Permissions

An administrator can select the individual permissions included in a custom role, including permissions for individual objects, such as specific dimensions.

You can assign permissions based on standard user roles, for example Admin or Viewer, but if some of your users don't fit any of the included standard roles, you can create custom roles with the exact permissions you choose.

If you want to assign permissions based on standard roles, see Standard Application Roles. To create custom roles, see Create Roles.

This help topic explains the permissions in detail.

Object-type permissions

For most SAP Analytics Cloud objects, permissions apply to all objects of a particular type. For example, if you grant a user the Read permission for Digital Boardroom objects, that user can open and view any Digital Boardroom presentations that have been shared with them.

Note
  • When assigning permissions for a custom role, permissions that belong to different license types may not be available to select. For example, if you chose the Planning Standard license type, the Planning Model permissions are not available, because those permissions are available only with the Planning Professional license type.
  • The Business Intelligence Standard license permissions are a subset of the Planning Standard license permissions, which are a subset of the Planning Professional license permissions. For more information, see Features by License Type for Planning Models.
Permissions
Permission Meaning
Create

Permits creating new objects of this item type. Users need this permission to create files and folders or upload data to an object, such as models, stories, points of interest, and others. If you grant users the Create object-type permission, be sure to also grant the Read object-type permission, so that users can access the objects they create.

When granted on Uploaded Files, allows users to upload local files to the tenant. For details, see the notes for Uploaded Files.

Read Permits opening and viewing an item and its content.
Update Permits editing and updating existing items, including the structure of models and dimensions. Compare this permission with the Maintain permission, which doesn't allow changes to the data structure. Note: some object types need the Maintain permission to update data. See the Maintain entry.
Delete Permits deletion of the item.
Execute Permits executing the item to run a process. For example, running a simulation using a legacy Value Driver Tree, or acquiring data from a data source.
Maintain Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure. Compare this permission with the Update permission, which does allow changes to the data structure.

When granted on Dimension objects, permits updating of dimension members.

When granted on Planning Model and Analytic Model objects, permits updating of both fact data and members of embedded (private) dimensions.

When granted on Lifecycle objects, permits importing and exporting objects.

When granted on Connection, the Connection > Connections and Connection > Schedule Status pages are visible.

When granted on Data Locking, permits the changing of a lock state for data slices.

Share Permits the sharing of the selected item type.
Manage
Caution
This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content. It should therefore be granted only to system administrators.

When granted on the User and Team objects, permits assigning users or teams to roles, and approving role assignment requests from users.

When granted on Public Files and Private Files, permits full control over those files and folders.

When granted on Deleted Files, permits reading and restoring of deleted files, including those that you don't own or did not delete.

When granted on Catalog Administration, permits enabling and disabling of the Catalog tab on the Home page. By default, all administrators have this permission.

Note
If a user has the Manage permission for a content space, and the user opens a file from that space, the user's rights are upgraded to full privileges.

Example: Let's say a user shares a story with you with only read rights. However, this story is stored in the Public folder, and you have Manage rights on Public Files. If you open the story, your rights are automatically updated to full privileges.

The following table lists the permissions that can be set for each object type.

Note
Some permissions require other permissions to be active first, and may be automatically set. For example, setting the Delete permission on Public Files will automatically set the Read permission as well.
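Permissions Available by Object Type (C=Create, R=Read, U=Update, D=Delete, E=Execute, M=Maintain, S=Share, M=Manage). Each entry lists the eight permissions in this order, so the first M is Maintain and the last M is Manage; a hyphen marks a permission that cannot be set for that object type.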
Object Type Permissions Notes
Dimension CRUD-M-- Set the Maintain permission to permit adding members to a dimension without being able to change the actual definition. Set Update to allow changing the dimension definition itself.
Note
On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name.

Learn About Dimensions and Measures

Currency CRUD---- Lets users see and work with currency conversion tables.

Learn About Currency Conversion Tables

Planning Model CRUDEM-- Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges). Set Execute to enable planning features.

Learn About Models

Analytic Model CRUD-M-- Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges).

Learn About Models

SAP Business Technology Platform (BTP) Data Source ----E--- Set the Execute permission to permit users to connect to and create models based on live SAP HANA data sources.

We recommend that you enable this permission and the Execute permission for SAP BTP if you want to use both live data connections and import data connections.

Data Connections

Other Data Sources ----E--- Set the Execute permission for users to see the Connections menu and import-data connections in the Connections list, and to permit users to create connections to on-premise, cloud, and live data sources. This permission is used together with the Connection permissions.

We recommend that you enable this permission and the Execute permission for Other Data Sources if you want to use both live data connections and import data connections.

Data Connections

Translation CR-D---- To access the Translation dashboard, you must have at least one of the permissions Create, Read, or Delete:

Create: Lets you upload translations via XLIFF files, or review/edit from the translation dashboard.

Read: Lets you download the source XLIFF files from the Translation dashboard in SAP Analytics Cloud.

Delete: Lets you delete the translations.

Learn About the Translation Process

Role CRUD---- Lets users access roles.

Standard Application Roles

User CRUD---M

The Read permission lets you see a list of users in a dialog; for example, when choosing which users to share a story with, or when choosing users to add to a team.

To see the user list in Security > Users, you need the Read permission, plus one of the Create, Update, or Delete permissions. If you have only the Read permission, you won't be able to view that user list.

Set the Manage permission to permit assigning users to roles, and approving role assignment requests from users.

Security Administration

Standard Application Roles

Team CRUD---M

Set the Read permission to let users see the Security > Teams area.

The Update permission lets you make changes to the Teams area.

Set the Manage permission to permit assigning teams to roles.

Create Teams

Standard Application Roles

Activity Log -R-D---- Lets users access activity logs.

Track User Activities

Data Change Log -R-D---- Provides access to the Security > Data Changes area. Set the Read permission to permit displaying the audit report. Set the Read and Delete permissions for the appropriate model to permit downloading and deleting log entries.

Track Data Changes

Lifecycle -R---MS-

The Maintain permission allows you to access and import packages from the Content Network, and the Share permission allows you to export and manage packages in the Content Network.

The Read permission provides access to the Transport > Export and Transport > Import areas.

Content Administration

Connection CRUD-M-M These permissions let users create, read, update, delete and share individual connections.

You must also set the Execute permission on Other Data Sources for users to have access to the Connections area.

The Maintain permission is required to make the Connections > Connections and Connections > Schedule Status pages visible.

Note that the Connections page shows only the connection objects that the user has permission for, or that have been shared with the user. On the Schedule Status page, the Refresh Now button and the Open Data Model link will only be accessible if the user has permission for the model.

Data Connections

The Manage permission should only be assigned to a user with an administrator role. This permission allows a user to read, update, delete, and share all import data connections except SAP ERP, Concur, Fieldglass and Salesforce connections.
Note

A connection may only be shared if sharing credentials is enabled when the connection is created.

Public Files CR-D---M Permits access to public folders and files.

For example, to be able to create stories, users need to have the Create permission.

Set the Manage right for Public Files to let users access the System content folder on the left side of the Files page.

In the System folder, users have full control over Public folders, Samples, and Input Forms on that tenant.

Users also have the right to change the sharing permissions on the Public folder.

Manage Files and Folders

Private Files CR-D---M

Permits access to a user's private folders and files.

For example, to be able to create stories, users need to have the Create permission.

Set the Manage right for Private Files to let users access the System content folder on the left side of the Files page.

In the System folder, users have full control over all private content on that tenant.

For example, if someone leaves your organization, and has left behind some private content that you don't want to lose, a user with the Manage permission could access the private content, and move it or change ownership of it.

Manage Files and Folders

Deleted Files -------M Set the Manage permission to give users the right to read and restore all deleted files from all users in the tenant.

Manage Files and Folders

Ownership of Content ----E--- Users with the Execute permission can transfer the ownership of content to another user when a user is deleted or when using the Change Owner action from the Files page.

Modify Users

System Information -RU-----

Users with the Read permission can access the About area in the System menu.

Users with the Update permission can access the Monitor, Administration, Synonym Definitions, and About areas in the System menu.

System Administration

Allocation Step CRUDE--- Users with the Execute permission can execute an allocation step in an allocation process. For more information, see the description for Allocation Process.

Learn About Allocations

Allocation Process CRUDE--- Users with the Execute permission can execute an allocation process in a story.

To execute an allocation process, you need the Execute permission for the process and all its steps.

  • If you don't have the permission to execute an allocation process, you can't execute the process, whether or not you have the Execute permission for the allocation steps included in that process.
  • If you have the permission to execute an allocation process, but don't have permission to execute one of the allocation steps that is part of this process, that step is not executed, and the execution of the allocation process is rolled back.
  • If you have Execute permission for an allocation step, you can execute it within a data action.

Learn About Allocations

Explorer ----E--- Set Execute to provide access to the Data Exploration mode in a story.

Accessing the Explorer

Personal Data Acquisition ----E--- Users with the Execute permission can upload data to a story, and create points of interest based on that data.

Creating Points of Interest

Automated Discoveries ----E--- The Automated Discoveries permissions are deprecated, and have no effect.
Digital Boardroom CRUD--S- Lets users access digital boardroom presentations.

Digital Boardroom Presentation

Analytics Hub Assets CRUDE--- Lets users access Analytics Hub assets. Users with the Execute permission can validate or reject draft assets sent for review.

Create Roles

Analytics Hub Structures CRUD---- Lets users access Analytics Hub structures.

Create Roles

Data Locking CRUD-M-- For users that need to configure driving dimensions and data locking ownership, set the Create, Read, Update, and Delete permissions. To change the state of a lock as a data lock owner, a user must have the Read and Maintain permissions.

Configuring Data Locking

Data Action CRUDE--- Lets users create, read, update, and delete data actions. Users with the Execute permission can run data actions (for example, in stories).

Get Started with Data Actions for Planning

Predictive Scenario CRUD---- Lets users create, read, update, and delete predictive models, so that they can find the one that gives the best predictions for the business question.

Smart Predict – Using Predictive Scenarios

Multi Action CRUDE--- Lets users create, read, update, and delete multi actions. The Read permission lets users open the multi actions start page and open multi actions in the designer. It’s also required to add a multi action to a planning trigger and to run a multi action. The Execute permission lets users run multi actions.

For the Create, Update, and Delete permissions, you can create a custom role based on the following standard application roles: Admin or Modeler. Also, for these permissions, note the license requirement: SAP Analytics Cloud for Planning, professional edition.

For Read and Execute, you can create a custom role based on the following standard application roles: Admin, Modeler, Planner, Reporter, or Viewer. Also, for these permissions, note the license requirement: SAP Analytics Cloud for Planning, professional edition or standard edition.

Understand Licenses, Roles, and Permissions

Standard Application Roles

Automate a Workflow Using Multi Actions

Applications CRUD---- Lets users access analytic applications.

Analytic Application Design (Analytics Designer)

Dataset CR------ Users with Read permission can read dataset content. Users with Create permission can create, read, edit, and delete datasets.

About Securing Datasets

Point of Interest CRUD-M-- Lets users access points of interest. The Maintain permission is included in some roles, but is currently not used.

Creating Points of Interest

Calendar Admin -------M Lets users view and edit all calendar events of this SAP Analytics Cloud tenant, except publications.

Work with Calendar Events as Calendar Admin

Schedule Publication C------M Lets users create schedules for publishing content.
The Manage permission on Schedule Publication allows you to become the manager of the schedules available in the tenant. This means you can view or modify the schedules created for publishing stories and analytical applications. However, you cannot delete the schedule or modify the Distribution section, the File Type, or the option Include link to story.
Note
As a prerequisite, you should have the Manage permission on Public and Private files to view the schedules of public or private content.

Schedule a Publication

Theme CRUD---- Lets users access themes for analytic applications.

Define Themes for Your Analytic Applications

Data Analyzer ----E--- Lets users work with the data analyzer.

Launch Classic Data Analyzer and Start Ad-Hoc Analysis

Global Bookmark CRUD--S- Lets users access global bookmarks.
Private Bookmark (Personal) CRUD--S- Lets users access private bookmarks.
Private Bookmark (Others) C------- Lets users copy private bookmarks created by others with the analytic application or optimized story.
Discussion CR------

Users with the Read permission can view and contribute to discussions that they are a part of. Also, they can remove attachments, add participants (users or teams) to the discussions, or leave the discussions.

When you select the Create permission, the Read permission is automatically selected as well. With the Create permission, users can create discussions. For discussions that users create (or own), they can change the name, remove participants, and archive or delete the discussions.

Tip

To allow users to attach files to a discussion, set the Create permission for Uploaded Files.

Collaborate by Having Group Discussions

Comment CR-D----

Users with Read permission can only read existing comments and like them.

When you set the Create permission, the Read permission is automatically set as well. With the Create permission, users can start new comment threads or add comments to existing comment threads.

When you set the Delete permission, the Read permission is automatically set as well. With the Delete permission, users can delete comments.

If all these permissions are selected, the access to the commenting actions for adding, viewing, and deleting comments is given to a user at the time content is shared. If none of these permissions are selected, users will not have any access to the commenting actions for adding, viewing, and deleting comments when content is shared. For more information, see About Comment Permissions and Options.

Collaborate by Having Group Discussions

Custom Widget CRUD---- Lets users access custom widgets in analytic applications.

Use Custom Widgets in Analytic Applications

Validation Rule CRUD---- For users who need to configure validation rules, set the Create, Read, Update, and Delete permissions. This privilege requires the Planning Professional license.

Define Valid Member Combinations for Planning Using Validation Rules

Publish Content ----E--- Users with the Execute permission can publish content to the Catalog on the Home page.

Enable Content Discoverability with the Analytics Catalog

Catalog Administration -------M Set the Manage permission to let users enable and disable the Catalog on the Home page. By default, all administrators have this permission.

Enable Content Discoverability with the Analytics Catalog

Content Link CRUD---- Lets users access content outside of SAP Analytics Cloud.

Share Links to Additional Analytics Content

Workspace -R-----M Set the Read permission to let users see the workspaces they are assigned to. Users who are workspace members can select the workspace from the list view on the Files page. Users who are assigned as workspace administrators on the Workspace Management page can select the workspace from the System view.

When you set the Manage permission, the Read permission is automatically set as well. With the Manage permission, users can open the Workspace Management page to create and delete workspaces. Also, for any workspace, they can edit the workspace name and description, assign teams as workspace members, and assign users or teams as workspace administrators.

Configure Workspaces

Share and Collaborate Within Workspaces

Synonym Dictionary CRUD---- Lets users create, read, update, and delete synonyms for their terms.

Defining and Working with Synonyms

Private Insight C------- Lets users create insights. However, users can't edit or rename the insight in the file repository.

Open Classic Insights

Remote Repository Snapshot C------- Lets users save data change insights snapshots of analytic applications in the data repository configured via System > Administration > Data Source Configuration.
Runtime Notification C------- Lets users send notifications at analytic application runtime.

Use sendNotification API

Private Insight C------- Lets users that are not allowed to create public or private files create private insights.

Open Classic Insights

Uploaded Files C------- Set the Create permission to give users the right to upload local files to the tenant. This permission on its own allows users to attach files to discussions.

When used with the Private Files and Public Files object-type permissions, users can upload files from the Files page:

  • When Create is selected for Private Files, users can upload files to their private folder.

  • When Create is selected for Public Files, users can upload files to the Public folder.

For custom roles created from standard application roles, review this permission and adjust as needed.

Manage Files and Folders

Collaborate by Having Group Discussions
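
An added example, not part of the SAP documentation: a Python sketch that audits a custom role written in the table's eight-position notation against three points this page makes (a permission the object type does not offer, Create granted without Read, and Manage granted in a non-administrator role). The AVAILABLE subset is copied from the table; the grants dictionary format and the sample role are assumptions constructed for illustration, not an SAP Analytics Cloud export format.

```python
# Added example: audit custom-role grants written in this page's 8-position masks.
ORDER = ("Create", "Read", "Update", "Delete", "Execute", "Maintain", "Share", "Manage")

# Subset of the "Permissions Available by Object Type" table above.
AVAILABLE = {
    "Dimension": "CRUD-M--",
    "Connection": "CRUD-M-M",
    "Public Files": "CR-D---M",
    "Private Files": "CR-D---M",
    "Deleted Files": "-------M",
    "User": "CRUD---M",
    "Comment": "CR-D----",
    "Uploaded Files": "C-------",
}


def decode(mask):
    """Turn a mask such as 'CR-D---M' into a set of permission names.

    Maintain and Manage share the letter M and are told apart by position.
    """
    if len(mask) != len(ORDER):
        raise ValueError(f"expected {len(ORDER)} positions, got {mask!r}")
    granted = set()
    for position, (char, name) in enumerate(zip(mask, ORDER), start=1):
        if char == "-":
            continue
        if char != name[0]:
            raise ValueError(f"position {position} of {mask!r} must be '-' or {name[0]!r}")
        granted.add(name)
    return granted


def audit_role(grants, is_admin_role=False):
    """Return (object_type, finding) pairs for one role definition.

    grants maps an object type to the mask the role grants (assumed format).
    """
    findings = []
    for object_type, mask in grants.items():
        if object_type not in AVAILABLE:
            findings.append((object_type, "unknown object type"))
            continue
        granted = decode(mask)
        available = decode(AVAILABLE[object_type])
        extra = sorted(granted - available)
        if extra:
            findings.append((object_type, "not available: " + ", ".join(extra)))
        # The page advises granting Read together with Create.
        if "Create" in granted and "Read" in available and "Read" not in granted:
            findings.append((object_type, "Create without Read"))
        # The page's Caution: Manage only for system administrators.
        if "Manage" in granted and not is_admin_role:
            findings.append((object_type, "Manage in non-admin role"))
    return findings


# Constructed role definition, not taken from a real tenant.
SAMPLE_ROLE = {
    "Public Files": "CR-D---M",
    "Private Files": "C-------",
    "Dimension": "-R--E---",
    "Comment": "CR-D----",
}

if __name__ == "__main__":
    for object_type, finding in audit_role(SAMPLE_ROLE):
        print(f"{object_type}: {finding}")
```

Because some permissions are set automatically when another is selected, a "Create without Read" finding describes the role as written, not necessarily the state the tenant saves.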

Individual object permissions

For some SAP Analytics Cloud objects, permissions can be applied to all objects of a particular type, or only to specific objects. For example, if you grant users the Delete permission for Dimension objects, those users can delete any dimensions they own.

To grant permissions only on specific dimensions, expand the Dimension row, and then use the check boxes on the individual dimension rows.

Note
  • Private dimension (also called embedded dimension) permissions are not inherited from the model. For example, if you create a model, and grant User A only the Read permission for that model, but User A has been granted the BI Content Creator role, User A will, by default, be able to edit and maintain the private dimensions within the model.

    The Read permission affects only the actions on the model itself. So for example, with Read permission, User A wouldn't be able to add new dimensions to the model or rename the model.

  • If the object type allows individual object permissions, for example Dimension objects, then users need both of the following:

    • The object-type permission for the object
    • The individual object permission for the object; OR, the user is the owner of the object

    If the object type doesn't allow individual object permissions, for example Digital Boardroom objects, then users need just the object-type permission for the object.

  • On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name.
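
An added example, not part of the SAP documentation: a Python model of the rule in the note above (object-type permission, plus either an individual object permission or ownership), used to answer "who can delete this dimension, and why". The class names, the way grants are stored and the sample users are assumptions constructed for illustration; sharing and private (embedded) dimensions are not modelled.

```python
# Added example: model of the access rule in the note above (not SAP code).
from dataclasses import dataclass, field

# Per the note: Dimension allows individual object permissions,
# Digital Boardroom does not. Other types are left out of this sketch.
ALLOWS_INDIVIDUAL = {"Dimension": True, "Digital Boardroom": False}


@dataclass
class User:
    name: str
    # Object-type permissions gathered from the user's roles.
    type_perms: dict = field(default_factory=dict)
    # Individual grants, keyed by (object type, object description).
    object_perms: dict = field(default_factory=dict)


@dataclass
class SacObject:
    object_type: str
    description: str
    owner: str


def check(user, obj, permission):
    """Return (allowed, reason) for one user, object and permission."""
    if permission not in user.type_perms.get(obj.object_type, set()):
        return False, "no object-type permission"
    if not ALLOWS_INDIVIDUAL[obj.object_type]:
        return True, "object-type permission"
    if obj.owner == user.name:
        return True, "object-type permission + owner"
    key = (obj.object_type, obj.description)
    if permission in user.object_perms.get(key, set()):
        return True, "object-type permission + individual permission"
    return False, "no individual permission and not owner"


def who_can(users, obj, permission):
    """Access review: map each user name to the check() result."""
    return {u.name: check(u, obj, permission) for u in users}


# Constructed users and object for illustration.
USERS = [
    User("alice", {"Dimension": {"Read", "Delete"}}),
    User("bob", {"Dimension": {"Read", "Delete"}},
         {("Dimension", "Cost Center"): {"Delete"}}),
    User("carol", {"Dimension": {"Read"}},
         {("Dimension", "Cost Center"): {"Delete"}}),
    User("dave", {"Dimension": {"Read", "Delete"}}),
]
COST_CENTER = SacObject("Dimension", "Cost Center", owner="alice")

if __name__ == "__main__":
    for name, (allowed, reason) in who_can(USERS, COST_CENTER, "Delete").items():
        print(f"{name}: {'allow' if allowed else 'deny'} ({reason})")
```

In this model carol is denied even though the Delete box is ticked on the individual dimension, because the role lacks Delete at the object-type level; dave has the reverse gap.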

Assigning object permissions to users or teams, not roles

You can also assign individual object permissions to users or teams, instead of to roles. For details, see Share Files or Folders.