Assign Roles to Users and Teams

There are multiple ways to assign roles to users and teams.

You can assign or update a user's role using the Users page. You can assign roles directly to muitiple users or teams. You can use a SAML mapping to assign roles to users. You can also assign SAP Analytics Hub roles dynamically. You can assign roles when importing users from a CSV file. You can also assign roles programatically.

Note

As a best practice for security, users should be assigned roles via teams, rather than individually.
If no role is assigned when users are created or imported, the default role is applied. For more information, see Set the Default Role.

Who Does This Apply To?

System adminstrators

Assigning a Role to Multiple Users and Teams

You can assign roles to multiple users and teams.

Procedure

From the side navigation, go to Security Roles.
Find the role that you want to assign.
At the bottom of the role box, click the link to change which users and teams the role will be assigned to.
(Optional) To assign a Concurrent Session License to the selected users and teams, select Concurrent Session License. A Concurrent Session License can be assigned to many users and teams, but only a limited number of users can be logged on at a time.

This option will only appear if you have purchased Concurrent Session Licenses. By default, User License is selected. For more information on license types, see Features by License Type for Analytic Models.
Note

A Concurrent Session License gives you a set number of user sessions. The license can be assigned to many users, but the number of simultaneous user sessions cannot exceed the number purchased.

Multiple browser windows consume multiple concurrent sessions, but multiple tabs in one browser window consume one concurrent session.

License threshold changes are enforced once a day. For example, if an administrator changes the concurrent user threshold count from 5 to 10, the number of concurrent users allowed in the system will still be 5, until the next day, when it is updated to 10 users.

Administrators can see the number of concurrent licenses being consumed in the System Monitor area.
Select one or more users and teams from the Available Members list.
Select OK.

Assigning or Updating an Individual User's Role

You can assign or update a user's role on the Users page.

Procedure

From the side navigation, go to Security Users.
Find the required user's row, and select the icon in the Roles column. A list of Available Roles will appear.
(Optional) To assign a Concurrent Session License to the selected user, select Concurrent Session License. A Concurrent Session License can be assigned to many users and teams, but only a limited number of users can be logged on at a time.

This option will only appear if you have purchased Concurrent Session Licenses. By default, User License is selected. For more information on license types, see Features by License Type for Analytic Models.
Note

A Concurrent Session License gives you a set number of user sessions. The license can be assigned to many users, but the number of simultaneous user sessions cannot exceed the number purchased.

Multiple browser windows consume multiple concurrent sessions, but multiple tabs in one browser window consume one concurrent session.

License threshold changes are enforced once a day. For example, if an administrator changes the concurrent user threshold count from 5 to 10, the number of concurrent users allowed in the system will still be 5, until the next day, when it is updated to 10 users.

Administrators can see the number of concurrent licenses being consumed in the System Monitor area.
Select one or more roles.
Select OK.

Mapping Roles Using SAML Attributes

You can create a SAML role mapping to automatically assign roles to users based on their SAML attributes.

Prerequisites

SAML needs to be enabled in SAP Analytics Cloud.
Your custom SAML Identity Provider (IdP) must be configured, and you should be able to log in to your tenant without problems.
Step 6 in Enable a Custom SAML Identity Provider must be completed.

Procedure

From the side navigation, go to Security Roles, and select a role to open it.
Select (Open SAML Role Mapping).

The Create SAML Mapping dialog appears.
Under Conditions, select a SAML Attribute, select a Condition, and enter a Value if required.
(Optional) Select (New mapping definition) to add additional mappings to the role assignment.
1. For each additional mapping, under Conditions, select a SAML Attribute, select a Condition, and enter a Value if required.
2. Under Conditions Logic, select AND or OR.
  If AND is selected, the conditions for all attributes must be met for the mapping to be applied. If OR is selected, the conditions for only one of the attributes must be met for the mapping to be applied.

Results

The selected role will be applied to all users who meet the specified conditions when logging onto SAP Analytics Cloud via SAML authentication. If the selected role was previously assigned to a user, but the user does not meet the specified conditions, the role will be revoked when the user logs in.

Assign SAP Analytics Hub Roles Dynamically

You can dynamically assign SAP Analytics Hub authorizations to roles in your system.

Prerequisites

You must have an SAP Analytics Hub license to grant SAP Analytics Hub authorizations to new and existing roles.

Your current system must also be subscribed to an SAP Analytics Hub system; to verify, check whether Analytics Hub is available from the product switch in the upper-right corner: .

Context

When creating a new role or using an existing role, you want to assign authorizations to read assets, at the very least. This role is typically assigned to a user who needs to work with content in SAP Analytics Hub.

Procedure

Dynamically assigning SAP Analytics Hub authorizations to an existing role

From the side navigation, go to Security Roles, and open an existing custom role.
Choose the Read authorization for Analytics Hub in the Analytics Hub Assets row.

Note
You cannot assign read authorization to Standard SAP Analytics Cloud roles.

Choose

(Settings) to define the following option in the Settings dialog:

Option	Description
Use as Default Role	The default role is assigned to new users if no role is specified when users are imported or created. You must select this option.

Save your changes.
Go back to the Roles page, and confirm that the role is set as a default role.

Dynamically assigning SAP Analytics Hub authorizations to a new role

From the side navigation, go to Security Roles, and choose (Add Role).
In the Create a New Role dialog, enter the role name.

Note
Blanks are not allowed in the role name.
Also select a License Type, and optionally, enter a description.
Click Create.

Define the permissions for your new role for every activity. Check the permissions for the Analytics Hub Assets for the new role:

Name	Minimal Required Permission
Analytics Hub Assets	Read

Choose

(Settings) to define the following option in the Settings dialog:

Option	Description
Use as Default Role	The default role is assigned to new users if no role is specified when users are imported or created. You must select this option.

Go back to the Roles page, and confirm that the role is set as a default role.

Assigning Roles When Importing Users

You can also assign roles during the import procedure from a CSV. For more information, see Create Users.

Assigning Roles Programmatically

You can assign roles programmatically using the User and Team Provisioning API. For more information, see SAP Analytics Cloud User and Team Provisioning API.