Creating and Assigning Roles in SAP Analytics Cloud

Objectives

After completing this lesson, you will be able to:

  • Assign a team to a standard role
  • Create a custom role
  • Enable self-service role requests in a role

Working with Roles

In this lesson, we'll cover the following:

  1. An overview of roles, license types, and permissions.
  2. How to manually assign teams to roles.
  3. How to create a custom role from the Roles page.
  4. How to enable self-service requests in a role.
Note
If you are using a custom SAML identity provider, you can also use SAML attribute mapping to automatically assign roles to users based on their SAML attributes. This is covered later in the course in the Configuring Custom and Optional Authentication for SAP Analytics Cloud unit.

Working with Roles in SAP Analytics Cloud

Roles represent the main tasks that a user performs in SAP Analytics Cloud. For example, if a user needs to be able to open stories but doesn't need to create them, then you would assign them to the Viewer role. Watch this short video to learn more about roles in SAP Analytics Cloud.

Access the Roles Page

In SAP Analytics Cloud, roles are created and maintained in the Roles page.

You can access the Roles page from the Security option in the vertical menu, as shown in the following example.

SAP Analytics Cloud with Security selected in the vertical menu. Roles is also highlighted as one of the six Security options available to administrators.

Roles, License Types, and Permissions

Licenses

A license makes a specific set of features available to a user. A user with a Business Intelligence license may be able to create stories in SAP Analytics Cloud, but will not have access to any planning features.

Each user's license consumption is determined solely by the roles that they've been assigned. For example, a user who has been assigned only to the BI Admin standard role consumes only a single Business Intelligence license.

Roles

Roles allow you control over what features users can use and access in SAP Analytics Cloud.

Roles allow you to select a subset of the features available to a license type, and modify permissions to make features available, or restricted, to all users assigned to the role. For example, a user with a Business Intelligence license can be assigned a role that only allows them to view stories but not edit them.

Consuming License Types

A single role can consume only one license type.

A single user can consume more than one license type.

Licenses are assigned to users by their roles, either directly (based on the role they have been assigned) or through the roles assigned to their team. For example, User A is assigned two roles, the Analytics Hub Admin role that consumes an Analytics Hub license and the BI Admin role that consumes a Business Intelligence license. If a team is assigned two roles, then User B, as a member of the team consumes both of those licenses.

Image to accompany the examples provided in the preceding text.

Additional Information

For more information on license types, please visit Understanding License Types | SAP Help Portal.

Roles and Permissions

This topic is covered in detail in the Securing Content and Objects in SAP Analytics Cloud unit.

Using roles, content can be secured by:

  1. Object type permissions.
  2. Individual object permissions.

Object Type Permissions: An administrator can select the permissions included in a custom role, including permissions for individual objects, such as specific dimensions.

The following screenshot shows some of the permissions that can be set for each object type by role.

Role Permissions. The BI Content Creator role is used as an example.

Individual Object Permissions: The majority of the individual object permissions are handled using the sharing option available in the Files area of SAP Analytics Cloud by assigning individual object permissions to users or teams, however, for some SAP Analytics Cloud objects, permissions can be applied using roles.

Additional Information

For a complete list of permissions and what each permission allows a user to do, see Permissions | SAP Help Portal.

Assign Roles

Assign Teams and Users to Standard Roles

Select the link to assign the role. On the Assign Role To User dialog, select the available users and/or teams that you want to assign the role to, and select OK.

The change is saved and you are redirected to the Permissions page. In the screenshot below, you can see that 1 team and 1 user have been added to the BI Content Creator role.

The BI Content Creator role Permissions page with 1 team and 1 user highlighted at the top of the screen. You can see at the bottom of the screen a notification that users have been assigned to the role.

On the Roles page, the link to assign users is also updated to reflect the change.

The Roles page with the BI Content Creator role highlighted to show 1 team and 1 user has been added to the role.

Additional Information

For more information about assigning standard roles, please visit Assign Roles to Users and Teams | SAP Help Portal

Create a Custom Role

Create Roles

You can assign standard SAP Analytics Cloud roles to your users, however, we recommend creating custom roles with specific permissions based on your company's business requirements. Custom roles can easily be created by using the standard roles as a template.

There are two ways to create a custom role on the Roles page:

  1. Click Add in the tool bar to open the Create a New Role dialog where you select the License Type that will be used as the template for the role.
  2. Scroll down to the required License Type and select Create a New Role, automatically using it as a template.

Some key things to remember when creating custom roles in SAP Analytics Cloud:

  • The custom role must have a unique name that is different from the standard role it's based on.
  • Spaces are not allowed in the role name.
  • When assigning permissions for a custom role, permissions that belong to different license types may not be available to select. For example, if you chose the Planning Standard license type, the planning model permissions are not available, because those permissions are available only with the Planning Professional license type.
  • You can define the permissions for your new role for every activity – either for all objects of a business object type, or individually for every existing business object.
  • You can change the role template by selecting the Role Template icon in the Permissions toolbar.

Configure Role

Select Role Configuration if you want to define the options shown in the table below.

OptionDescription
Use as Default RoleThe default role is assigned to new users if no role is specified when users are imported or created. The Assign as option will not be visible if you don't have Concurrent session licenses in your system. Concurrent session licensing is only available for Business Intelligence license so the option will only show up for BI roles.
Full Data AccessIf you activate this option, any user who is assigned this role can see all the data of any model regardless of how the data access for the model is defined. Recommendation: Grant full data access carefully and only to selected users.
Enable Self-ServiceIf you activate this option, any business user can request this role for himself in the Request Roles dialog. This is covered in detail later in this lesson.

Assign Users and Teams

Assigning users and teams to custom roles follows the same process covered earlier in the lesson.

Create Custom Roles

Business Scenario

The teams have been created and now you need to create custom roles. You have been asked to create a new custom role for the HR users using the BI Content Creator role as a template and assign the HR_Adhoc_NA team to the new custom role.

In this practice exercise, you will:

  • Create a custom role from the Roles page using a role template.
  • Add a team to the role.
  • Modify the permissions for the new role.
  • View the new custom role on the Roles page.

Additional Information

For more information on creating roles in SAP Analytics Cloud, please visit Create Roles | SAP Help Portal.

Self-Service Role Requests

Request Missing Roles

To reduce the cost of system administration, roles can be configured so that every user can easily request missing roles in SAP Analytics Cloud. Another user with the appropriate authorization then approves the requested role assignment.

Role Configuration

The Enable Self-Service property must be enabled for a role. Only the roles that have been configured as self-service roles are available to the requester.

The Approver is defined in the Role Configuration and can be:

  • Manager: The user's manager as assigned in the Users list.
  • Other User: A user is selected from a list of available users. Any user with permission to change user data for the role can be selected.
From the Role, the Setting cog is selected. The Role Configuration dialog (shown) opens on screen. Enable Self-Service is selected with Manager as the Approver.

Request a Role

After a user sends the role request, the request is added to a queue and the approver receives a notification.

Selecting Request Roles in your user profile opens the Request Roles dialog. Self-Service Roles is select and the available roles to a user are displayed. In this example, HR_Users_OS is selected and for this role, user A00 is the designated Approver instead of the users manager.

The approver navigates to the Role Requests list in the Security area, select the user, and review the role request. They can approve or reject the request. If the request is rejected, approvers must submit a reason explaining why it was rejected.

  • Approve: The user is notified that the request is approved, and the role is immediately assigned to the user (they may need to refresh the system to see the changes).
  • Reject: The user is notified that the request is rejected with the reason specified.
After selecting Security in the vertical navigation menu, the approver can select Requests (highlighted, bottom). The screen visible is the Requests list. One request from user A07 for the HR_Users_OS role is listed. Once they select the request, the approve and reject buttons become available (highlighted, top)

Enable Self-Service Role Requests

Business Scenario

To reduce role administration, you have been asked to configure a role to enable self-service role requests. This will allow users to request the role and have it approved by an assigned approver, which in this case is the assigned manager, instead of each request having to be completed by the SAP Analytics Cloud administrator.

In this practice exercise, you will:

  • Access a previously created role from the Roles page.
  • Add Enable Self-Service using the Role Configuration dialog.

Additional Information

For more information on approving role requests in SAP Analytics Cloud, please visit Approve Role Requests for Your Users | SAP Help Portal.

Log in to track your progress & complete quizzes