all authorizations to create, edit, share, delete, and view boardroom agendas in the Digital Boardroom area.
Predictive Content Creator	`PROFILE:sap.epm:Predictive_Content_Creator`	Includes all authorizations to create, update, delete, and view predictive scenarios in the Predictive Scenarios area. You must grant both Create and Read privileges to ensure that the user can create predictive scenarios. For more information about the role, see Required User Roles for Predictive Scenarios.
Predictive Admin	PROFILE:sap.epm:Predictive_Admin	Among all task authorizations available in SAP Analytics Cloud, it includes all authorizations to create, update, delete, and view predictive scenarios in the Predictive Scenarios area. You need this role to add and configure Data Repositories, and this role is mandatory to publish a predictive model to a PAi application. For more information about the role, see Required User Roles for Predictive Scenarios.
Translator	`PROFILE:sap.epm:Translator`	Includes all authorizations to create, update, read, and delete an artifact with regards to translation.

SAP Analytics Hub Roles

You can assign the following SAP Analytics Cloud roles directly to SAP Analytics Hub end users or, if you have different business needs, you can use them as a template for defining new roles.

Role Role ID Description

Analytics Hub Admin PROFILE:sap.epm:Analytics_Hub_Admin Includes full assets and structure privileges. Usually assigned to the user who sets up the SAP Analytics Hub application. In addition, this user can perform all content management actions.

Analytics Hub Content Creator

Role	Role ID	Description
Analytics Hub Admin	`PROFILE:sap.epm:Analytics_Hub_Admin`	Includes full assets and structure privileges. Usually assigned to the user who sets up the SAP Analytics Hub application. In addition, this user can perform all content management actions.
Analytics Hub Content Creator	`PROFILE:sap.epm:HCP_Content_Creator`	Includes all authorizations to read, create, update, delete, hide, validate, and reject assets in SAP Analytics Hub. Usually assigned to the user who creates and modifies assets. Note: We recommend that you use the SAP Analytics Hub Content Creator role as a template to define two more specific roles for the content management. For more information about this recommendation, see Creating SAP Analytics Hub Specific Roles.
Analytics Hub Viewer	`PROFILE:sap.epm:Analytics_Hub_Content_Viewer`	Includes read-only privileges. Usually assigned to the user who is allowed only to read the assets.

PROFILE:sap.epm:HCP_Content_Creator

Includes all authorizations to read, create, update, delete, hide, validate, and reject assets in SAP Analytics Hub. Usually assigned to the user who creates and modifies assets.

Note:

We recommend that you use the SAP Analytics Hub Content Creator role as a template to define two more specific roles for the content management. For more information about this recommendation, see Creating SAP Analytics Hub Specific Roles.

Analytics Hub Viewer PROFILE:sap.epm:Analytics_Hub_Content_Viewer Includes read-only privileges. Usually assigned to the user who is allowed only to read the assets.

Data Security Using Dimension Access Controls

Use data access control to restrict access to individual values in the model to specific users.

Security at the level of individual dimensions adds two extra Read and Write columns to the data table for the dimension where it has been activated. You can use these to control access (based on teams or individual user IDs) to specific cells or values. To enable dimension security, switch on Data Access Control in the Dimension Settings or via the model preferences.

Once the Data Access Control is enabled for a dimension, Read and Write columns are available to define which user or team should have Read or Write access to that dimension member. For the Version dimension, a Delete column is added as well as Read and Write columns to control which users can delete each public version. If the dimension has hierarchical members, the data access settings will be inherited by the lower members of the hierarchy. For example, if you grant Read and Write access to United States, users will be able to see data for individual states as well.

Note

Restrictions created using Data Access Control apply only to transaction data (fact data). Master data (members in member selection dialogs) will still be visible.

Note

If a user is assigned the BI Admin role, or is the model owner, that user always has full access to the model, regardless of the DAC settings applied to that model

The following example illustrates how the data permissions restrict what users can do with the model.

Account: Access control enabled
Organization: Access control enabled
Version
Date

Member ID	Read	Write
P00001	MARTIN_BRODY	MARTIN_BRODY
P00002	MATT_HOOPER	MATT_HOOPER

Member ID	Read	Write
EMEA	MARTIN_BRODY	MARTIN_BRODY
Germany	-	-
France	-	-
APJ	MATT_HOOPER	MATT_HOOPER
US
China	-	-

Organization	Public Version: Account.P00001	Public Version: Account.P00002
EMEA	300	400
Germany	200	300
France	100	100
APJ	400	500
US	200	300
China	200	200

Organization	Public Version: Account.P00001
EMEA	300
Germany	200
France	100

Version Security

Adding version security to a model lets you restrict read, write, and delete access to public versions, to prevent other users or teams from changing them. Users who have read-only permission for public versions can still copy data to a private version that they can edit. Users who don't have write permissions can't publish into a public version. With delete permissions for a public version, a user can read, publish to, and delete a public version.

Similar to using Data Access Control (DAC) for other dimensions, you use DAC for Version dimensions to restrict access.

Only users with the Update privilege (defined in Security Roles) can set DAC for a version dimension.
Version security applies only to planning-enabled models.
The default read/write/delete permission is "none". You must explicitly enable read/write/delete access to users or teams, including yourself.
The Version dimension was named the Category dimension in older versions of the application.

To restrict read and write access to a Version dimension:

In the Modeler, open or create a model, and select the Version dimension.
In the Dimension Settings panel, switch Data Access Control on, and then select OK.
The three additional columns Read, Write, and Delete appear.
Select a cell under Read, and then select users and teams who you want to grant read access to.
Do the same for the Write and Delete cells, to grant write and delete access.

You can see details of your choices in the Preview panel.

Promotion of Content in SAP Analytics Cloud Landscapes

As an administrator, you might need to transfer content between systems in your landscape. For example, you might set up stories, analytic applications, and models in your test system and then move them to a production system when they're ready. The concept of Life Cycle Management or Promotion Management is not unique to SAP Analytics Cloud as this process is also done on-premise systems. The landscape architecture is however slightly different as SAP Analytics Cloud is a software as a service (SaaS) solution and runs in the cloud.

Even though SAC is a cloud solution, there's still need to have multiple environments (Sandbox, Dev, QA, Prod) for Life Cycle Management. At the very minimum, you should have at least two tenants to do Life Cycle Management. What is different, however, is that SAP Analytics Cloud systems are updated on a scheduled basis – typically quarterly, but some can be updated on a biweekly basis. Depending upon whether your system is updated on a biweekly or quarterly basis has impact on Life Cycle Management.

Note

When promoting content it's best to have your source tenant and destination tenant on the same release versions. It's not possible to move content from a tenant that's on higher release to a tenant that's on a lower release version.

You can move content between tenants with a couple of different tools:

Content Network: The Content Network stores your exported packages in the cloud, where you can share the packages with other systems in your landscape, and manage the content and sharing settings. You can import content that's shared with your system, including private content as well as public samples, templates, and business content provided by SAP and its partners.
Deployment area: From here, you can export and import content as .tgz files.

To export and import content, you must have permissions to read, maintain, and share Life cycle data. The Admin and BI Admin standard application roles contain these permissions.

Next unit