Day 1: Creating Admins and Power Users
This week’s blog will cover how to create a new role and assign it to a user. Roles are how tenant administrators can define which product features specific user types will be able to access in SAP Analytics Cloud (SAC). It is important to note that the features are all related to specific license types, so be diligent when reviewing and assigning a custom role (to ensure that it does not breach your licensing agreement).
When your new tenant has been provisioned, you will receive an email with activation content for SAC; the first line reads “Welcome to SAP Analytics Cloud”. Click on the SAP SAC URL, complete the SAML setup, and login to the tenant. The first thing that we will do is create another admin user. The rationale for creating a second admin user as our first action is to ensure that we have a safety net in place. This way, if either Adrian Westmoreland or I happen to be unavailable for any reason, at least one of us will still be able to access all of the admin level privileges.
From the main menu, navigate to Security >> Users and click the add users icon in the top right corner. Since this user will be for Adrian, we’ll populate the First name, Last name, Display name, and Email fields with his information. The User ID field is just a unique identifier for the user within the tenant, so we’ll make it ADRIAN for consistency sake. Finally, the new user needs to be assigned an Admin role. From the Roles cell, click the pop-up icon to open the role selection window. The BI_Admin role is listed near the top of the list, which we’ll select and then hit OK. After doing a double check to ensure the information is filled out correctly, save the changes, which will automatically send an activation email to Adrian.
The next thing that we’ll be doing for our deployment is creating a new role for our power users that are looking to get started with SAC. Power User #1 and Power User #2 are management level employees who to want to be able to manage their team in SAC and create content for them to consume. While the pre-packaged roles could be used when assigning a role to a user, we would recommend that admins create custom roles based on their landscape’s security requirements. Since the requirements for our deployment adhere to least privileges, we must create new roles as the pre-packaged content does not meet this need.
With these requirements in mind, navigate into the Security >> Roles section to begin defining a new role. Click on the “create a new role” icon, enter BI_Power_User as the name, and navigated into the permissions section for the new role. Selecting the template icon in the upper right corner brings up a dialogue window listing all of the pre-packaged SAC roles. BI Content Creator is probably a good starting point as we know that we want these users to be creating content for others to consume. Make the selection and watch as permissions get enabled for the new role.
Notice that there are administration permissions that are toggled on for this template. For team permissions, these users will need more than just read privileges since they want to create and manage their own teams. With this in mind, turn on the ability for this role to create, update, and delete teams, along with keeping read privileges on.
The next admin level functionality to turn off for this role is under the connections row. The users should have the ability to create connections to data sources, but they should not be able to delete already established connections so we’ll turn off that functionality. Finally, their model level permissions must be limited. This user should be able to create and maintain their own analytic models, but they should only be able to read and edit other users’ models if it has been approved by an Admin. To achieve this, toggle off read, update, and delete privileges for analytic models. This means that any new models that are created will not be automatically shared with this role, allowing Adrian and I to manage which models are publicly accessible within the tenant. Now that we’re happy with the permissions for this role, we’ll save it and assign it to the new power users knowing that we can return and update the permissions at any time. Below you can see an image of the final version of the custom role permissions. Note that we could also assign this role to users by clicking the key icon in the upper right hand corner. This will bring up a role assignment dialogue window where we can assign this specific role to users that have already been created.
In this first blog on administration in SAC, we covered topics around creating a new role, such as leveraging templates to quickly assign permissions and beginning to read the permissions page in a role. In addition, we discussed how to assign a role to a user, both from the users page and from the roles page. Hopefully you found this content to be useful, and make sure to look out for the next blog in the JF Tech SAC Administration series.