Create Roles

You can create custom roles if the standard application roles included with SAP Analytics Cloud do not fit your needs.

Custom roles are created by modifying standard application roles.
Note

You can't delete or save changes to the predefined standard roles.

Who Does This Apply To?

  • System administrators

Create Custom Roles

To create custom roles, you must modify an existing standard application role.

Context

Note
In this procedure, we use the Roles page to assign roles to users, but you can also assign roles on the Users page. Whether you create users first or roles first does not matter.

Procedure

  1. From the side navigation, go to Security > Roles, and choose (Add Role) to add a new row to the roles management table.
  2. In the Create a New Role dialog, enter a unique name for the role.
    Note
    Blanks are not allowed in the name.
  3. Select a license.

    The selected license will be given to all users assigned the role you create.

  4. Click Create.

    The role is created and a new page is displayed.

  5. Select a role template.
    The role templates are predefined standard roles associated with the license you selected. You can also start with a blank template, but using a standard application role is recommended, because standard roles are updated automatically when new features are added.
    After you select a template, the Permissions page appears, showing you the individual permissions defined for the role template you chose. If you chose a blank template, then all available permissions are unselected.
    Note

    To change the role template, select (Select Template), and choose a new role.

  6. Define the permissions for your new role for every activity – either for all objects of a business object type, or individually for every existing business object.

    For example, to define a user who is allowed to read all data change logs, select the check box in the Read column of the Data Change Log row. The permission is automatically passed on to all existing logs.

    For more information about permissions, see Permissions. For information about what permissions are included in a particular role, see Standard Application Roles.

    For information about creating Custom SAP Analytics Hub roles, see below.

  7. If you have already created users that should be assigned the new role, choose (Assign Role), select one or more users in the Assign Role to User dialog, and choose OK.

    All users that are currently assigned to the role appear in the Selected Users list along with any new users you select.

  8. Choose (Settings) to define the following options in the Settings dialog:
    • Enable Self-Service: If you activate this option, any business user can request this role for himself in the Request Roles dialog.
    • Use as Default Role: The default role is assigned to new users if no role is specified when users are imported or created.
    • Full Data Access: If you activate this option, any user who is assigned this role can see all the data of any model regardless of how the data access for the model is defined.
      Recommendation
      Grant full data access carefully and only to selected users.
  9. Decide which type of user should approve the role request:
    • Manager: The user assigned as a manager to the user requesting the role must approve the request.
      Note
      The manager is assigned to a user on the User page in the user management area.
    • Other Users: A specific user that you select from the dialog must approve the request.
  10. Save your new custom role.
    Note

    Custom roles will have IDs in the following format:

    PROFILE:<t.#>:<role_name> where t.# is the Content Namespace listed in System > Administration > System Configuration. You must use the role ID when importing role assignments from CSV or assigning roles via the User & Team Provisioning API.

    For more information, see Create Users or SAP Analytics Cloud User and Team Provisioning API.
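The role ID format from step 10 can be checked before a role-assignment CSV is imported. The following is an added example, not SAP code: the column names USER_ID and ROLES, the semicolon separator, the sample rows, and the exact shape of the namespace ("t." followed by letters or digits) are assumptions made for illustration.

```python
import csv
import io
import re

# Assumption: the Content Namespace is "t." plus letters/digits (the page writes "t.#").
NAMESPACE_RE = re.compile(r"t\.[A-Za-z0-9]+")


def build_role_id(namespace, role_name):
    """Return PROFILE:<namespace>:<role_name> for a custom role."""
    if not NAMESPACE_RE.fullmatch(namespace):
        raise ValueError(f"unexpected content namespace: {namespace!r}")
    # Blanks are not allowed in role names; rejecting ':' is an added
    # assumption, because ':' is the separator inside the role ID.
    if not role_name or ":" in role_name or any(c.isspace() for c in role_name):
        raise ValueError(f"invalid role name: {role_name!r}")
    return f"PROFILE:{namespace}:{role_name}"


def check_role_id(role_id, namespace):
    """Return a problem description, or None if the custom role ID is well formed."""
    parts = role_id.split(":")
    if len(parts) != 3 or parts[0] != "PROFILE":
        return "not in PROFILE:<t.#>:<role_name> form"
    if parts[1] != namespace:
        return f"namespace {parts[1]!r} differs from tenant namespace {namespace!r}"
    if not parts[2] or any(c.isspace() for c in parts[2]):
        return "role name is empty or contains blanks"
    return None


def audit_assignments(csv_text, namespace, role_column="ROLES", sep=";"):
    """Return (csv_line, user, role_id, problem) for every malformed role ID."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for role_id in filter(None, (r.strip() for r in row[role_column].split(sep))):
            problem = check_role_id(role_id, namespace)
            if problem:
                findings.append((line_no, row["USER_ID"], role_id, problem))
    return findings


# Constructed sample input: one valid row, one name with a blank,
# one wrong namespace plus a bare role name instead of a role ID.
SAMPLE_CSV = """USER_ID,ROLES
JDOE,PROFILE:t.2:Content_Editor
ASMITH,PROFILE:t.2:Content Validator
BLEE,PROFILE:t.9:Content_Editor;Content_Validator
"""

if __name__ == "__main__":
    for finding in audit_assignments(SAMPLE_CSV, "t.2"):
        print(finding)
```

The check covers only the custom-role ID format described in step 10, so any other ID form is reported as a finding for manual review.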

Create Custom SAP Analytics Hub Roles

You can ensure that there’s more control over the content’s lifecycle in SAP Analytics Hub. Instead of assigning the role of Content Creator to your users, which grants all content management authorizations, you can define two custom variants of this role. These two roles give different privileges, but they are interrelated.

You must have an SAP Analytics Hub license in order to grant the roles listed below.

Content Editor

Includes all authorizations to read, create, and update assets. Usually assigned to the user who provides content in SAP Analytics Hub.

When you create this custom role, set the permissions for the Analytics Hub Assets and Analytics Hub Structure rows as described below:

Name: Permissions
  • Analytics Hub Assets: Read, Create, Update
  • Analytics Hub Structure: Read
  • Team: Read
  • User: Read

Content Validator

Includes all authorizations to read assets, and to validate or reject draft assets sent for review that are created by Content Editors. Usually assigned to the user who has to check the quality of the content displayed in SAP Analytics Hub.

When you create this custom role, set the permissions for the Analytics Hub Assets and Analytics Hub Structure rows as described below:

Name: Permissions
  • Analytics Hub Assets: Read, Delete, Execute
  • Team: Read
  • User: Read

Note
To define the Content Validator permissions, you don’t need to check any permission related to the Analytics Hub row. For any role created (User or Team), Read access is mandatory.