Page tree
Skip to end of metadata
Go to start of metadata

Webinar Recording

Webinar recording 25 Sept 2019

(warning) Warning - I present a slide in this webinar that is not entirely accurate and you should skips this part of the webinar.

To highlight the aspects that are incorrect please see this image:

The topic of assigning licenses is now thoroughly explained in a related wiki page

Users and Roles

  • A Role can contain many Users and a User can be in many Roles
  • Need to have multiple roles, because a single role can only consume:
    • 1 license type by application (Analytics Hub, BI, Planning Pro, Planning Standard)
    • 1 license type by user license (named user, concurrent session)

  • Roles are the only place where you can define ‘Application level rights’
  • Do NOT use the default roles. Always create custom roles (based on a copy of the default ones)
    • Default roles will get updated with new rights and the right may be enabled when this occurs
    • Using custom roles give you control over these new rights and it allows you to decide when they should be enabled, unlike using a default role.


  • A Team can contain multiple users and a user can belong to multiple Teams
  • Teams can have their own folder, but generally more problematic than beneficial

  • Top Tip – Use normal Public Folders, avoid Team Folders!
    • De-select the ‘Create Team Folder’ option when creating Teams
    • Teams cannot be exported or imported from one SAP Analytics Cloud Service to another (planned to be resolved with wave 2020.11. This wave will be included in the 2020 Q3 Quarterly Release)
    • The ‘root’ Team folder can only be shared by users within the team and not with anyone outside of the Team (resolved with wave 2020.07)

    • Team folders cannot be re-named, unlike normal Public Folders
      • (Teams can now be renamed from wave 2020.07. This wave will be included in the 2020 Q2 Quarterly Release Cycle Update)

Teams as Aggregator

  • Teams can ‘aggregate’ roles together!
  • If a Team or User is a member of multiple roles, they inherit the ‘Union’ of the roles rights
  • Top Tip - Use Teams to group your Roles

  • Top Tip - Include the team name in the teams description. Currently team names are not shown when sharing content, only the description is!
  • Currently a Team cannot be assigned to a Role defined as ‘Concurrent session’
    • You’ll need to add each user individually to the role
    • Or use the ‘User & Team Provisioning API’ to do the same

Rights Assignment

  • Rights are assigned to objects (folder/file) by: Teams and/or Users (not Roles)
  • The 'User A' will not inherit the rights to the folder because
    • folders can not be secured by roles
    • the user isn’t in the team
  • Just because a team is assigned to the role, doesn’t mean all users of the role (the team is a member of) inherit the teams’ rights to the folder

Mapping IdP User Attributes to Teams and Assigning Rights to Folders based off Teams

  • Map a User Attribute (within the Identify Provider (IdP)) to the Teams in SAP Analytics Cloud
    • This means the IdP defines who is a member of which Team
    • In general the number of teams, defined as user attributes in the IdP, is small and certainly much smaller than the number of SAP Analytics Cloud Roles
  • ŸTop Tip – Use your own IdP, you’ll need it for SSO to ‘Live’ data sources (see later)

  • Assign the Team to multiple roles

  • Assign the Folder rights to the team
  • Place rights on folders to benefit from inheritance (rather than on every file)

Use IdP for Seamless Single-Sign-On (SSO) for data sources

  • ŸSAML2 IdP ensures Seamless Single-Sign-On for connections to data sources (typically on-premise)
    • Typically needs to be the same IdP (or a federated IdP) for SAP Analytics Cloud as the Database
      • Exceptions: SAP S/4 Cloud, BI Platform
    • SAML is not the only option
      • X509 certificate and Kerberos or SAP Logon tokens are also possible if the database supports it
      • OAuth also supported for Cloud sources
  • Top Tip: ŸEnable “Dynamic User Creation” so users are automatically created in SAP Analytics Cloud!
    • No automatic deletion of users to keep their personal content safe

Public Folders

  • Organise Public Folders so to take advantage of inheritance rights
    • Not too deep! Users experience the structure!
    • Need to avoid too many clicks for the user
  • A folder per Project (or Line of Business)
    • The generic ‘Models’ folder generally isn’t suitable, as different models need to be secured differently. Storing all models in one folder means managing the security on every model individually
    • Models are best placed in each Projects folder so to benefit from folder security inheritance
    • Users will also be less confused. Makes more sense that Stories and Models are in the same place
  • Top Tip - Delete the system generated ‘Models’ folder
  • From wave 2019.13 (and the 2019 Q3 Quarterly Release) you can limit who can create content in the Public root \

Project Folder Setup

  • A typical Project will contain
    • 'Standard' content that everyone within the Project will need access too. This content is 'static' in general and 'approved' by 'IT' for standards, layout and performance etc.
    • Ad-hoc content. This is content the Business Users create and use. Once content here is identified as 'business critical', it should be managed by 'IT', brought up to standards (for layout and performance etc.) and then moved into the 'Standard' content area (potentially via a development environment beforehand)
    • Secure content. This is content that only a selected number of users within the Project have access too
  • Assign the rights as shown between Teams and Folders
  • Store the ‘standard’ models/stories/applications in the Project ‘root’ folder so to keep the number of clicks reduced
    • The 'Standard' sub-folder could be used, but using such a folder is unnecessary and just forces the user to have an additional click. So, best to collapse it into the 'root' of the Project Folder.
  • Use inheritance to your advantage
    • Avoid assigning rights on individual files or individuals
    • Assign rights to Teams and Folders only
  • ŸDenying rights
    • You can not explicitly ‘deny’ a right
    • Can only grant rights
    • So, remove the right to ‘All Users’ as required
  • Content, including models, can be searched on by name
  • So, a good naming convention is essential
    • For models, content (stories, applications) & folders
    • Users like ‘codes’ to ease searching (and it eases much confusion when dealing with 'IT')
    • Avoid long names as it clutters the interface

  • ŸTop tip
    • Filter the file types to exclude Models
    • It prevents users from seeing Models listed alongside other content, like Stories and Digital Boardrooms

In general, please  post your comments to the blog post that introduces this wiki page rather than directly here. Thank you

  • No labels