Creating and Assigning Roles in SAP Analytics Cloud

In this lesson, we'll cover the following:

1. An overview of roles, license types, and permissions.
2. How to manually assign teams to roles.
3. How to create a custom role from the Roles page.
4. How to enable self-service requests in a role.

Roles represent the main tasks that a user performs in SAP Analytics Cloud. For example, if a user needs to be able to open stories but doesn't need to create them, then you would assign them to the Viewer role. Watch this short video to learn more about roles in SAP Analytics Cloud.

In SAP Analytics Cloud, roles are created and maintained in the Roles page.

You can access the Roles page from the Security option in the vertical menu, as shown in the following example.

A license makes a specific set of features available to a user. A user with a Business Intelligence license may be able to create stories in SAP Analytics Cloud, but will not have access to any planning features.

Each user's license consumption is determined solely by the roles that they've been assigned. For example, a user who has been assigned only to the BI Admin standard role consumes only a single Business Intelligence license.

Roles allow you control over what features users can use and access in SAP Analytics Cloud.

Roles allow you to select a subset of the features available to a license type, and modify permissions to make features available, or restricted, to all users assigned to the role. For example, a user with a Business Intelligence license can be assigned a role that only allows them to view stories but not edit them.

A single role can consume only one license type.

A single user can consume more than one license type.

Licenses are assigned to users by their roles, either directly (based on the role they have been assigned) or through the roles assigned to their team. For example, User A is assigned two roles, the Analytics Hub Admin role that consumes an Analytics Hub license and the BI Admin role that consumes a Business Intelligence license. If a team is assigned two roles, then User B, as a member of the team consumes both of those licenses.

For more information on license types, please visit Understanding License Types | SAP Help Portal.

This topic is covered in detail in the Securing Content and Objects in SAP Analytics Cloud unit.

Using roles, content can be secured by:

1. Object type permissions.
2. Individual object permissions.

Object Type Permissions: An administrator can select the permissions included in a custom role, including permissions for individual objects, such as specific dimensions.

The following screenshot shows some of the permissions that can be set for each object type by role.

Individual Object Permissions: The majority of the individual object permissions are handled using the sharing option available in the Files area of SAP Analytics Cloud by assigning individual object permissions to users or teams, however, for some SAP Analytics Cloud objects, permissions can be applied using roles.

For a complete list of permissions and what each permission allows a user to do, see Permissions | SAP Help Portal.

Select the link to assign the role. On the Assign Role To User dialog, select the available users and/or teams that you want to assign the role to, and select OK.

The change is saved and you are redirected to the Permissions page. In the screenshot below, you can see that 1 team and 1 user have been added to the BI Content Creator role.

On the Roles page, the link to assign users is also updated to reflect the change.

For more information about assigning standard roles, please visit Assign Roles to Users and Teams | SAP Help Portal

You can assign standard SAP Analytics Cloud roles to your users, however, we recommend creating custom roles with specific permissions based on your company's business requirements. Custom roles can easily be created by using the standard roles as a template.

There are two ways to create a custom role on the Roles page:

1. Click Add in the tool bar to open the Create a New Role dialog where you select the License Type that will be used as the template for the role.
2. Scroll down to the required License Type and select Create a New Role, automatically using it as a template.

Some key things to remember when creating custom roles in SAP Analytics Cloud:

• The custom role must have a unique name that is different from the standard role it's based on.
• Spaces are not allowed in the role name.
• When assigning permissions for a custom role, permissions that belong to different license types may not be available to select. For example, if you chose the Planning Standard license type, the planning model permissions are not available, because those permissions are available only with the Planning Professional license type.
• You can define the permissions for your new role for every activity – either for all objects of a business object type, or individually for every existing business object.
• You can change the role template by selecting the Role Template icon in the Permissions toolbar.

Select Role Configuration if you want to define the options shown in the table below.

Assigning users and teams to custom roles follows the same process covered earlier in the lesson.

To reduce the cost of system administration, roles can be configured so that every user can easily request missing roles in SAP Analytics Cloud. Another user with the appropriate authorization then approves the requested role assignment.

The Enable Self-Service property must be enabled for a role. Only the roles that have been configured as self-service roles are available to the requester.

The Approver is defined in the Role Configuration and can be:

• Manager: The user's manager as assigned in the Users list.
• Other User: A user is selected from a list of available users. Any user with permission to change user data for the role can be selected.

After a user sends the role request, the request is added to a queue and the approver receives a notification.

The approver navigates to the Role Requests list in the Security area, select the user, and review the role request. They can approve or reject the request. If the request is rejected, approvers must submit a reason explaining why it was rejected.

• Approve: The user is notified that the request is approved, and the role is immediately assigned to the user (they may need to refresh the system to see the changes).
• Reject: The user is notified that the request is rejected with the reason specified.