Assign Roles to Users and Teams

As an administrator, you can assign roles to users and teams using a variety of methods. You can assign roles to multiple users or teams on the Roles or Permissions page for the role or directly to an individual user on the Users page.

Other ways that you can assign roles include, using a SAML mapping, importing users from a CSV file, and using an API to programmatically assign roles. You can also create new or edit existing roles so that SAP Analytics Hub roles and authorizations are dynamically assigned.

Who does this apply to?

System administrators who have the Create or Update permissions selected for the User and Team object types.

Note

For security reasons, you should assign roles to users via teams, instead of individually.
As a best practice, assign custom roles, instead of the standard application roles, to users.
If no role is assigned when users are created or imported, the default role is applied. For information about default roles, see Create Roles.

Note

You'll see a warning message if your SAP Analytics Cloud tenant has already exceeded the license limits. When you've reached the maximum license usage limit, you'll be restricted from assigning a role to users and teams. See, Manage License Usage Limits.

Assigning a Role to Multiple Users and Teams

Context

When you create or edit a role, you can also add multiple users or teams to that role. You can use either the Roles page or the Permissions page to assign a selected role.

The link for assigning users changes after users and teams are assigned. When a role is not assigned to any users, you can select the Assign Users link. When a role is already assigned to one or more users or teams, the link changes to show the number of users or teams. The following image of roles from the Roles page shows roles with (1) no assigned users or teams and (2) one assigned team and two assigned users.

Similarly, when editing a role on the Permissions page, the link changes to show the number of (1) users and (2) teams the role is assigned to.

Procedure

From the side navigation, select Security Roles.
For the role, select the link to assign the role.
On the Assign Role To User dialog, select the available users and teams that you want to assign the role to, and select OK.

The change is saved and you are redirected to the Permissions page. The link to assign users is updated to reflect the change.

Assigning or Updating an Individual User's Role

Context

When you create or edit a user, you can assign a role directly to the user on the Users page.

Procedure

From the side navigation, select Security Users.
For the row of the user you are creating or editing, go to the Roles column and select the icon.
On the Select User Roles dialog, select whether to assign one of the following types of roles:
- User License, where the user can log on and will always have access to the application.
- Concurrent Session License, where only a limited number of users can log on and have access to the application at one time.
For more information on these options, see Create Roles.
Select OK.

Setting a Default Role

Context

You can set one or more of the existing custom roles as the default roles. Default roles will be assigned to new users who are created without any role assignment.

Note

If no default role is defined, the minimum required permissions are assigned to a user. The user will be able to log in and request a role, but only if you have configured one or more roles for self-service, and assigned users a manager.

Procedure

From the side navigation, select Security Roles, and select an existing role.
Select (Role Configuration).
Select Use as Default Role.
Select OK.

Mapping Roles Using SAML Attributes

Prerequisites

SAML must be enabled in SAP Analytics Cloud.
Your custom SAML Identity Provider (IdP) must be configured, and you should be able to log in to your tenant without problems.
A new assertion consumer service endpoint to your identity provider must be added. For more information, see step 6 in Enable a Custom SAML Identity Provider.

Context

You can use a SAML role mapping to automatically assign roles to users based on their SAML attributes.

Procedure

From the side navigation, select Security Roles, and select a role.
Select (Open SAML Role Mapping).
On the Create SAML Mapping dialog, under Conditions, select a SAML Attribute, select a Condition, and, if required, enter a Value.
(Optional) Select (New mapping definition) to add additional mappings to the role assignment.
1. For each additional mapping, under Conditions, select a SAML Attribute, select a Condition, and, if required, enter a Value.
2. Under Conditions Logic, select AND or OR.
  
  If AND is selected, the conditions for all attributes must be met for the mapping to be applied. If OR is selected, the conditions for only one of the attributes must be met for the mapping to be applied.

Results

The selected role will be applied to all users who meet the specified conditions when logging onto SAP Analytics Cloud via SAML authentication. If the selected role was previously assigned to a user, but the user does not meet the specified conditions, the role will be revoked when the user logs on.

Assigning SAP Analytics Hub Roles Dynamically

Prerequisites

You must have an SAP Analytics Hub license to grant SAP Analytics Hub authorizations to new and existing roles.
Your current system must also be subscribed to an SAP Analytics Hub system; to verify, check whether Analytics Hub is available from the product switch in the upper-right corner: .

Context

You can dynamically assign SAP Analytics Hub authorizations to roles in your system. With these roles, you want to make sure all users who are assigned the role have, at the very least, authorization to read assets. These roles would typically be assigned to users who need to work with content in SAP Analytics Hub.

Tip

For SAP Analytics Hub, you can have two different types of roles: content editors or validators. For more information, see Create Roles.

These instructions are for editing roles for content validators.

Procedure

From the side navigation, select Security Roles, and open an existing custom role.
Go to the Analytics Hub Assets row and select the Read permission checkbox.

Note
You cannot assign Read permission to standard SAP Analytics Cloud roles.
Choose (Role Configuration).
In the Role Configuration dialog, select the Use as Default Role checkbox and select OK.

This option assigns this default role to new users if no other role is specified when users are imported or created.
Save the changes to the role.
Go back to the Roles page to confirm that the role is set as a default role.
To create a new role so it can assign SAP Analytics Hub authorizations dynamically, follow the steps for creating a custom role (see Create Roles) and make sure to set the following:
- Go to the Analytics Hub Assets row and select the Read permission checkbox.
- In the Role Configuration dialog, select the Use as Default Role checkbox.
When you are finished creating the role, go back to the Roles page to confirm that the role is set as a default role.

Assigning Roles When Importing Users

When you import users from a CSV file, you can assign roles during the import process. The roles that you assign, must already have been created and exist in the system. In the CSV file, make sure that for each user you import, the Roles parameter has a valid entry. For more information, see Create Users.

Tip

If needed you can change the roles for several users by importing data for existing users. For more information, see Modify Users.

Assigning Roles Programmatically

You can assign roles programmatically using the SAP Analytics Cloud REST API. For more information, see SAP Analytics Cloud REST API.