Process Insights Application Settings (Process Insights Administrator)

Objective

After completing this lesson, you will be able to explain the administrator's tasks in the application SAP Signavio Process Insights.

Configure Access in SAP Signavio Process Insights

Banner to show Step 1 of Administrators Collaboration
The graphic shows three persons in the upper part. They represent the different administrators for the source systems, SAP Signavio Process Insights, and BTP. In the lower part, the systems or platforms are visualized, with their relationships represented by arrows. In addition, the 5 steps of collaboration between these persons are shown on a timeline. These steps need to be performed twice, for test and production.

In this section, step 5 is considered in the interaction of administrators.

This section of the course is relevant for: SAP Signavio Process Insights Administrators

The administrators for the source system, the network and SAP BTP have finished their tasks and the SAP Signavio Process Insights tenant is available. Source systems have been connected to the tenant and data load has been triggered.

To allow users to see and work with the loaded data, some final settings need to be performed in the application SAP Signavio Process Insights itself.

In SAP Signavio Process Insights, the application administrator configures which users are authorized to access data for each source system or system/client combination. For SAP on-premise source systems, you can also configure data access based on organizational attributes.

The default user access to new systems or system/client combinations connected is "No Users". This means that once a system is connected, you need to explicitly grant system access to users who are permitted to access your tenant.

Authorization Concept on SAP BTP and in SAP Signavio Process Insights

The image shows the authorization concept on SAP BTP in the lower section and the settings in the SAP Signavio Process Insights application itself in the upper section, where either all users can be allowed per system or only named users can be allowed via policies.

On the Access Configuration tab of the Administration screen of the SAP Signavio Process Insights application, you can allow and restrict user access to data in different ways:

  • system-based (for system / client) - to allow access to this system for all users
  • attribute-based (to configure access to specific data for organizational attributes for the specific source system) - only named users get access to the data of this system (this feature is only available for on-premise source systems)

If you want to restrict access for specific users in a more granular way based on data attributes, you create an authorization policy to give attribute-based access. When you use the "Configure Access" or "Create Policy" feature of SAP Signavio Process Insights to configure access for specific users, any authorizations granted are in addition to the authorizations assigned based on role collections in SAP BTP.

Hint

When you make any changes to user access, keep in mind that these changes don't show up immediately on the user interface because of cached data. The changes only take effect when users refresh the browser page of their open SAP Signavio Process Insights session. So, it's a good idea to plan your changes for times when users are less likely to be using the application.

The image shows the Access Configuration tab in the administration view of SAP Signavio Process Insights. A list of connected source systems allows the configuration of data access.

Follow these steps to configure access:

  1. On the Administration screen, choose the Access Configuration tab.
  2. In the table shown, go to the row for the system for which you want to configure access.
  3. Choose Allow Access to All Users, Create Access (for SAP Ariba source systems), or Create Policy (for SAP on-premise source systems) to configure which users are permitted access.

Hint

Please read the details and limitations of attribute-based access rules in the documentation before you start to define your "Policy": Attribute-Based Access Rules.

The image shows the table entries for a) SAP ECC or SAP S/4HANA systems and b) for SAP Ariba systems.

SAP ECC and SAP S/4HANA Source Systems

The image shows the configuration screens for 'Create Policy'.

For on-premise systems you can:

  • Allow all users access to the system / client combination
  • Restrict access to named users only via a policy. Additionally, you can further restrict the access to supported organizational units. Multiple policies can be created.

You can use the Create Policy feature to configure attribute-based access to data from source systems. This feature allows you to configure system-based access for specific users and also to configure attribute-based access, which involves configuring access to data based on the organizational attributes for the specific source system.

The following restrictions apply when you configure attribute-based access:

  • You can create an authorization policy to configure attribute-based access only for SAP on-premise source systems connected to SAP Signavio Process Insights. Attribute-based access isn't supported for any SAP Ariba source systems connected.
  • You can create an authorization policy only when the Allow Access to All Users option is deactivated and access to the system is restricted. Attribute-based access can't be configured for a source system when all users with access to your tenant can access the data for that specific source system/client combination.
  • In each authorization policy, you can select up to 200 values for each organizational attribute supported.
  • A user can't be included in more than one authorization policy for each source system/client combination at a time.
  • If a user has the DATA_PRIVACY_ADMIN role in addition to roles for a business user, any attribute-based access restrictions you define in your authorization policy don't apply to this user.
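
The restrictions above can be checked against a planned set of policies before anything is entered in the Create Policy wizard. The following Python sketch is an added example, not SAP code and not an SAP API: the dictionary layout, the type labels, the finding codes and the function names `split_users` and `review_plan` are assumptions made for illustration, and the systems, users and values are constructed.

```python
import re
from collections import defaultdict

MAX_VALUES = 200                    # per attribute and policy, as stated in this lesson
ON_PREMISE = {"ECC", "S4HANA"}      # type labels chosen for this example
ALL_VALUES = "ALL"                  # stands in for "All Attribute Values"

def split_users(text):
    """Split a pasted user list on commas, spaces, or semicolons."""
    return [u for u in re.split(r"[,;\s]+", text.strip()) if u]

def review_plan(systems, policies, privacy_admins=frozenset()):
    """Return (code, detail) findings for a planned access configuration."""
    findings = []
    assigned = defaultdict(dict)    # system key -> {user: policy name}
    for pol in policies:
        key, name = pol["system"], pol["name"]
        system = systems[key]
        if system["type"] not in ON_PREMISE:
            findings.append(("NOT_ON_PREMISE", f"{name}: {key} is {system['type']}"))
        if system["allow_all"]:
            findings.append(("ALLOW_ALL_ACTIVE", f"{name}: {key} is open to all users"))
        for attr, values in pol["rule"].items():
            if values != ALL_VALUES and len(values) > MAX_VALUES:
                findings.append(("TOO_MANY_VALUES", f"{name}: {attr} has {len(values)}"))
        for user in split_users(pol["users"]):
            if user in assigned[key]:   # one policy per user and system/client
                findings.append(("DUPLICATE_USER", f"{user}: {assigned[key][user]}, {name}"))
            assigned[key][user] = name
            if user in privacy_admins:  # holders of DATA_PRIVACY_ADMIN
                findings.append(("RESTRICTION_BYPASSED", f"{user}: rule of {name} not applied"))
    for key, system in systems.items():  # default for a new system is "No Users"
        if not (system["allow_all"] or assigned[key] or split_users(system.get("named_users", ""))):
            findings.append(("NO_USERS", f"{key}: nobody can access this data yet"))
    return findings

# Constructed sample plan; system keys, user IDs and attribute values are invented.
SYSTEMS = {
    "PRD/100": {"type": "S4HANA", "allow_all": False},
    "QAS/200": {"type": "ECC", "allow_all": True},
    "ARIBA-1": {"type": "ARIBA", "allow_all": False},
}
POLICIES = [
    {"name": "EMEA-Finance", "system": "PRD/100", "users": "alice@example.com; bob@example.com",
     "rule": {"company_code": ["1000", "2000"], "plant": ALL_VALUES, "sales_org": ALL_VALUES}},
    {"name": "EMEA-Sales", "system": "PRD/100", "users": "bob@example.com,carol@example.com",
     "rule": {"company_code": ALL_VALUES, "sales_org": [f"S{i:03d}" for i in range(201)]}},
    {"name": "QA-All", "system": "QAS/200", "users": "dave@example.com", "rule": {"plant": ALL_VALUES}},
]
print(*review_plan(SYSTEMS, POLICIES, privacy_admins={"carol@example.com"}), sep="\n")
```

A `RESTRICTION_BYPASSED` finding is worth a second look in review: the named user sees data outside the rule you defined, so the policy does not narrow that user's access.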

Hint

Please always check the latest version of the documentation for system-specific rules for attribute-based access: Attribute-Based Access Rules.

Procedure

  • On the Administration screen, choose the Access Configuration tab.
  • In the table shown, go to the row for the SAP on-premise source system for which you want to configure access.
  • With Allow Access to All Users deactivated, choose Create Policy to open the wizard where you can configure which data a specified list of users is permitted to access.
  • Name the policy. You enter a unique and descriptive name for the policy.
  • Create a rule that defines what data authorized users can access. You create this rule by selecting attribute values for the organizational attributes for company code, plant, or sales organization. If you don't want access to data to be restricted for an attribute, you select All Attribute Values for that attribute to grant users access to all existing values and any values added to your source system later.
  • Specify one or more users to be included in the authorization policy. As part of the authorization policy that you're creating, you enter the users who are to be permitted to access the system and data you defined.
  • Review and confirm that you want to create the policy. You review the details for the policy and make any changes you require before creating the policy.

SAP Cloud (SAP Ariba) Source Systems

The image shows the configuration screen for 'Configure Access'.

For cloud systems (SAP Ariba) you can:

  • Allow all users access to the SAP Ariba system
  • Restrict the access via Access Configuration to only allow named users access to the data.

Now you're on

The banner indicates that tasks need to be completed.

Maintain the "Access Configuration" for each connected source system / client combination.

By default no user (with access to your tenant) can access the data for the specified source system or system/client combination.

For on-premise systems (SAP ECC and SAP S/4HANA)

  • switch on the toggle to allow access to all users

    Result: All users with access to your tenant can access the data for the specified source system or system/client combination.

  • or define a "Policy" to restrict access to named users only. Additionally, you can define attribute-based access.

    Result: Only named users have access to the system / client data. Additionally, attribute-based access can be defined.

For cloud systems (SAP Ariba)

  • switch on the toggle to allow access to all users

    Result: All users with access to your tenant can access the data for the specified source system or system/client combination

  • or define an "Access Configuration" to restrict access to named users only.

    Result: Only named users have access to the system / client data.

Hint

You can enter multiple users at the same time by separating them with commas, spaces, or semicolons.

Congratulations

You have now completed this Onboarding for Administrators e-learning. When you have finished all exercises you have also completed the steps to set up the SAP Signavio Process Insights Tenant and configured the regular loading of data.

Congratulations.

You can now invite end users to the tenant and use SAP Signavio Process Insights productively.