Day 3: Setting Up Role Requesting and a Default Role

As discussed in the last blog, we will be covering the role requesting functionality in SAP Analytics Cloud (SAC). This will include how to enable a role to be requestable by a user, to setup the users that will be responsible for role request management, and to respond to role requests. Additionally, we will discuss the setup a default role and it’s value in a least privileges environment.

Bridging to the previous blog’s content, lets begin by covering role requesting. In SAC, role requesting gives users a self-service option to request access to additional functionality, as defined by the administrators. Jumping into the setup of this feature, navigate to the roles page. From there, select the Analytic_Modelling role that was created in the last blog, or select another role which you would like to setup for self-service. Once in the permissions page for the role, click the settings icon in the upper right corner. In the settings dialogue window, there is an Enable Self-Service option; click the check-box to enable it. Additionally, there is the Approver options listed. For now, select Other User, open the Select Approver option, and select your Admin users. This is allowing us to specify which users are able to approve role requests. For now, save the role and we can explore how users access this functionality.

Navigating back to the home screen, lets see how other users will be able to use the role requesting feature. In this next section, I will be explaining this functionality through the perspective of an admin user, so the Role Requests approval page that our user will be navigating through is not accessible to a user with a standard non-admin role. In the upper right corner, click your user’s profile picture. This will open a dropdown menu, exposing the Request Roles option. Select this to open a new dialogue window. The first option that is displayed is to make a selection on either Default Roles or Self Service Roles. For now, select Self Service Roles to display the list of roles that have been enabled for self-service. Select the role that was enabled, create an example comment so that the admin will understand why the request is being made, and send the request. The approver for this role will receive an email as well as a notification in the tenant to inform them that a user has requested a new role.

Now we will take the perspective of the approver by navigating to Security >> Requests from the main menu. In this page, admin users will be able to see a list of all the role requests that have been submitted, with details on who made the request, for which role, and why they requested it. To respond to a request, select the checkbox to the left of the request and select either approve or reject from the upper right corner. If approve is selected, the user that submitted the request will have the new role added to their list of roles in the user page, and they will receive a notification informing them that their role has been updated. If reject is selected, a new dialogue will open for the admin, allowing them to comment on why the request has been rejected. The user that submitted the request will also receive a notification of the rejection. That encapsulates the entirety of the role requesting process, which can be enabled for any number of roles.

Moving on to the next topic, we will quickly explore how to use a default role. Navigating back to the roles page, open the Basic_Story_Creator role that was created in the previous blog. Next, click on the setting icon in the upper right corner. In this menu, there is a Use as Default Role option. Turn this on, save the role, and then navigate back to the roles page. Notice that a Default tag is now displayed beside the role. Now that this has been enabled for a role, any new users that are created, who are not manually assigned a role, will automatically be assigned the Default Role. This allows the admins to ensure that new users will always receive the correct role.

In this blog, we explored the role requesting functionality, from the activation of this feature within a role to its consumption by the end user. Additionally, we discussed how a default role can be used to more easily manage the role that new users are assigned. In the next blog post, we’ll look at setting up SAML SSO and importing users into the tenant. Hopefully you found this content to be useful, please leave any questions or feedback that you may have in the comments, and make sure to look out for the next blog in the JF Tech SAC Administration series.

< Day 2