Permissions
An administrator can select the individual permissions included in a custom role, including permissions for individual objects, such as specific dimensions.
You can assign permissions based on standard user roles, for example Admin or Viewer, but if some of your users don't fit any of the included standard roles, you can create custom roles with the exact permissions you choose.
If you want to assign permissions based on standard roles, see Standard Application Roles. To create custom roles, see Create Roles.
This help topic explains the permissions in detail.
Object-type permissions
For most SAP Analytics Cloud objects, permissions apply to all objects of a particular type. For example, if you grant a user the Read permission for Digital Boardroom objects, that user can open and view any Digital Boardroom presentations that have been shared with them.
- When assigning permissions for a custom role, permissions that belong to different license types may not be available to select. For example, if you chose the Planning Standard license type, the Planning Model permissions are not available, because those permissions are available only with the Planning Professional license type.
- The Business Intelligence Standard license permissions are a subset of the Planning Standard license permissions, which are a subset of the Planning Professional license permissions. For more information, see Features by License Type for Planning Models.
Permission | Meaning |
---|---|
Create | Permits creating new objects of this item type. Users need this permission to create files and folders or upload data to an object, such as models, stories, point of interest, and others. If you grant users the Create object-type permission, be sure to also grant the Read object-type permission, so that users can access the objects they create. When granted on Uploaded Files, allows users to upload local files to the tenant. For details, see the notes for Uploaded Files. |
Read | Permits opening and viewing an item and its content. |
Update | Permits editing and updating existing items, including the structure of models and dimensions. Compare this permission with the Maintain permission, which doesn't allow changes to the data structure. Note: some object types need the Maintain permission to update data. See the Maintain entry. |
Delete | Permits deletion of the item. |
Execute | Permits executing the item to run a process. For example, running a simulation using a legacy Value Driver Tree, or acquiring data from a data source. |
Maintain | Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure. Compare this permission with the Update permission, which does allow changes to the data structure. When granted on Dimension objects, permits updating of dimension members. When granted on Planning Model and Analytic Model objects, permits updating of both fact data and members of embedded (private) dimensions. When granted on Lifecycle objects, permits importing and exporting objects. When granted on Connection, the and pages are visible. When granted on Data Locking, permits the changing of a lock state for data slices. |
Share | Permits the sharing of the selected item type. |
Manage | Caution: This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content. It should therefore be granted only to system administrators. When granted on the User and Team objects, permits assigning users or teams to roles, and approving role assignment requests from users. When granted on Public Files and Private Files, permits full control over those files and folders. When granted on Deleted Files, permits reading and restoring of deleted files, including those that you don't own or did not delete. When granted on Catalog Administration, permits enabling and disabling of the Catalog tab on the Home page. By default, all administrators have this permission. Note: If a user has the Manage permission for a content space, and the user opens a file from that space, the user's rights are upgraded to full privileges. Example: Let's say a user shares a story with you with only read rights. However, this story is stored in the Public folder, and you have Manage rights on Public Files. If you open the story, your rights are automatically updated to full privileges. |
The following table lists the permissions that can be set for each object type.
Object Type | Permissions | Notes |
---|---|---|
Dimension | CRUD-M-- | Set the Maintain permission to permit adding members to a dimension without being able to change the actual definition. Set Update to allow changing the dimension definition itself. Note: On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name. |
Currency | CRUD---- | Lets users see and work with currency conversion tables. |
Planning Model | CRUDEM-- | Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges). Set Execute to enable planning features. |
Analytic Model | CRUD-M-- | Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges). |
SAP Business Technology Platform (BTP) Data Source | ----E--- | Set the Execute permission to permit users to connect to and create models based on live SAP HANA data sources. We recommend that you enable this permission and the Execute permission for SAP BTP if you want to use both live data connections and import data connections. |
Other Data Sources | ----E--- | Set the Execute permission for users to see the Connections menu and import-data connections in the Connections list, and to permit users to create connections to on-premise, cloud, and live data sources. This permission is used together with the Connection permissions. We recommend that you enable this permission and the Execute permission for Other Data Sources if you want to use both live data connections and import data connections. |
Translation | CR-D---- | To access the Translation dashboard, you must have at least one of the permissions Create, Read, or Delete. Create: Lets you upload translations via XLIFF files, or review/edit from the translation dashboard. Read: Lets you download the source XLIFF files from the Translation dashboard in SAP Analytics Cloud. Delete: Lets you delete the translations. |
Role | CRUD---- | Lets users access roles. |
User | CRUD---M | The Read permission lets you see a list of users in a dialog; for example, when choosing which users to share a story with, or when choosing users to add to a team. To see the user list in , you need the Read permission, plus one of the Create, Update, or Delete permissions. If you have only the Read permission, you won't be able to view that user list. Set the Manage permission to permit assigning users to roles, and approving role assignment requests from users. |
Team | CRUD---M | Set the Read permission to let users see the area. The Update permission lets you make changes to the Teams area. Set the Manage permission to permit assigning teams to roles. |
Activity Log | -R-D---- | Lets users access activity logs. |
Data Change Log | -R-D---- | Provides access to the | area. Set the Read permission to permit displaying the audit report. Set the Read and Delete permissions for the appropriate model to permit downloading and deleting log entries.
Lifecycle | -R---MS- | The Maintain permission allows you to access and import packages from the Content Network, and the Share permission allows you to export and manage packages in the Content Network. The Read permission provides access to the and areas. |
Connection | CRUD-M-M | These permissions let users create, read, update, delete and share individual connections. You must also set the Execute permission on Other Data Sources for users to have access to the Connections area. The Maintain permission is required to make the and pages visible. Note that the Connections page shows only the connection objects that the user has permission for, or that have been shared with the user. On the Schedule Status page, the Refresh Now button and the Open Data Model link will only be accessible if the user has permission for the model. The Manage permission should only be assigned to a user with an administrator role. This permission allows a user to read, update, delete, and share all import data connections except SAP ERP, Concur, Fieldglass and Salesforce connections. Note: A connection may only be shared if sharing credentials is enabled when the connection is created. |
Public Files | CR-D---M | Permits access to public folders and files. For example, to be able to create stories, users need to have the Create permission. Set the Manage right for Public Files to let users access the System content folder on the left side of the Files page. In the System folder, users have full control over Public folders, Samples, and Input Forms on that tenant. Users also have the right to change the sharing permissions on the Public folder. |
Private Files | CR-D---M | Permits access to a user's private folders and files. For example, to be able to create stories, users need to have the Create permission. Set the Manage right for Private Files to let users access the System content folder on the left side of the Files page. In the System folder, users have full control over all private content on that tenant. For example, if someone leaves your organization, and has left behind some private content that you don't want to lose, a user with the Manage permission could access the private content, and move it or change ownership of it. |
Deleted Files | -------M | Set the Manage permission to give users the right to read and restore all deleted files from all users in the tenant. |
Ownership of Content | ----E--- | Users with the Execute permission can transfer the ownership of content to another user when a user is deleted or when using the Change Owner action from the Files page. |
System Information | -RU----- | Users with the Read permission can access the About area in the System menu. Users with the Update permission can access the Monitor, Administration, Synonym Definitions, and About areas in the System menu. |
Allocation Step | CRUDE--- | Users with the Execute permission can execute an allocation step in an allocation process. For more information, see the description for Allocation Process. |
Allocation Process | CRUDE--- | Users with the Execute permission can execute an allocation process in a story. To execute an allocation process, you need the Execute permission for the process and all its steps. |
Explorer | ----E--- | Set Execute to provide access to the Data Exploration mode in a story. |
Personal Data Acquisition | ----E--- | Users with the Execute permission can upload data to a story, and create points of interest based on that data. |
Automated Discoveries | ----E--- | The Automated Discoveries permissions are deprecated, and have no effect. |
Digital Boardroom | CRUD--S- | Lets users access digital boardroom presentations. |
Analytics Hub Assets | CRUDE--- | Lets users access Analytics Hub assets. Users with the Execute permission can validate or reject draft assets sent for review. |
Analytics Hub Structures | CRUD---- | Lets users access Analytics Hub structures. |
Data Locking | CRUD-M-- | For users that need to configure driving dimensions and data locking ownership, set the Create, Read, Update, and Delete permissions. To change the state of a lock as a data lock owner, a user must have the Read and Maintain permissions. |
Data Action | CRUDE--- | Lets users create, read, update, and delete data actions. Users with the Execute permission can run data actions (for example, in stories). |
Predictive Scenario | CRUD---- | Lets users create, read, update, and delete predictive models, in order to find the one that gives the best predictions for the business question. |
Multi Action | CRUDE--- | Lets users create, read, update, and delete multi actions. The Read permission lets users open the multi actions start page and open multi actions in the designer. It's also required to add a multi action to a planning trigger and to run a multi action. The Execute permission lets users run multi actions. For the Create, Update, and Delete permissions, you can create a custom role based on the following standard application roles: Admin or Modeler. Also, for these permissions, note the license requirement: SAP Analytics Cloud for Planning, professional edition. For Read and Execute, you can create a custom role based on the following standard application roles: Admin, Modeler, Planner, Reporter, or Viewer. Also, for these permissions, note the license requirement: SAP Analytics Cloud for Planning, professional edition or standard edition. |
Applications | CRUD---- | Lets users access analytic applications. |
Dataset | CR------ | Users with Read permission can read dataset content. Users with Create permission can create, read, edit, and delete datasets. |
Point of Interest | CRUD-M-- | Lets users access points of interest. The Maintain permission is included in some roles, but is currently not used. |
Calendar Admin | -------M | Lets users view and edit all calendar events of this SAP Analytics Cloud tenant, except publications. |
Schedule Publication | C------M | Lets users create schedules for publishing content. The Manage permission on Schedule Publication allows you to become the manager of the schedules available in the tenant. This means you can view or modify the schedules created for publishing stories and analytical applications. However, you cannot delete the schedule or modify the Distribution section and the File Type, and the option Include link to story. Note: As a prerequisite, you should have the Manage permission on Public and Private files to view the schedules of public or private content. |
Theme | CRUD---- | Lets users access themes for analytic applications. |
Data Analyzer | ----E--- | Lets users work with the data analyzer. |
Global Bookmark | CRUD--S- | Lets users access global bookmarks. |
Private Bookmark (Personal) | CRUD--S- | Lets users access private bookmarks. |
Private Bookmark (Others) | C------- | Lets users copy private bookmarks created by others with the analytic application or optimized story. |
Discussion | CR------ | Users with the Read permission can view and contribute to discussions that they are a part of. Also, they can remove attachments, add participants (users or teams) to the discussions, or leave the discussions. When you select the Create permission, the Read permission is automatically selected as well. With the Create permission, users can create discussions. For discussions that users create (or own), they can change the name, remove participants, and archive or delete the discussions. Tip: To allow users to attach files to a discussion, set the Create permission for Uploaded Files. |
Comment | CR-D---- | Users with Read permission can only read existing comments and like them. When you set the Create permission, the Read permission is automatically set as well. With the Create permission, users can start new comment threads or add comments to existing comment threads. When you set the Delete permission, the Read permission is automatically set as well. With the Delete permission, users can delete comments. If all these permissions are selected, the access to the commenting actions for adding, viewing, and deleting comments is given to a user at the time content is shared. If none of these permissions are selected, users will not have any access to the commenting actions for adding, viewing, and deleting comments when content is shared. For more information, see About Comment Permissions and Options. |
Custom Widget | CRUD---- | Lets users access custom widgets in analytic applications. |
Validation Rule | CRUD---- | For users who need to configure validation rules, set the Create, Read, Update, and Delete permissions. This privilege requires the Planning Professional license. For more information, see Define Valid Member Combinations for Planning Using Validation Rules. |
Publish Content | ----E--- | Users with the Execute permission can publish content to the Catalog on the Home page. |
Catalog Administration | -------M | Set the Manage permission to let users enable and disable the Catalog on the Home page. By default, all administrators have this permission. |
Content Link | CRUD---- | Lets users access content outside of SAP Analytics Cloud. |
Workspace | -R-----M | Set the Read permission to let users see the workspaces they are assigned to. Users who are workspace members can select the workspace from the list view on the Files page. Users who are assigned as workspace administrators on the Workspace Management page can select the workspace from the System view. When you set the Manage permission, the Read permission is automatically set as well. With the Manage permission, users can open the Workspace Management page to create and delete workspaces. Also for any workspace, they can edit the workspace name and description, assign teams as workspace members, and assign users or teams as workspace administrators. |
Synonym Dictionary | CRUD---- | Lets users create, read, update, and delete synonyms for their terms. |
Private Insight | C------- | Lets users create insights. However, users can't edit or rename the insight in the file repository. |
Remote Repository Snapshot | C------- | Lets users save data change insights snapshots of analytic applications in the data repository configured via | .
Runtime Notification | C------- | Lets users send notifications at analytic application runtime. |
Private Insight | C------- | Lets users that are not allowed to create public or private files create private insights. |
Uploaded Files | C------- | Set the Create permission to give users the right to upload local files to the tenant. This permission on its own allows users to attach files to discussions. When used with Private Files and Public files object-type permissions, users can upload files from the Files page: For custom roles created from standard application roles, review this permission and adjust as needed. |
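The following added example (not SAP code) decodes the eight-character masks used in the table above and audits a custom role against three rules stated on this page: a permission must be available for its object type, Create should be paired with Read, and Manage belongs only in administrator roles. The role format (`{object type: mask}`), the function names, and the sample role are assumptions made for illustration; SAP Analytics Cloud does not export roles in this form.

```python
# Column order of the 8-character masks in the object-type table.
FLAGS = ("Create", "Read", "Update", "Delete", "Execute", "Maintain", "Share", "Manage")

# Masks copied from the object-type table on this page (subset).
ALLOWED = {
    "Dimension": "CRUD-M--",
    "Planning Model": "CRUDEM--",
    "User": "CRUD---M",
    "Public Files": "CR-D---M",
    "Private Files": "CR-D---M",
    "Deleted Files": "-------M",
    "Connection": "CRUD-M-M",
    "Digital Boardroom": "CRUD--S-",
    "Uploaded Files": "C-------",
}

def decode(mask):
    """Turn a mask such as 'CRUD-M-M' into a set of permission names."""
    if len(mask) != len(FLAGS):
        raise ValueError(f"mask must be {len(FLAGS)} characters: {mask!r}")
    granted = set()
    for ch, name in zip(mask, FLAGS):
        if ch == "-":
            continue
        if ch != name[0]:
            raise ValueError(f"unexpected {ch!r} in {mask!r}")
        granted.add(name)
    return granted

def audit_role(grants, admin_role=False):
    """Return sorted (object_type, finding) pairs for a {object_type: mask} role."""
    findings = []
    for obj, mask in grants.items():
        if obj not in ALLOWED:
            findings.append((obj, "object type not in the reference table"))
            continue
        granted, allowed = decode(mask), decode(ALLOWED[obj])
        for extra in sorted(granted - allowed):
            findings.append((obj, f"{extra} is not available for this object type"))
        # Creators cannot open what they create unless Read is also granted.
        if "Create" in granted and "Read" in allowed and "Read" not in granted:
            findings.append((obj, "Create granted without Read"))
        # The page restricts Manage to system administrators.
        if "Manage" in granted and not admin_role:
            findings.append((obj, "Manage granted in a non-administrator role"))
    return sorted(findings)

# Constructed sample role (hypothetical), written as masks in the table's column order.
SAMPLE_ROLE = {
    "Dimension": "C----M--",          # Create and Maintain, but no Read
    "Private Files": "CR-D---M",      # includes Manage
    "Digital Boardroom": "CR---M--",  # Maintain is not offered for this type
    "Uploaded Files": "C-------",     # Read is not offered here, so no finding
}

if __name__ == "__main__":
    for obj, finding in audit_role(SAMPLE_ROLE):
        print(f"{obj}: {finding}")
```
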
Individual object permissions
For some SAP Analytics Cloud objects, permissions can be applied to all objects of a particular type, or only to specific objects. For example, if you grant users the Delete permission for Dimension objects, those users can delete any dimensions they own.
To grant permissions only on specific dimensions, expand the Dimension row, and then use the check boxes on the individual dimension rows.
- Private dimension (also called embedded dimension) permissions are not inherited from the model. For example, if you create a model, and grant User A only the Read permission for that model, but User A has been granted the BI Content Creator role, User A will, by default, be able to edit and maintain the private dimensions within the model.
  The Read permission affects only the actions on the model itself. So for example, with Read permission, User A wouldn't be able to add new dimensions to the model or rename the model.
- If the object type allows individual object permissions, for example Dimension objects, then users need both of the following:
  - The object-type permission for the object
  - The individual object permission for the object; OR, the user is the owner of the object
  If the object type doesn't allow individual object permissions, for example Digital Boardroom objects, then users need just the object-type permission for the object.
- On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name.
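For an access review, the two-part rule above can be evaluated over users and objects to see who can actually perform an action. This is an added example, not SAP code: the data structures, function names, users, and objects are constructed, and only Dimension is modelled as a type with individual object permissions, because that is the example the page gives.

```python
# Assumption: Dimension supports individual object permissions and Digital
# Boardroom does not (the page's own examples); other types are not modelled.
PER_OBJECT_TYPES = {"Dimension"}

def is_allowed(user, obj, action):
    """user: {'name', 'type_perms', 'object_perms'}; obj: {'type', 'name', 'owner'}."""
    # Part 1: the object-type permission is always required.
    if action not in user["type_perms"].get(obj["type"], set()):
        return False
    # Types without individual object permissions need nothing more.
    if obj["type"] not in PER_OBJECT_TYPES:
        return True
    # Part 2: ownership of the object, OR an individual grant on it.
    if obj["owner"] == user["name"]:
        return True
    return action in user["object_perms"].get((obj["type"], obj["name"]), set())

def who_can(users, objects, action):
    """Map each object name to the sorted user names allowed to perform `action`."""
    return {o["name"]: sorted(u["name"] for u in users if is_allowed(u, o, action))
            for o in objects}

# Constructed sample data (hypothetical users and objects).
USERS = [
    # Owns the Region dimension; has no Digital Boardroom permission at all.
    {"name": "alice", "type_perms": {"Dimension": {"Read", "Delete"}},
     "object_perms": {}},
    # Type-level Read and Delete, but only an individual Read grant on Region.
    {"name": "bob", "type_perms": {"Dimension": {"Read", "Delete"}},
     "object_perms": {("Dimension", "Region"): {"Read"}}},
    # Individual Delete grant on Region, but no Dimension object-type permission.
    {"name": "carol", "type_perms": {"Digital Boardroom": {"Read"}},
     "object_perms": {("Dimension", "Region"): {"Delete"}}},
]
OBJECTS = [
    {"type": "Dimension", "name": "Region", "owner": "alice"},
    {"type": "Digital Boardroom", "name": "Q3 Review", "owner": "alice"},
]

if __name__ == "__main__":
    for action in ("Read", "Delete"):
        print(action, who_can(USERS, OBJECTS, action))
```

In the sample, bob's type-level Delete does not reach a dimension he neither owns nor holds an individual grant for, and carol's individual grant is ineffective without the object-type permission.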
Assigning object permissions to users or teams, not roles
You can also assign individual object permissions to users or teams, instead of to roles. For details, see Share Files or Folders.