User Authorizations

For SAP Cloud Platform - Neo Environment

You use this feature to define a more granular access to SAP Asset Strategy and Performance Management business objects for users within your organization.
You can use the User Authorization app to:
  • Create an organizational hierarchy.

  • Assign the following to a node in the organizational hierarchy:
    • Users

    • Business Objects

    • Groups

  • Edit the organization hierarchy and its assigned objects.

  • Delete a node from the organizational hierarchy.

All the users assigned to a node in the organizational hierarchy have access to:
  • The business objects and groups assigned to the relevant node in the hierarchy.

  • The business objects and groups assigned to the subnodes of a relevant parent node in the organizational hierarchy.

Process Overview

  • Enable User authorization in Application Settings > General Application Settings > Organizational Configurations.

  • Create an organizational hierarchy for your organization in User Authorization app.
  • Assign SAP Asset Strategy and Performance Management users to the nodes in your organizational hierarchy in User Authorization app.

  • Assign business objects to the nodes in your organizational hierarchy in User Authorization app. You can:
    • Directly assign business objects to the nodes in your organizational hierarchy in User Authorization app.

    • Create a group in Groups app and assign business objects to this group, and then assign the group to a node in your organizational hierarchy in User Authorization app.

Example

Company B wants to provide a more granular access to business objects for their internal users, so that their users can only access business objects that are assigned to their area of responsibility.
  1. Authorized user at Company B enables user authorization in Application Settings > General Application Settings > Organizational Configurations.

  2. Authorized user at Company B creates an organizational hierarchy in User Authorization app:
    1. Create root node Company B.

    2. Create child node Company B > Germany.

    3. Create 2 child nodes Company B > Germany > Germany North and Company B > Germany > Germany South.

    4. Create a second child node under the root node Company B > Switzerland.

    5. Create 2 child nodes Company B > Switzerland > Switzerland North and Company B > Switzerland > Switzerland South.

  3. Authorized user at Company B assigns SAP Asset Strategy and Performance Management users to the respective nodes in the organizational hierarchy:

    1. Assign an admin user to the root node Company B and provide respective privileges, which the user is to have on the business objects

      Users assigned to the root node can access all of the business objects assigned to the child nodes with the maintained privilege.

    2. Assign other users to the respective nodes in the organizational structure and provide respective privileges the users are to have on the business objects.

      Users can be assigned to one or more nodes in the organizational structure. If a user is assigned to a node, which has further child nodes, the user can access the business objects assigned to the current node as well as all of the child nodes with the maintained privilege.

    Result: Authorized user of Company B created their organizational hierarchy and assigned SAP Asset Strategy and Performance Management users.

  4. Authorized user at Company B creates groups in Groups app.

    Create groups Germany, Germany - North, Germany - South, Switzerland, Switzerland - North, and Switzerland - South.
  5. Authorized user at Company B assigns business objects to the respective groups in Groups app.

    Assign business objects to groups Germany, Germany - North, Germany - South, Switzerland, Switzerland - North, and Switzerland - South.
  6. Authorized user at Company B assigns groups to relevant node in the organizational hierarchy in User Authorization app.

    1. Assign group Germany to node Company B > Germany.

    2. Assign group Germany - North to node Company B > Germany > Germany North.

    3. Assign group Germany - South to node Company B > Germany > Germany South.

    4. Assign group Switzerland to node Company B > Switzerland.

    5. Assign group Switzerland - North to node Company B > Switzerland > Switzerland North.

    6. Assign group Switzerland - South to node Company B > Switzerland > Switzerland South.

    Result:

    Authorized user of Company B assigned all relevant groups to the relevant nodes in the organizational hierarchy.

Example: Equipment 123 is part of group “Germany - North”, so only users who are part of authorization node “Company B - Germany North” can now view, edit, or delete this equipment. Equipment 456 has neither been assigned to any group nor directly assigned to a node in the authorization hierarchy, so all users of Company B with the EQUIPMENT_READ, EQUIPMENT_EDIT, or EQUIPMENT_DELETE role can view, edit, and delete this equipment.

For SAP Cloud Platform - Cloud Foundry Environment

You use this feature to define a more granular access to SAP Asset Strategy and Performance Management business objects for users within your organization.
You can use the User Authorization app to:
  • Create an organizational hierarchy.

  • Assign the following to a node in the organizational hierarchy:
    • Role Collections

    • Business Objects

    • Groups

  • Edit the organization hierarchy and its assigned objects.

  • Delete a node from the organizational hierarchy.

Role collections get assigned to one or more nodes in the organization hierarchy. Users who are part of a user group that is mapped to a role collection (which is assigned to a node in the organizational hierarchy) have access to:
  • The business objects and groups assigned to the relevant node in the hierarchy.

  • The business objects and groups assigned to the sub-nodes of a relevant parent node in the organizational hierarchy.

Prerequisites

The following objects and object relationships have been configured in SAP Cloud Platform Identity and SAP Cloud Platform Cockpit:
  • In SAP Cloud Platform Identity:
    • User groups created

    • Users assigned to user groups

  • In SAP Cloud Platform Cockpit:
    • Role Collections created

    • Mapping of User groups to Role Collections done

Process Overview

  • Enable User authorization in Application Settings > General Application Settings > Organizational Configurations.

  • Create an organizational hierarchy for your organization in User Authorization app.
  • Assign role collections to the nodes in your organizational hierarchy in User Authorization app.

  • Assign business objects to the nodes in your organizational hierarchy in User Authorization app. You can either directly assign business objects to the nodes in your organizational hierarchy in User Authorization app, or create a group in Groups app, assign business objects to this group, and then assign the group to a node in your organizational hierarchy in User Authorization app.

Example

Company B wants to provide a more granular access to business objects for their internal users, so that their users can only access business objects that are assigned to their area of responsibility. In the example:
  • Equipment 2 is to be visible for users assigned to Germany

  • Equipment 3 is to be visible for users assigned to Germany - North

  • Equipment 3 and 4 are to be visible for users assigned to Germany - South

  • Equipment 5 is to be visible for users assigned to Switzerland

  • Equipment 6 is to be visible for users assigned to Switzerland - North

  • Equipment 7 is to be visible for users assigned to Switzerland - South

  • Equipment 1 is to be visible for all areas

  1. Authorized user at Company B enables user authorization in Application Settings > General Application Settings > Organizational Configurations.

  2. Authorized user at Company B creates an organizational hierarchy in User Authorization app:
    1. Create root node Company B.

    2. Create child node Company B > Germany.

    3. Create 2 child nodes Company B > Germany > Germany North and Company B > Germany > Germany South.

    4. Create a second child node under the root node Company B > Switzerland.

    5. Create 2 child nodes Company B > Switzerland > Switzerland North and Company B > Switzerland > Switzerland South.

  3. Authorized user at Company B assigns role collections to the respective nodes in the organizational hierarchy:

    1. Assign an admin role collection (= role collection to which your admin user group is assigned) to the root node Company B and provide respective privileges, which the user is to have on the business objects

      Users assigned to the user group which is mapped to the role collection that is assigned to the root node can access all of the business objects assigned to the child nodes with the maintained privilege.

    2. Assign other role collections to the respective nodes in the organizational structure and provide respective privileges the users in the associated user group are to have on the business objects.

      Role collections can be assigned to one or more nodes in the organizational structure. If a role collection is assigned to a node, which has further child nodes, the users in the associated user group can access the business objects assigned to the current node as well as all of the child nodes with the maintained privilege.

    Result: Authorized user of Company B created their organizational hierarchy and assigned role collections.

  4. Authorized user at Company B assigns equipment to the relevant nodes in the organizational hierarchy in User Authorization app.

    1. Assign Equipment 1, 2, 5, and 8 to node Company B > Germany.

    2. Assign Equipment 6 and 7 to node Company B > Germany > Germany South.

    3. Assign Equipment 3, 4, and 8 to node Company B > Switzerland.

    Result:

    Authorized user of Company B assigned all relevant business objects to the relevant nodes in the organizational hierarchy.

Example: Equipment 2 was assigned to hierarchy node Company B Germany, so only users who belong to a user group that is mapped to the role collections assigned to hierarchy node Company B Germany and have the EQUIPMENT_READ, EQUIPMENT_EDIT, or EQUIPMENT_DELETE privilege can now view, edit, or delete this equipment.

Equipment 10 was neither directly assigned to a node in the authorization hierarchy nor belongs to any group that is assigned to a node in the authorization hierarchy, so all users of Company B with the EQUIPMENT_READ, EQUIPMENT_EDIT, or EQUIPMENT_DELETE privilege can view, edit, or delete this equipment.
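
The access rule described in both the Neo and the Cloud Foundry sections (access flows from a node down to its subnodes, and objects outside the hierarchy stay open to every holder of the application role) can be modeled as follows. This is an added illustration, not SAP code or an SAP API: all function and variable names, the sample users, and the object assignments are constructed, and it assumes that for an object inside the hierarchy the privilege maintained on the node assignment is the only check.

```python
# Added illustration, not SAP code. All names below are hypothetical.
# child -> parent: the Company B hierarchy from the examples above
PARENT = {
    "Germany": "Company B", "Switzerland": "Company B",
    "Germany North": "Germany", "Germany South": "Germany",
    "Switzerland North": "Switzerland", "Switzerland South": "Switzerland",
}
# Constructed sample: objects assigned to a node, directly or through a group
NODE_OBJECTS = {
    "Germany": {"Equipment 2"},
    "Germany North": {"Equipment 123"},
    "Switzerland": {"Equipment 5"},
}
# Constructed sample: principal -> {node: privileges maintained on that node}.
# A principal is a user (Neo) or a role collection (Cloud Foundry).
ASSIGNMENTS = {
    "admin": {"Company B": {"READ", "EDIT", "DELETE"}},
    "de_planner": {"Germany": {"READ", "EDIT"}},
    "ch_north_viewer": {"Switzerland North": {"READ"}},
}
ALL_OBJECTS = {"Equipment 2", "Equipment 5", "Equipment 123", "Equipment 456"}

def node_and_ancestors(node):
    """Yield the node itself, then each parent up to the root."""
    while node is not None:
        yield node
        node = PARENT.get(node)

def owning_nodes(obj):
    return {n for n, objs in NODE_OBJECTS.items() if obj in objs}

def can_access(principal, obj, privilege, roles=frozenset()):
    """privilege is READ, EDIT or DELETE; roles holds names like EQUIPMENT_READ."""
    nodes = owning_nodes(obj)
    if not nodes:
        # Object is outside the hierarchy: only the application role decides.
        return f"EQUIPMENT_{privilege}" in roles
    grants = ASSIGNMENTS.get(principal, {})
    # Access flows downward: a grant on the owning node or any ancestor counts.
    return any(privilege in grants.get(a, set())
               for n in nodes for a in node_and_ancestors(n))

def unrestricted(objects):
    """Audit helper: objects no node covers, so the hierarchy does not limit them."""
    return sorted(o for o in objects if not owning_nodes(o))

if __name__ == "__main__":
    print("unrestricted objects:", unrestricted(ALL_OBJECTS))
```

Running the audit helper over a full object inventory after enabling user authorization shows which business objects are still reachable by every role holder because nobody assigned them to a node or group.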