This week’s blog will teach SAP Analytics Cloud (SAC) users how to create content creator and modeler role in a least privileges environment. In addition, we will be creating these roles in the context of leveraging SAC’s role requesting feature. Once again, it is important to note that the features are all related to specific License Types, so be diligent when reviewing and assigning a custom role (to ensure that it does not breach your licensing agreement).
Picking up where the first blog left off, we will once again explore the Roles functionality in SAC. With the power user role created and assigned, the next thing to do is create the content creator and modeler roles to support the power users. Starting off with the content creator, navigate to Security >> Roles from the main menu. Create a new role and assign it a name; we decided on Basic_Story_Creator for our tenant. Instead of starting with a template, we will work from scratch to assign permissions to this role. Starting from the top of the page, turn on read privileges for Dimensions. This row allows admins to define which public Dimensions a role can view, as well as how else they can interact with them. Unlike for the power user role created in the first blog, leave all of the permissions for the Analytic Model row turned off. Create is toggled off in this case since this role should not be given modelling rights, and having the rest of the model permissions toggled off will allow admins to manage model specific rights more easily in the future.
It is important to remember to turn on read permissions for Users as this will allow users to leverage the collaboration functionality within SAC. If it is turned off, they will be unable to search for users to start a discussion. The next privileges to enable are read privileges for Event Category and Event Process. This will allow users to consume the events functionality, but will not allow them to create new events or tasks. Also, turn on read privileges for public files and all privileges for private files. The reason for limiting privileges for public files is to ensure that the admins, and other specifically defined users, can manage the public repository and only have key information shared there. Turning on all privileges for private files will simply allow users with this role to create and manage their own stories. The last final rows to enable for this role are Explorer and Personal Data Acquisition. By turning on execute for these functionalities, this role will be able to access the data exploration view in stories and upload personal data files, such as .csv and .xlsx. This is a good starting point for this role, so save it and we can get started on creating the modeler role.
Once again, navigate to the Roles page from the main menu and create a new role. Select an appropriate name for it, we decided on Analytics_Modelling, and click OK. Just like for the content creator role, there’s no need to leverage an existing template since there are only a few permissions to toggle on. Beginning with the Dimensions row, turn on all of the permissions, except for delete. This will allow the role to create and maintain any public dimensions, but keeps the deletion rights with the administrators. Next, turn on the create permission for Analytic Model, as well as execute permission for HANA Cloud Platform Datasource and Other Datasources. This role will now be able to leverage data connections that have been established by the administrators and power users to create analytic models. Finally, toggle on all privileges for Private Files, and save this role. Since we want to leverage the self-service functionality for this role, it is best to keep the number of permissions to a minimum so that it can function additively with the content creator role.
In this blog, the second around the topic of role creation, we further explored role permissions through the creation of two new roles: Basic_Story_Creator and Analytics_Modelling. In the next blog post, we’ll explore how these roles can be leveraged through the self-service functionality in SAC. Hopefully you found this content to be useful, and make sure to look out for the next blog in the JF Tech SAC Administration series.