Create Roles

SAP Analytics Cloud, by default, includes some standard application roles. As a best practice, you can use these roles as templates for creating custom roles for different departments within your organization.

Who does this apply to?

System administrators with the Create permission for Role.

Note

You can't delete or save changes to the predefined standard roles.

Creating a Custom Role

Context

Using a template will help you save time since many of the object type permissions will already be set up, and you won’t have to search for the object type and select the permissions.

Procedure

From the side navigation, select Security Roles, and choose (Add Role) to add a new row to the roles management table.

Tip

If you go to a license type section on the Roles page and select the Create a New Role link, the license type is automatically selected on the Create a New Role dialog.
In the Create a New Role dialog, enter a unique name for the role and an optional description.

Note
Empty spaces between words is not allowed. You can separate words by using the underline (_) character.
Select the license type.

The selected license type will be given to all users assigned the role.
Select Create.
In the Select a Role Template dialog, select a template.

The role templates available are based on the standard roles associated with the license type you selected. You can also, start with a blank template.

After you select a template, the Permissions page appears, showing you the individual object types and the permissions defined for the role template you chose. If you selected a blank template, all available object types do not have any permissions defined.

Tip

To change the role template, select (Select Template), and choose a different role template.
Define the permissions for each object type in the new role (either for all objects of a business object type, or individually for every existing business object).

For example, to define a user who is allowed to read all data change logs, find the Data Change Log row and select the Read checkbox. The permission is automatically passed on to all existing logs.

For more information about permissions, see Permissions. For information about what permissions are included in a particular role, see Standard Application Roles.

For creating roles for SAP Analytics Hub, see below.
(Optional) If you have existing models that use the Model Data Privacy feature, choose the Select Model tab and search for models so that you can add rules to explicitly grant permission to models that would only be available to the model creator.

Tip

Different license types area available for analytic and planning models. For more information, see Features by License Type for Analytic Models and Features by License Type for Planning Models

Choose

(Role Configuration) to configure the role in the Role Configuration dialog:

Option	Description
Use as Default Role	Assigns this role to users if no other role is assigned to them. If needed, you can select this option for multiple roles. After you select this option, select the type of license available to the user with the associated role: User License, where the user can log on and will always have access to the application. (Default) Concurrent Session License, where only a limited number of users can log on and have access to the application at one time. The license can be assigned to many users, but the number of simultaneous user sessions cannot exceed the number purchased. Note Multiple browser windows consume multiple concurrent sessions, but multiple tabs in one browser window consume one concurrent session. License threshold changes are enforced once a day. For example, if an administrator changes the concurrent user threshold count from 5 to 10, the number of concurrent users allowed in the system will still be 5, until the next day, when it is updated to 10 users. Administrators can see the number of concurrent licenses being consumed in the System Monitor area. Depending on your needs, you can set more than one role as default. If no role is set as default, all users are assigned the minimum required permissions where they can log on and request a role. Users can request default roles if the roles are not already assigned to them.
Full Data Access	Users assigned this role can see all the data of any model regardless of how the data access for the role is defined. Note Grant full data access carefully and only to certain users.
Enable Self Service	Any user can request this role for themselves by using the Request Roles dialog. For more information, see Request Roles. When a user requests the role, you can select who can approve the role assignment: Manager: The user’s manager would approve the request. When this option is used, a manager must be assigned to the user. You can assign a manager to a user on the Users page. Note Only the user's manager or specified users can approve requests for a roles. If the approving users are not available, the role requests remain in the queue until they are available to approve the role requests. For example, Manager 1 is the manager for User A. Manager 1 is away from the office for a week. During the week that Manager 1 is away, User A submits a request for Role X, which must be approved by the user's manager. The request for the role will remain in the queue until Manager 1 is available and can review the role request. For more information, see Approve Role Requests for Your Users. Other User: A specific user that you select would approve the request. Tip When the Other User option is selected, select more than one user as the approver. This will ensure that if one of the approvers is not available, the other approver can review any pending role requests.

Option

Description

Use as Default Role

Assigns this role to users if no other role is assigned to them. If needed, you can select this option for multiple roles. After you select this option, select the type of license available to the user with the associated role:

User License, where the user can log on and will always have access to the application. (Default)
Concurrent Session License, where only a limited number of users can log on and have access to the application at one time. The license can be assigned to many users, but the number of simultaneous user sessions cannot exceed the number purchased.

Note

Multiple browser windows consume multiple concurrent sessions, but multiple tabs in one browser window consume one concurrent session. License threshold changes are enforced once a day. For example, if an administrator changes the concurrent user threshold count from 5 to 10, the number of concurrent users allowed in the system will still be 5, until the next day, when it is updated to 10 users. Administrators can see the number of concurrent licenses being consumed in the System Monitor area.

Depending on your needs, you can set more than one role as default. If no role is set as default, all users are assigned the minimum required permissions where they can log on and request a role. Users can request default roles if the roles are not already assigned to them.

Full Data Access

Users assigned this role can see all the data of any model regardless of how the data access for the role is defined.

Note

Grant full data access carefully and only to certain users.

Enable Self Service

Any user can request this role for themselves by using the Request Roles dialog. For more information, see Request Roles.

When a user requests the role, you can select who can approve the role assignment:

Manager: The user’s manager would approve the request. When this option is used, a manager must be assigned to the user. You can assign a manager to a user on the Users page.

Note

Only the user's manager or specified users can approve requests for a roles. If the approving users are not available, the role requests remain in the queue until they are available to approve the role requests. For example, Manager 1 is the manager for User A. Manager 1 is away from the office for a week. During the week that Manager 1 is away, User A submits a request for Role X, which must be approved by the user's manager. The request for the role will remain in the queue until Manager 1 is available and can review the role request. For more information, see Approve Role Requests for Your Users.
Other User: A specific user that you select would approve the request.

Tip

When the Other User option is selected, select more than one user as the approver. This will ensure that if one of the approvers is not available, the other approver can review any pending role requests.

(Optional) Assign the role to existing users or teams by selecting the Assign Users link and on the Assign Role to User dialog, selecting one or more users or teams.

Tip

To assign roles to an individual user, you can use the Users page. For more information, see Assign Roles to Users and Teams.

Note

You'll see a warning message if your SAP Analytics Cloud tenant has already exceeded the license limits. When you've reached the maximum license usage limit, you'll be restricted from assigning a role to users and teams. See, Manage License Usage Limits.
Save the custom role.

Note

Custom roles will have IDs in the following format:

PROFILE:<t.#>:<role_name> where t.# is the Content Namespace listed in System Administration System Configuration. You must use the role ID when importing role assignments from CSV or assigning roles via the SAP Analytics Cloud REST API.

For more information, see Create Users or SAP Analytics Cloud REST API.

Creating Custom SAP Analytics Hub Roles

Context

To ensure more control over the lifecycle of content in SAP Analytics Hub, you can create two custom roles: Content Editor and Content Validator. When you create these two interrelated roles, use the Analytics Hub Content Creator role template, and change the permissions as described for each custom role. The Analytics Hub Content Creator role grants all content management authorizations to users assigned to this role.

To be able to grant these custom roles, you must have an SAP Analytics Hub license.

Content Editor Role

The Content Editor role includes all authorizations to read, create, and update assets. This role is usually assigned to users who provide content in SAP Analytics Hub. When you create this custom role, set the permissions for the Analytics Hub Assets and Analytics Hub Structures rows as follows:

Permission	Create	Read	Update
Analytics Hub Assets	✓	✓	✓
Analytics Hub Structures		✓
Team		✓
User		✓

Content Validator Role

The Content Validator role includes all authorizations to read assets, and to validate or reject draft assets sent for review that are created by Content Editors. You typically assign this role to users who check the quality of the content displayed in the SAP Analytics Hub. When you create this custom role, set the permissions for the Analytics Hub Assets row as follows:

Permission	Read	Delete	Execute
Analytics Hub Assets	✓	✓	✓
Team	✓
User	✓

Note

For the Content Validator role, you do not need to select any permission for the Analytics Hub Structures row.

For both the Content Creator and Content Validator roles, the Read setting for the User and Team rows must be selected.