Responses to open questions from Tuesday (May 28) ASUG webcast on SAP Analytics Cloud for Administrator. Special thanks to our speaker, Harjeet Judge, SAP, for taking the time to respond to open questions.
Join us for our next SAP Analytics Cloud Webcast on June 25: BI: New Augmented Analytics Uses Cases
Does it support Ping identity management?
We support any SAML 2 provider and from what I’ve read Ping Identity is SAML 2 compliant.
MFA for Admins Only not for Users Available/Supported?
Multi-factor authentication is not just restricted for admins. Any user can authenticate using this option provided your custom IDP supports MFA.
If my ERP system is based on Cloud and my other SAP system is on premise then which authentication method would I be using, Cloud identity or SAML?
Not sure if I understand the full context of the question so my answer may be off. SAP Cloud Identity is just one example of a SAML identity provider. You could use other 3rd party cloud based IDP or use an on-premise IDP for setting up SAML authentication to SAC. If the objective is to build a connection from SAC to your cloud based ERP system and on-premise system using SAML, you would want to set up a common IDP. This IDP could be in the cloud or on-premise and should be the same one that is used by SAC. I didn’t cover connecting to source systems in my webinar.
Will this IDP have a specific naming convention?
Not really, but I do recall that the entityID of the IDP shouldn’t have special characters or spaces. The value for the EntityID should be visible in the metadata file you get from your IDP admin.
Could SAC support to apply the client’s password policy?
Yes. When using your custom IDP for authentication, the password policy will come from whatever is defined in your IDP.
What are all the Secure Hash Algorithms SAC supports?
We support SHA1, but I have used SHA256 with SAP Cloud Identity as the IDP. SHA256 didn’t work when I tried with ADFS in the past. We are working on providing support for SHA256.
Can we use SSO simultaneously with user password?
Not at the moment. As mentioned during the webinar, we are working on allowing the system owners access to SAC using the default authentication mechanism. This will be useful in the event a mistake is made during the SAML setup or if your custom SAML provider is down.
Is social sign-on used in corporate? I mean individual users will have to share their Gmail ID and password with basis and security team, if that is not the case how will the system validate?
Users don’t have to share the Gmail ID and password. In my setup, my Gmail account was linked to an existing account (created using my corporate email) in SAP Cloud Identity. The first time I try to authenticate using Social SSO, SAP Cloud Identity will ask me to link my Google account to an existing account that’s already in the system. Every IDP will have different implementation and some may not even support social SSO as an option.
Is IDP a separate system? Is it cloud based or on premise?
Yes, IDP is a separate system which can be used for authenticating to SAC. By default SAC will use a shared IDP, and users will authenticate using this shared IDP. To take advantage of some of the things I covered during the webinar, it’s required to use a custom IDP. This custom IDP could be Cloud based or on-premise.
I think Kerberos has no SAML support for Cloud Identity to access SAC. Only ADFS Identity Provider.
That’s correct. Kerberos is an intranet protocol and only meant for use within a corporate environment and typically used with ADFS. The point I was trying to make was that we could bypass the login screen from the IDP if it is configured for Kerberos or Client Cert authentication. SAP Cloud Identity can work with Client Cert authentication to offer a similar SSO experience.
In Dynamic User Creation, How do we manage Roles?
Roles should already be created in the system. As demonstrated during the webinar, dynamic user creation allows mapping certain SAML attributes to roles and teams. This way when the user is first created, they would be assigned roles/team based on those SAML attributes.
In case of dynamic user creation, how are the roles assigned from all the available roles?
As demonstrated during the webinar, dynamic user creation allows mapping certain SAML attributes to roles and teams. This way when the user is first created, they would be assigned roles/team based on the values of those SAML attributes.
If SAML SSO is set up, can I still log on without SSO somehow?
Not at the moment. As mentioned during the webinar, we are working on allowing the system owners access to SAC using the default authentication mechanism. This will be useful in the event a mistake is made during the SAML setup or if your custom SAML provider is down.
Where can I check the concurrency in the system? In the content usage story we can check how many users were connected to SAC during specific day but not the concurrency we have in the system.
It’s hard to do that today with the Content Usage dashboard. A couple of things that prevent us from using the content usage dashboard:
- The TimeStamp field in SAC is too granular so if you plot a Time Series chart, the numbers will be aggregated at milliseconds level. Using the Date field only allows drill down to the day level.
- The activity models don’t expose the “Package” dimension which can be used to determine whether the login is from Named or Concurrent User.
The activity data can be exported to a CSV file and analyzed using Excel. Customers can do the same analysis on their own by filtering on Activity = Login. We can also determine whether the login events are from a Concurrent user or Named User by filtering on Package = bi_concurrent.
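The CSV analysis described in the answer above, as an added example (not from the webcast or from SAP): it filters an exported activity log on Activity = Login and Package = bi_concurrent, then rolls the millisecond timestamps up to hourly buckets. Distinct logins per hour only approximate concurrency; the "User Name" column, the timestamp layout, the "bi_named" value and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an exported activity log. "Activity", "Package" and
# "TimeStamp" are the fields named in the answer; the "User Name" column and
# the timestamp layout are assumptions about the export format.
SAMPLE_EXPORT = """User Name,Activity,Package,TimeStamp
ALICE,Login,bi_concurrent,2019-05-28 09:01:12.431
BOB,Login,bi_concurrent,2019-05-28 09:17:45.002
ALICE,Login,bi_concurrent,2019-05-28 09:48:03.950
CAROL,Login,bi_named,2019-05-28 09:30:00.120
BOB,Open,bi_concurrent,2019-05-28 09:18:10.500
DAVE,Login,bi_concurrent,2019-05-28 10:05:33.777
"""


def logins_per_hour(csv_text, package="bi_concurrent"):
    """Count distinct users with a Login event per hour for one package."""
    users = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Activity"].strip() != "Login":
            continue  # ignore non-login activity rows
        if row["Package"].strip() != package:
            continue  # keep only the requested license package
        ts = datetime.strptime(row["TimeStamp"].strip(), "%Y-%m-%d %H:%M:%S.%f")
        # Roll the millisecond timestamp up to the start of its hour.
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        # A set de-duplicates repeated logins by the same user in one hour.
        users[bucket].add(row["User Name"].strip().upper())
    return {b.strftime("%Y-%m-%d %H:00"): len(u) for b, u in sorted(users.items())}


def peak_hour(counts):
    """Return the (hour, distinct_users) pair with the most logins, or None."""
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    per_hour = logins_per_hour(SAMPLE_EXPORT)
    for hour, n in per_hour.items():
        print(hour, n)
    print("peak:", peak_hour(per_hour))
```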
Can we assign teams during the import of users?
This is not possible using the import users from csv option. Use SCIM APIs or dynamic user creation option instead.
What are Business Intelligence – Concurrent licenses?
Customers can purchase either named user or concurrent user licenses for SAC. Please see
Hi, can you share some details about the relationship between the “Read&Write access” in a model and the “Roles”? For example, will a user’s roles overwrite the “Read&Write” access in a model that is assigned to this user? Thanks.
Roles in SAC control application privileges and can also be used to define data security on models. When creating the role, I can decide whether to allow the option to Read/Write access on models. This setting will dictate whether a user assigned this role can read/write data from any model in the system. Without this application privilege at the role, the user will not be able to read/write data from a model, even if I explicitly grant data access control to specific models after. The beginning part of this article should explain this:
To create new users, I see in our tenant that we can also use Active Directory to import users. Is this option just to import *ALL* AD users, or can it be refined to a specific AD group that’s defined specifically for SAC users?
This option is deprecated. It’s just as easy to do a one-time export of users to a CSV file and import the users in SAC from this file. To use the option, customers also have to set up SAP Cloud Connector to open a secure tunnel between SAC and the on-premise AD system.
Using dynamic user creation, a user may create multiple entries if there is a spelling mistake in typing the user name. How do we prevent that if we are using dynamic user creation so that there are no duplicate IDs created for the same user?
This won’t happen. The users are created based on the nameID field in the SAML assertion – not what they type during login. I have to first authenticate to the IDP using my correct credentials, before the dynamic user creation will happen. If I type the wrong username, I won’t be authenticated to the IDP and the user creation workflow won’t kick in.
Good Morning from Germany, is it possible to customize the message sent to new users after creating a new user?
Not yet. Notifications is a bigger topic and we are looking at options on how to provide more control to the admin as to what notifications are sent to users.
Can we check in the administration part who is connected to our SAC tenant? And what they are running?
Not available in Administration UI. The content usage dashboards have some information about usage activity.
If you assign a new user to a team, and assign that team a BI Content Viewer role… should the new user inherit the BI Content Viewer role? Is there any reason why the new user would not get that role?
Yes, this is what I would expect. The users page may not reflect the role assignment done through teams.
For a public dimension, can you upload from a CSV file? Specifically, can you upload the Read or Write users if that option is turned on?
Yes, we can just copy and paste from csv/excel file read/write access to public dimension. As mentioned in my answer to the earlier question, the read/write columns for public dimensions will only be visible in the dimension if “Enable Access Control” is enabled for the dimension from within a model where the dimension is used.
What happens with the public dimension when we do such data controls? Is it possible for public dimensions too?
Yes, it’s possible to set up data access control on public dimensions. Any model that uses that dimension will have the access restriction applied. The UI to apply the access control to dimensions is only possible by going through the modeler. “Enable Access Control” should be enabled for the dimension through the modeler. Doing this directly from Browse >> Dimension is not possible directly unless the access control option is enabled in the modeler for the dimension.
How to restrict data access in a story? i.e. each region manager can only be able to see his/her region data.
Covered in slides 12 to 14 in the deck.
Can you map into the system existing Windows AD authentication group accounts instead of creating groups manually?
Users and teams (groups) can be created using SCIM APIs using a custom application.
Can you audit comments? Can you track changes on comments?
Not today. Comments are not tracked activities. Track changes feature only works for data level changes to models/dimensions and doesn’t track changes to comments.
How to restrict a user to see table cell comment?
Not available today. The user will see the comments if they have access to the context of the cell comment. See
While using BPC integrated with SAC as a import scenario, how do the SAC roles work? Do they overlap the BPC authorizations?
When importing the data, authorizations of the BPC user running the import will be used. Once the data is inside SAC model, data access controls would have to be set in SAC using users/roles/teams.
Will it be possible to group teams, in order to provide some visibility? At our organisation we have something like 50 teams (end users, key users...). Would be great to have a sort of grouping etc.
The concept of nested teams (hierarchical team) is a much asked for requirement from our customers. It’s not available yet, but is in our backlog. Please add your votes to existing enhancement request logged for this:
Is it possible to enable SSO?
Yes – SSO is possible if using a custom SAML IDP. Will have to set up Kerberos or Client Certificate authentication to bypass the IDP login screen to offer seamless SSO to SAC.
Is there a way to assign users to a Team automatically?
Yes, using SAML attribute mapping to teams. This was covered during the webinar.
Is it possible to import users from BO CMC?
Not directly. You could create an application that reads users from the BI4 system and writes them to SAC using SCIM APIs.
Can we import Data access profiles from BPC to SAC?
Not possible today to import data level security from any source system, including BPC.
Would you say that these roles will replace the Role Based Permissions for the report center in SAP SuccessFactors?
Not an expert in this area. It’s better to check with a member of the SuccessFactors team.
In what session can we learn more about setting up the live, BPC, and SAP connections to SAC?
There will be an openSAP course covering this topic in detail. The course will be launched in the coming weeks.