Understand Licenses, Roles, and Permissions

This is an overview of how licenses, roles, and permissions work in SAP Analytics Cloud.

SAP Analytics Cloud uses licenses, roles, and permissions to manage application security and capabilities. Licenses determine which features are available to users. Roles are collections of permissions that allow you control the features you make available to selected users. Permissions are authorizations that can be granted to give access to resources, or individual objects in SAP Analytics Cloud.

The following diagram provides an example of how licenses, roles, and permissions work in SAP Analytics Cloud. User A is granted both the BI Admin role and BI Content Creator role. Because both roles are associated with a Business Intelligence license, User A is also assigned a Business Intelligence license. Team 1 is assigned the BI Content Creator role, so all users that belong to Team 1 are granted the BI Content Creator role, and also assigned a Business Intelligence license.

This image is interactive. Hover over each area for a description.

User A is assigned both a BI Admin and BI Content Creator role. User A is also assigned a Business Ingelligence license. Team 1 is assigned a BI Content Creator role. User B inherits a BI Content Creator role from Team 1 and the associated Business Ingeliligence license. User C inherits a BI Content Creator role from Team 1 and the associated Business Ingeliligence license. The BI Content Creator role is associated with a Business Intelligence license. This role is a collection of permissions that allows users to create and edit content. The BI Admin role is associated with a Business Intelligence license. This role is a collection of permissions that allow users to perform Admin duties. A Business Intelligence license is associated with multiple roles, including standard application roles such as BI Admin and BI Content Creator, and any custom roles you create.

Understanding Licenses

A license makes a specific set of features available to a user.

The licenses available depend on what was purchased for your SAP Analytics Cloud system. For example, a user with a Business Intelligence license may be able to create stories in SAP Analytics Cloud, but will not have access to any planning features.

All users must have a license. When a new user is created, the roles assigned to the user determine the license type that they consume. An administrator may assign a different role to users after they are created, and their license assignment may change. A user can only be assigned one license, plus licenses for any purchased add-ons such as the SAP Analytics Hub, or the SAP Digital Boardroom. For example, a user with a Business Intelligence license, may also be assigned a license to use the SAP Analytics Hub.

Licenses may be named or concurrent. With named licensing, each user in the system is assigned a single license. With concurrent licensing, a set number of licenses are available on the system. Concurrent users are automatically assigned a license only when they are logged on to the system. Licenses are freed if they are not in use, and more users may be added to the system than the number of concurrent licenses that were purchased. If the number of users attempting to log onto the system exceeds the number of concurrent licenses available, they may not be able to log on.
Note

Only Business Intelligence licenses can be concurrent.

License types available in SAP Analytics Cloud:

  • Business Intelligence

  • Business Intelligence Restricted

  • Concurrent - Business Intelligence

  • Planning Standard

  • Planning Professional

License add-ons:
  • Analytics Hub

  • Digital Boardroom

For detailed information on the specific features that are available for each license type, see Features by License Type for Analytic Models and Features by License Type for Planning Models.

Note
Every system has one system owner. The system owner does not consume a license and is granted all rights across all available licenses types. To learn more about changing the system owner, see Transfer the System Owner Role.

Understanding Roles

Roles allow you control over what features users can use and access in SAP Analytics Cloud.

Roles allow you to select a subset of the features available to a license type, and modify permissions to make features available, or restricted, to all users assigned to the role. For example, a user with a Business Intelligence license can be assigned a role that only allows them to view stories but not edit them.

Roles may be created for the following license types:
  • Business Intelligence

  • Business Ingelligence Restricted

  • Planning Standard

  • Planning Professional

  • Analytics Hub

Note

The Digital Boardroom add-on does not support roles.

The following diagram provides an example of how roles can be assigned to users and teams. User A is granted both the Analytics Hub Admin role and BI Admin role. Because of these role assignments, User A is also assigned both an Analytics Hub License and a Business Intelligence license. Team 1 is assigned the BI Content Creator role, so all users that belong to Team 1 are granted the BI Content Creator role, and also assigned a Business Intelligence license.

This image is interactive. Hover over each area for a description.

User A is assigned both an Analytics Hub Admin and BI Admin role. User A is also assigned the associated Analytics Hub license and Business Intelligence license. Team 1 is assigned the BI Content Creator role. User B inherits a BI Content Creator role from Team 1 and the associated Business Ingeliligence license. User C inherits a BI Content Creator role from Team 1 and the associated Business Ingeliligence license. An Analytics Hub license is associated with multiple roles, including standard application roles such as Analytics Hub Content Creator and Analytics Hub Admin, and any custom roles you create. A Business Intelligence license is associated with multiple roles, including standard application roles such as BI Admin and BI Content Creator, and any custom roles you create.

Types of Roles

SAP Analytics Cloud is delivered with several standard application roles, but you may also create custom roles. One standard application role can be assigned as the default for all new users, but an administrator may assign another role to a user at any time. Users may be assigned multiple roles.

Standard Application Roles

Standard application roles represent the main tasks that a user might perform. They are automatically updated whenever new application rights are added to the system. For more information about standard application roles, see Standard Application Roles. Each standard application role is associated with one license type, and when a user is given that role, they are assigned the corresponding license. You can see the roles and licenses assigned to users on the Users page in SAP Analytics Cloud.
Note
One user must always be designated the System Owner role.

Custom Roles

You can create custom roles if the standard application roles included with your licenses are not sufficient for your uses. When you create a new role you must choose the license type it is associated with. It is reccomended that you create custom roles using an existing Standard Application Role as a template, and modify individual permissions, before saving it as a new role. However, you can also start with a blank template. For more information, see Creating Custom Roles.

Default Roles

Each license type may be assigned one default role. The default role may be either a standard application role or a custom role. New users who are created without a role assigned will automatically be assigned to the default role. For more information, see Assign Roles to Users and Teams.

Note

If no default role is defined, the minimum required permissions are assigned to a user. Users will be able to log in and request a role, but only if you have configured one or more roles for self-service, and have assigned users a manager. For more information, see Approve Role Requests for Your Users.

Choosing Between Assigning Roles to Users or Teams

As an administrator, you'll need to choose between assigning roles to individual users or teams. When to assign roles to users or teams:
  • If you've created a custom role and want to assign it to a particular user, you can assign the role directly using the Users page. If you want to assign a role to a specific list of users, you can also assign roles to multiple users using a SAML Mapping.
    Note

    Only the system owner can edit SAML configurations in the system. To learn more about how to map roles using SAML attributes, see Mapping Roles Using SAML Attributes.

  • If you want to assign roles to multiple users who will be working on similar tasks, or to allow users to share stories and files with their team members, assigning roles to a team allows all team members to inherit the roles assigned to the team. For more information, see Assign Roles to Users and Teams

Note

If you want to see which users are in a certain team or a role, you can use the Monitoring page in SAP Analytics Cloud or the User and Team Provisioning API. For more information, see Monitor System Usage.

Understanding Permissions

Permissions are authorizations provided to allow a user to perform a certain task or access a specific resource in the system.

Permissions are sometimes called privileges or rights. They include: Create, Read, Update, Delete, Execute, Maintain, Share, and Manage. For example, a user who wants to publish content to the Catalog would need the Execute permission for publishing content. A user who wants to change the contents of a model would need the Update permission for that model. For detailed information on what permissions are available, see Permissions.

Roles are collections of permissions that can be assigned to users. You can assign permissions based on standard user roles, for example Admin or Viewer, but if some of your users don't fit any of the included standard application roles, you can create custom roles with the exact permissions you choose.

You can also assign files and folder permissions to users or teams using sharing settings, instead of roles. However, sharing is best used only for individual files and folders. For details, see Share Files or Folders.

The following diagram shows an example of how permissions are granted to users and teams. User A is granted the BI Admin role, and permissions to access My Folder. Team 1 is assigned permissions to My Folder and the BI Content Creator role. All users that belong to Team 1 are granted permissions to My Folder, and assigned the BI Content Creator role, in addition to any roles or permissions they have been granted individually.

This image is interactive. Hover over each area for a description. Click highlighted areas for more information.

User A is granted all permissions included in the BI Admin role, and permissions to view or edit the contents of My Folder. Team 1 is granted all permissions included in the BI Content Creator role, and permissions to view or edit the contents of My Folder. User B inherits all permissions included in the BI Content Creator role, and permission to view or edit the contents of My Folder. User C inherits all permissions included in the BI Content Creator role, and permission to view or edit the contents of My Folder. The BI Admin role is a collection of permissions that allow users to perform Admin duties. My Folder is shared with User A and Team 1 The BI Content Creator role is a collection of permissions that allows users to create and edit content.

Types of Permissions

There are two types of permissions:
  • Object Type Permissions: For most SAP Analytics Cloud objects, permissions apply to all objects of a particular type. For example, if you grant a user the Read permission for Digital Boardroom objects, that user can open and view any Digital Boardroom presentations that have been shared with them.

  • Individual Type Permissions: You may want to grant permissions only for objects that users already own. For example, if you grant users the Delete permission for dimension objects, those users can delete any dimensions they own.