Standard Application Roles

SAP Analytics Cloud includes several standard application roles. The roles that you will see depend on the licenses included in your subscription. As a best practice, you can use these roles as templates for creating custom roles for different departments within your organization.

Roles and Permissions

A role represents the main tasks that a user performs in SAP Analytics Cloud. For example, if the CEO of your organization wants to be able to open stories and digital boardroom presentations, but doesn't need to create them, you could assign them to the Viewer role. The system administrator would need the Admin role though, because they manage users and content.

A role comes with a collection of permissions. the CEO and system administrator shouldn't be assigned the same permissions. You probably don't want to grant the CEO the "Manage" permission, but the system administrator should get the maximum level of permissions.

The standard application roles provide a set of permissions that are appropriate for each particular job role. For more information, see Permissions. For example, the BI Admin role includes the Create and Delete permissions, while the BI Content Viewer role doesn't:

Note

The existing standard roles can't be deleted or edited and are updated automatically when new features are added. Instead of assigning the standard application roles to users and teams, create custom roles that are based on the standard application roles and assign the custom roles. For more information, see Create Roles.

Licenses and Roles

To access the Roles page, from the side navigation, go to Start of the navigation path Security Next navigation step  RolesEnd of the navigation path.

Roles are grouped by the license type they consume. This example shows some of the predefined standard roles and custom roles associated with the Business Intelligence license type:

Each user's license consumption is determined solely by the roles that they've been assigned. For example, a user who has been assigned only the BI Admin standard role consumes only a Business Intelligence license.

On the Roles page, you can search for roles by keyword. Begin typing a keyword into the Search field, and the page will display only those roles that match your keyword.

Standard Roles

You can use the standard application roles as templates for creating custom roles and then assign the custom roles to users. For more information, see Create Roles.

When you import role assignments from a CSV file or assign roles via the SAP Analytics Cloud REST API, you must use the following role IDs. For more information, see SAP Analytics Cloud REST API.

Role Role ID Description

System Owner

PROFILE:sap.epm:System_Owner

Full Privileges

Includes all user privileges to allow unrestricted access to all areas of the application. Only one user in the system can be assigned to this role, and it must always be assigned to a user.

Grants authorizations to create, view, update or delete analytic applications, and use the data analyzer. Can create, view, update or delete custom widgets.

Admin

PROFILE:sap.epm:Admin

Planning Administrator: Full Privileges

Includes all task authorizations available in SAP Analytics Cloud. Usually assigned to the system administrator to set up users and roles and to perform system transports.

Grants authorizations to create, view, update or delete analytic applications, and use the data analyzer. Can create, view, update or delete custom widgets.

Modeler

PROFILE:sap.epm:Modeler

Planning Modeler: Modeling Privileges

Includes all authorizations that are required to manage models and dimensions. Usually assigned to the user who creates and changes models and dimensions.

Grants authorizations for viewing analytic applications and using the data analyzer. It also grants authorization to view custom widgets.

Planner Reporter

PROFILE:sap.epm:Planner_Reporter

Planner Reporter: Planning and Reporting Privileges

Includes all authorizations that are required to perform planning activities, such as revenue planning and automated discoveries. This role also grants authorizations for updating currency tables. Usually assigned to the user who does the planning and budgeting.

This role also grants authorizations for viewing analytic applications and using the data analyzer. It also grants authorization to view custom widgets.

Viewer

PROFILE:sap.epm:Viewer

Planning Viewer: Read Privileges

Includes read-only privileges. Usually assigned to the user who is allowed only to read the data.

This role also grants authorizations for viewing analytic applications and using the data analyzer. It also grants authorization to view custom widgets.

BI Admin

PROFILE:sap.epm:BI_Admin

Business Intelligence Administrator: Full Privileges

Includes all task authorizations including predictive. It excludes task authorizations related to planning. Usually assigned to the BI system administrator to set up users and roles.

Grants authorizations to create, view, update or delete analytic applications, and use the data analyzer. This role also grants authorization to view custom widgets.

Note

Users with this role have access to content even if Data Access Control settings have been applied to that content.

BI Content Creator

PROFILE:sap.epm:BI_Content_Creator

Business Intelligence Content Creator: Create and Update Privileges

Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions.

This role also grants authorizations for viewing analytic applications and use the data analyzer. It also grants authorization to view custom widgets.

BI Content Viewer

PROFILE:sap.epm:BI_Content_Viewer

Business Intelligence Viewer: Read Privileges

Includes read-only privileges for non-planning data. Usually assigned to the user who is allowed only to read the data. By default, this role does not include private files permissions.

This role also grants authorizations for viewing analytic applications and use the data analyzer. It also grants authorization to view custom widgets.

Application Creator

PROFILE:sap.epm:Application_Creator

Application Creator: Analytics Designer Privileges

Includes all authorizations that are required to manage analytic applications. Usually assigned to the user who creates and changes analytic applications.

Grants authorizations to create, view, update or delete analytic applications, and use the data analyzer. This role also grants authorization to view custom widgets.

BTP Content Creator

PROFILE:sap.epm:HCP_Content_Creator

SAP Business Technology Platform Creator: Create and Update Privileges

Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions.

Note
The BTP roles allow access only to SAP Business Technology Platform (BTP) as a data source.

BTP Content Viewer

PROFILE:sap.epm:BI_Content_Viewer

SAP Business Technology Platform Viewer: Read Privileges

Includes read-only privileges for non-planning data. Usually assigned to the user who is allowed only to read the data. By default, this role does not include private files permissions.

Note
The BTP roles allow access only to SAP Business Technology Platform (BTP) as a data source.

Digital Boardroom Viewer

PROFILE:sap.epm:Boardroom_Viewer

Includes the read-only privilege for the Digital Boardroom area. Usually assigned to the user who is allowed only to view boardroom agendas.

Digital Boardroom Creator

PROFILE:sap.epm:Boardroom_Creator

Includes all authorizations to create, edit, share, delete, and view boardroom agendas in the Digital Boardroom area.

Predictive Content Creator PROFILE:sap.epm:Predictive_Content_Creator Includes all authorizations to create, update, delete, and view predictive scenarios in the Predictive Scenarios area. You must grant both Create and Read privileges to ensure that the user can create predictive scenarios.

For more information about the role, see Roles and Permissions for Predictive Scenarios.

Predictive Admin PROFILE:sap.epm:Predictive_Admin Among all task authorizations available in SAP Analytics Cloud, it includes all authorizations to create, update, delete, and view predictive scenarios in the Predictive Scenarios area. You need this role to add and configure Data Repositories.

For more information about the role, see Roles and Permissions for Predictive Scenarios.

Translator PROFILE:sap.epm:Translator

Includes all authorizations to create, update, read, and delete an artifact with regards to translation.

BI Restricted Content Creator PROFILE:sap.epm:BI_RESTRICTED_CONTENT_CREATOR

Business Intelligence Restricted Content Creator: Create and Update Privileges

Includes all authorizations that are required to manage models and dimensions not related to planning. Usually assigned to the user who creates and changes non-planning models and dimensions.

This role also grants authorizations for viewing analytic applications and use the data analyzer. It also grants authorization to view custom widgets.

Note
This role is only available for SAP Datasphere embedded customers.
BI Restricted Content Viewer PROFILE:sap.epm:BI_RESTRICTED_CONTENT_VIEWER

Business Intelligence Restricted Content Viewer: Read Privileges

Includes read-only privileges for non-planning data. Usually assigned to the user who is allowed only to read the data. By default, this role does not include private files permissions.

This role also grants authorizations for viewing analytic applications and use the data analyzer. It also grants authorization to view custom widgets.

Note
This role is only available for SAP Datasphere embedded customers.
BI Restricted Tenant Admin PROFILE:sap.epm:BI_RESTRICTED_TENANT_ADMIN

Business Intelligence Restricted Tenant Administrator: Full Privileges

Includes all task authorizations including predictive. It excludes task authorizations related to planning. Usually assigned to the BI system administrator to set up users and roles.

Grants authorizations to create, view, update or delete analytic applications, and use the data analyzer. This role also grants authorization to view custom widgets.

Users with this role have access to content even if Data Access Control settings have been applied to that content.

Note
This role is only available for SAP Datasphere embedded customers.

SAP Analytics Hub Roles

You can use the following SAP Analytics Cloud roles as templates for creating custom roles and then assign the custom roles to users. For more information, see Create Roles.

When you import role assignments from a CSV file or assign roles via the SAP Analytics Cloud REST API, you must use the following role IDs. For more information, see SAP Analytics Cloud REST API.

Role Role ID Description

Analytics Hub Admin

PROFILE:sap.epm:Analytics_Hub_Admin

Includes full assets and structure privileges. Usually assigned to the user who sets up the SAP Analytics Hub application. In addition, this user can perform all content management actions.

Analytics Hub Content Creator

PROFILE:sap.epm:HCP_Content_Creator

Includes all authorizations to read, create, update, delete, hide, validate, and reject assets in SAP Analytics Hub. Usually assigned to the user who creates and modifies assets.

Note
We recommend that you use the SAP Analytics Hub Content Creator role as a template to define two more specific roles for the content management. For more information about this recommendation, see Create Roles.

Analytics Hub Viewer

PROFILE:sap.epm:Analytics_Hub_Content_Viewer

Includes read-only privileges. Usually assigned to the user who is allowed only to read the assets.