Permissions
An administrator can select the individual permissions included in a custom role, including permissions for individual objects, such as specific dimensions.
You can assign permissions based on standard user roles, for example Admin or Viewer, but if some of your users don't fit any of the included standard roles, you can create custom roles with the exact permissions you choose.
If you want to assign permissions based on standard roles, see Standard Application Roles. To create custom roles, see Create Roles.
This help topic explains the permissions in detail.
Object-type permissions
For most SAP Analytics Cloud objects, permissions apply to all objects of a particular type. For example, if you grant a user the Read permission for Digital Boardroom objects, that user can open and view any Digital Boardroom presentations that have been shared with them.
- When assigning permissions for a custom role, permissions that belong to different license types may not be available to select. For example, if you chose the Planning Standard license type, the Planning Model permissions are not available, because those permissions are available only with the Planning Professional license type.
- The Business Intelligence Standard license permissions are a subset of the Planning Standard license permissions, which are a subset of the Planning Professional license permissions. For more information, see Features by License Type for Planning Models.
Permission | Meaning |
---|---|
Create | Permits creating new objects of this item type. Users need this permission to create stories and folders, upload data into a story, or upload other local files. If you grant users the Create object-type permission, be sure to also grant the Read object-type permission, so that users can access the objects they create. |
Read | Permits opening and viewing an item and its content. |
Update | Permits editing and updating existing items, including the structure of models and dimensions. Compare this permission with the Maintain permission, which doesn't allow changes to the data structure. Note: some object types need the Maintain permission to update data. See the Maintain entry. |
Delete | Permits deletion of the item. |
Execute | Permits executing the item to run a process. For example, running a simulation using a legacy Value Driver Tree, or acquiring data from a data source. |
Maintain | Permits the maintenance of data values, for example adding records to a model, without allowing changes to the actual data structure. Compare this permission with the Update permission, which does allow changes to the data structure. When granted on Dimension objects, permits updating of dimension members. When granted on Planning Model and Analytic Model objects, permits updating of both fact data and members of embedded (private) dimensions. When granted on Lifecycle objects, permits importing and exporting objects. When granted on Connection, the and pages are visible. When granted on Data Locking, permits the changing of a lock state for data slices. |
Share | Permits the sharing of the selected item type. |
Manage | Caution: This permission lets users manage content; for example, deleting content for any users, and resharing, copying, and moving content. It should therefore be granted only to system administrators. When granted on the User and Team objects, permits assigning users or teams to roles, and approving role assignment requests from users. When granted on Public Files and Private Files, permits full control over those files and folders. When granted on Deleted Files, permits reading and restoring of deleted files, including those that you don't own or did not delete. When granted on Catalog Administration, permits enabling and disabling of the Catalog tab on the Home page. By default, all administrators have this permission. Note: If a user has the Manage permission for a content space, and the user opens a file from that space, the user's rights are upgraded to full privileges. Example: Let's say a user shares a story with you with only read rights. However, this story is stored in the Public folder, and you have Manage rights on Public Files. If you open the story, your rights are automatically updated to full privileges. |
The following table lists the permissions that can be set for each object type.
Object Type | Permissions | Notes |
---|---|---|
Dimension | CRUD-M-- | Set the Maintain permission to permit adding members to a dimension without being able to change the actual definition. Set Update to allow changing the dimension definition itself. Note: On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name. |
Currency | CRUD---- | Lets users see and work with currency conversion tables. |
Planning Model | CRUDEM-- | Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges). Set Execute to enable planning features. |
Analytic Model | CRUD-M-- | Set the Maintain permission to permit adding records of data to a model without being able to change the actual structure. Set Update to allow changing the model structure itself; that is, changing the actual definition of the dimensions (like adding new members or extending date ranges). |
SAP Business Technology Platform (BTP) Data Source | ----E--- | Set the Execute permission to permit users to connect to and create models based on live SAP HANA data sources. We recommend that you enable this permission and the Execute permission for SAP BTP if you want to use both live data connections and import data connections. |
Other Data Sources | ----E--- | Set the Execute permission for users to see the Connections menu and import-data connections in the Connections list, and to permit users to create connections to on-premise, cloud, and live data sources. This permission is used together with the Connection permissions. We recommend that you enable this permission and the Execute permission for Other Data Sources if you want to use both live data connections and import data connections. |
Translation | CR-D---- | To access the Translation dashboard, you must have at least one of the permissions Create, Read, or Delete. Create: Lets you upload translations via XLIFF files, or review/edit from the translation dashboard. Read: Lets you download the source XLIFF files from the Translation dashboard in SAP Analytics Cloud. Delete: Lets you delete the translations. |
KPI | CRUDE-S- | The KPI object is deprecated. Permissions for KPI objects have no effect. |
Role | CRUD---- | Lets users access roles. |
User | CRUD---M | The Read permission lets you see a list of users in a dialog; for example, when choosing which users to share a story with, or when choosing users to add to a team. To see the user list in , you need the Read permission, plus one of the Create, Update, or Delete permissions. If you have only the Read permission, you won't be able to view that user list. Set the Manage permission to permit assigning users to roles, and approving role assignment requests from users. |
Team | CRUD---M | Set the Read permission to let users see the area. The Update permission lets you make changes to the Teams area. Set the Manage permission to permit assigning teams to roles. |
Activity Log | -R-D---- | Lets users access activity logs. |
Data Change Log | -R-D---- | Provides access to the area. Set the Read permission to permit displaying the audit report. Set the Read and Delete permissions for the appropriate model to permit downloading and deleting log entries. |
Lifecycle | -R---MS- | The Maintain permission allows you to access and import packages from the Content Network, and the Share permission allows you to export and manage packages in the Content Network. The Read permission provides access to the and areas. |
Connection | CRUD-M-- | These permissions let users create, read, update, and delete individual connections. You must also set the Execute permission on Other Data Sources for users to have access to the Connections area. The Maintain permission is required to make the and pages visible. Note that the Connections page shows only the connection objects that the user has permission for, or that have been shared with the user. On the Schedule Status page, the Refresh Now button and the Open Data Model link will only be accessible if the user has permission for the model. |
Public Files | CR-D---M | Permits access to public folders and files. For example, to be able to create stories, users need to have the Create permission. Set the Manage right for Public Files to let users access the System content folder on the left side of the Files page. In the System folder, users have full control over Public folders, Samples, and Input Forms on that tenant. Users also have the right to change the sharing permissions on the Public folder. |
Private Files | CR-D---M | Permits access to a user's private folders and files. For example, to be able to create stories, users need to have the Create permission. Set the Manage right for Private Files to let users access the System content folder on the left side of the Files page. In the System folder, users have full control over all private content on that tenant. For example, if someone leaves your organization, and has left behind some private content that you don't want to lose, a user with the Manage permission could access the private content, and move it or change ownership of it. |
Deleted Files | -------M | Set the Manage permission to give users the right to read and restore all deleted files from all users in the tenant. |
Ownership of Content | ----E--- | Users with the Execute permission can transfer the ownership of content to another user when a user is deleted or when using the Change Owner action from the Files page. |
System Information | -RU----- | Users with the Read permission can access the About area in the System menu. Users with the Update permission can access the Monitor, Administration, Synonym Definitions, and About areas in the System menu. |
Allocation Step | CRUDE--- | Users with the Execute permission can execute an allocation step in an allocation process. For more information, see the description for Allocation Process. |
Allocation Process | CRUDE--- | Users with the Execute permission can execute an allocation process in a story. To execute an allocation process, you need the Execute permission for the process and all its steps. |
Explorer | ----E--- | Set Execute to provide access to the Data Exploration mode in a story. |
Personal Data Acquisition | ----E--- | Users with the Execute permission can upload data from Excel or CSV files, and create point of interest data from imported Excel or CSV files. |
Legacy Value Driver Tree | CRUDE--- | Users with the Execute permission can run simulations using legacy value driver trees. |
Automated Discoveries | ----E--- | The Automated Discoveries permissions are deprecated, and have no effect. |
Digital Boardroom | CRUD--S- | Lets users access digital boardroom presentations. |
Analytics Hub Assets | CRUDE--- | Lets users access Analytics Hub assets. Users with the Execute permission can validate or reject draft assets sent for review. |
Analytics Hub Structures | CRUD---- | Lets users access Analytics Hub structures. |
Data Locking | CRUD-M-- | For users that need to configure driving dimensions and data locking ownership, set the Create, Read, Update, and Delete permissions. To change the state of a lock as a data lock owner, a user must have the Read and Maintain permissions. |
Data Action | CRUDE--- | Users with the Execute permission can run data actions; for example, in stories. |
Predictive Scenario | CRUD---- | Lets users create, read, update, and delete predictive models to find the one that gives the best predictions for the business question. |
Multi Action | CRUDE--- | Lets users work with and run multi actions. The Read permission lets users access the multi action start page and the Execute permission lets users run multi actions. See Automate a Planning and Predictive Workflow Using Multi Actions. |
Applications | CRUD---- | Lets users access analytic applications. |
Dataset | CR------ | Users with Read permission can read dataset content. Users with Create permission can create, read, edit, and delete datasets. |
Point of Interest | CRUD-M-- | Lets users access points of interest. The Maintain permission is included in some roles, but is currently not used. |
Schedule Publication | C------M | Lets users create schedules for publishing content. The Manage permission on Schedule Publication allows you to become the manager of the schedules available in the tenant. This means you can view or modify the schedules created for publishing stories and analytical applications. However, you cannot delete the schedule or modify the Distribution section and the File Type, and the option Include link to story. Note: As a prerequisite, you should have the Manage permission on Public and Private files to view the schedules of public or private content. |
Theme | CRUD---- | Lets users access themes for analytic applications. |
Data Analyzer | ----E--- | Lets users work with the data analyzer. |
Global Application Bookmark | CRUD--S- | Lets users access global bookmarks. |
Private Application Bookmark (Personal) | CRUD--S- | Lets users access private bookmarks. |
Private Application Bookmark (Others) | C------- | Lets users copy private bookmarks created by others with the analytic application. |
Discussion | CR------ | Users with Read permission can view and contribute to an existing discussion, and only the users with Create permission can start a new discussion. |
Comment | CR-D---- | Users with Read permission can only read the existing comments and like them. They should have Create permission to start a new thread or to add a comment to an existing thread, and Delete permission to delete a comment. |
Custom Widget | CRUD---- | Lets users access custom widgets in analytic applications. |
Validation Rule | CRUD---- | For users who need to configure validation rules, set the Create, Read, Update, and Delete permissions. This privilege requires the Planning Professional license. See Define Valid Member Combinations for Planning Using Validation Rules. |
Publish Content | ----E--- | Users with the Execute permission can publish content to the Catalog on the Home page. |
Catalog Administration | -------M | Set the Manage permission to let users enable and disable the Catalog on the Home page. By default, all administrators have this permission. |
Content Link | CRUD---- | Lets users access content outside of SAP Analytics Cloud. |
Workspace | -R-----M | Users with the Read permission can view workspaces they are assigned to. Set the Manage permission to let users manage a workspace. This means a user can manage the content in a workspace, assign teams to the workspace, and manage which users are assigned as workspace admins. |
Synonym Dictionary | CRUD---- | Lets users create, read, update, and delete synonyms for their terms. |
Private Insight | C------- | Lets users create insights. However, users can't edit or rename the insight in the file repository. |
Remote Repository Snapshot | C------- | Lets users save data change insights snapshots of analytic applications in the data repository configured via . |
Runtime Notification | C------- | Lets users send notifications at analytic application runtime. |
Private Insight | C------- | Lets users that are not allowed to create public or private files create private insights. |
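The following added example (not SAP code) shows how the mask notation and the cautions in the tables above can be turned into a review check for a custom role. The role dictionary format, the `is_admin_role` flag and the sample role are assumptions constructed for illustration; only the masks are copied from this page.

```python
# Added example. The role dictionary is a constructed format, not an SAP export or API.
PERMISSION_ORDER = ["Create", "Read", "Update", "Delete", "Execute", "Maintain", "Share", "Manage"]

# Masks copied from the object-type table on this page (subset).
ALLOWED_MASKS = {
    "Dimension": "CRUD-M--",
    "Public Files": "CR-D---M",
    "Deleted Files": "-------M",
    "KPI": "CRUDE-S-",
    "Automated Discoveries": "----E---",
}
DEPRECATED = {"KPI", "Automated Discoveries"}  # "have no effect" per the table


def decode_mask(mask):
    """Turn an 8-position mask such as 'CRUD-M--' into a set of permission names."""
    if len(mask) != 8 or any(c not in ("-", n[0]) for n, c in zip(PERMISSION_ORDER, mask)):
        raise ValueError(f"malformed permission mask: {mask!r}")
    return {n for n, c in zip(PERMISSION_ORDER, mask) if c != "-"}


def audit_role(role):
    """Return sorted (object_type, finding) pairs for one custom role."""
    findings = []
    for obj_type, granted in role["grants"].items():
        granted = set(granted)
        if obj_type not in ALLOWED_MASKS:
            findings.append((obj_type, "object type not in the copied table subset"))
            continue
        allowed = decode_mask(ALLOWED_MASKS[obj_type])
        for perm in sorted(granted - allowed):
            findings.append((obj_type, f"{perm} cannot be set on this object type"))
        # The Create entry says to grant Read as well so users can open what they create.
        if "Create" in granted and "Read" in allowed and "Read" not in granted:
            findings.append((obj_type, "Create granted without Read"))
        # The Manage entry says it should be granted only to system administrators.
        if "Manage" in granted and not role["is_admin_role"]:
            findings.append((obj_type, "Manage granted outside an administrator role"))
        if obj_type in DEPRECATED and granted:
            findings.append((obj_type, "grant on a deprecated object has no effect"))
    return sorted(findings)


# Constructed sample role.
SAMPLE_ROLE = {
    "name": "Regional Planner",
    "is_admin_role": False,
    "grants": {
        "Dimension": ["Read", "Maintain"],
        "Public Files": ["Create", "Manage"],
        "Deleted Files": ["Read"],
        "KPI": ["Read"],
    },
}
```

Calling `audit_role(SAMPLE_ROLE)` returns the findings for the sample role; extend `ALLOWED_MASKS` with the remaining rows of the table before using it on real role definitions.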
Individual object permissions
For some SAP Analytics Cloud objects, permissions can be applied to all objects of a particular type, or only to specific objects. For example, if you grant users the Delete permission for Dimension objects, those users can delete any dimensions they own.
To grant permissions only on specific dimensions, expand the Dimension row, and then use the check boxes on the individual dimension rows.
- Private dimension (also called embedded dimension) permissions are not inherited from the model. For example, if you create a model, and grant User A only the Read permission for that model, but User A has been granted the BI Content Creator role, User A will, by default, be able to edit and maintain the private dimensions within the model.
  The Read permission affects only the actions on the model itself. So for example, with Read permission, User A wouldn't be able to add new dimensions to the model or rename the model.
- If the object type allows individual object permissions, for example Dimension objects, then users need both of the following:
  - The object-type permission for the object
  - The individual object permission for the object; OR, the user is the owner of the object
  If the object type doesn't allow individual object permissions, for example Digital Boardroom objects, then users need just the object-type permission for the object.
- On the Roles page, when you expand Dimension to list individual dimensions, they are shown by dimension Description, not dimension Name.
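The rule in the list above can be written as a small decision function. This is an added example with constructed users and objects, not SAP code; the dictionary layout and all names are assumptions, and sharing is not modeled.

```python
# Added example: a constructed model of the rule on this page, not SAP code.
# Per the page, Dimension allows individual object permissions and
# Digital Boardroom does not.
PER_OBJECT_TYPES = {"Dimension"}


def is_allowed(user, obj, permission):
    """Type-level grant is always required; for per-object types the user also
    needs the individual object permission or must own the object."""
    if permission not in user["type_grants"].get(obj["type"], set()):
        return False
    if obj["type"] not in PER_OBJECT_TYPES:
        return True
    if obj["owner"] == user["name"]:
        return True
    return permission in user["object_grants"].get(obj["id"], set())


def explain(user, objects, permission):
    """Map each object id to the decision for one user and one permission."""
    return {o["id"]: is_allowed(user, o, permission) for o in objects}


# Constructed sample data.
OBJECTS = [
    {"id": "dim-region", "type": "Dimension", "owner": "alice"},
    {"id": "dim-product", "type": "Dimension", "owner": "bob"},
    {"id": "dim-account", "type": "Dimension", "owner": "carol"},
    {"id": "board-q3", "type": "Digital Boardroom", "owner": "carol"},
]
ALICE = {
    "name": "alice",
    "type_grants": {"Dimension": {"Read", "Delete"}, "Digital Boardroom": {"Read"}},
    "object_grants": {"dim-product": {"Read"}, "board-q3": {"Delete"}},
}
# Bob has a per-object grant and owns a dimension, but no Dimension type-level grant.
BOB = {
    "name": "bob",
    "type_grants": {"Digital Boardroom": {"Read"}},
    "object_grants": {"dim-region": {"Read"}},
}
```

`explain(BOB, OBJECTS, "Read")` shows that a per-object grant or ownership alone is not enough without the object-type permission, which is the case most often missed when reviewing role assignments.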
Assigning object permissions to users or teams, not roles
You can also assign individual object permissions to users or teams, instead of to roles. For details, see Share Files or Folders.