SAP Analytics Cloud – Managing Licenses with Roles and Teams
What is the best way to manage license assignment with SAP Analytics Cloud? And how exactly do you assign an Analytics Hub ‘named user’ license with a Business Intelligence ‘concurrent session’ license to the same user?
These questions and many more are addressed in my article ‘Managing Licenses with Roles and Teams’. My article is key to eliminating misconceptions, such as incorrectly believing a role or team has a license type. They don’t and there’s no such thing as a ‘named user role’, or a ‘concurrent session team’.
I detail 3 workflows for assigning licenses of which the last enables an automated means of assigning concurrent session licenses, so no manual or repetitive steps are needed.
There are, sadly, multiple ‘gotchas’ and I explain these in detail so you can avoid them. For you to start off on the right foot and avoid any re-work, I’ve summarised my recommendations in a list of ‘Best Practices’.
My article is packed full of handy information that any SAP Analytics Cloud administrator would want to know, and I’ve answered many FAQs directly in the article. I’ve also added a few tips!
You can access my article in the wiki. (version 1.2.2)
Your feedback is most welcome. Before posting a question, please do read the article carefully and take note of any replies I’ve made to others. Please hit the ‘like’ button on this article or comments to indicate its usefulness.
Matthew Shaw @MattShaw_on_BI
December 2021: The article has been updated to version 1.2 and the updates are summarised in a new blog post this includes details of a temporary problem related to the removal of concurrent session licenses and how to workaround the problem.
When will we see when users last logged in or used a license? The removal of obsolete users or capabilities is not manageable
Top notch material as always! Must read for anyone looking to administer SAC system.
What a great article! Lots of very useful information.
Will the assignment of Named and Concurrent session licenses ever be moved into the Menu - Security - User section rather than Roles? It seems confusing that this assignment is a user level property but must be assigned through an (optional) role assignment.
Hello Chris, This feedback echo's what I've already passed on to our development team. Its fully understood that its not ideal and we need to make improvements. I think first to come will be improvements with team membership in that 'menu-security-users' section. Nothing yet decided I understand, but I hope we see some improvements in this area soon. Keep the feedback coming! Thanks again Matthew
Thanks a lot for your response to my question on the blog https://blogs.sap.com/2019/06/21/sap-analytics-cloud-security-concepts-and-best-practice/comment-page-1/#comment-527414
We would be implementing a concept where only the IT gets Named licenses and all the users work with concurrent session licenses. We don't plan to use Planning and Analytics Hub as of now.
Coming back to my second question and your answer:
Q2 “Assign a Role to the User directly as an inheritance via TEAMS is not possible in an “Only Concurrent” scenario”
A2: Incorrect. Inheritance via a team makes no difference to the type of license a user consumes. You can have teams with members that are concurrent and also named. But watch out for gotchas!
For me the missing link still is the assignment of a Role to a Team of only "BI Concurrent Sessions License" Users. As you yourself mention in Workflow 2 - Point 7, this is not possible as of today. SAP suggested a very time-consuming workaround here - https://launchpad.support.sap.com/#/notes/2963404
Given this gap, how can it ensured that a set of Application Rights(Roles) are assigned to a specific Team where all users will be consuming a BI Concurrent Session license?
Question: how can it ensured that a set of Application Rights(Roles) are assigned to a specific Team where all users will be consuming a BI Concurrent Session license?
Answer: I guess it depends on what you mean by 'ensure'. Perhaps the answer for you is 'no, you can't setup the environment in a way that always guarantees that members of a particular team are concurrent'. There's no such thing as a 'concurrent team'. It has to be a two step process, firstly determine who is in the team, then for each member of that team determine their license type. It requires a 'check' or a 'monitor'. There's no harm using the SCIM API to check and perform this function for you, but you'd need to develop and write that yourself, SAP doesn't provide a solution here. I guess this is what you're after? Perhaps another handy thing, would be for the 'SAC Usage Content' to expose, for each user, the license type (I don't think it does today).
Thanks for the reply. I get your point that there is nothing like a "Concurrent Team". I will try to frame my question differently.
In the section "Best practices in SAC when having BI Concurrent Session licenses), you mention the following:
Use Teams to group roles together
That means BI concurrent sessions users cannot inherit their roles via Team(s). This consequently means Teams cannot be used as an aggregator of Roles as you mention here below.
Is there a way that I can use Teams to aggregate roles for Users consuming Concurrent Session licenses? According to me, this is exactly the product limitation described in https://launchpad.support.sap.com/#/notes/2791129
I think I see your question now.
So the section of the article you're referring to is the 'Best Practice' section. Here I'm saying that its best practice to have a 'default' role defined and that 'default' role would be set so that users (as they added to it) are set the 'concurrent' license. Its only this role that 'needs' to be assigned directly for users of type 'User G'. Other users don't need to inherit any role directly, they can inherit roles via teams. Even users of type 'User G' can inherit roles via teams.
Don't read "Only Business Intelligence ‘concurrent sessions’ users need to be assigned a role directly." as an overall rule. Its just in the context of the best practice when setting up a 'default' role which assigns 'concurrent' to users as they are granted that role. Its the way in which the 'default' role and the license assignment makes this role assignment necessary. Its not necessary from other point of view.
No users, even users assigned (or to be assigned) a 'concurrent' license, need to inherit any role directly. i.e. Users with a concurrent license do NOT need to inherit any role directly, its just necessary (needed) if you're following the best practice of using a 'default' role. Using a default' role saves administrators from having to manually edit or add the license type for the 'masses'. Administrators only need to add 'named users' to teams (typically granting them more 'expert' rights/roles) and this (depending upon the workflow) change their license to named.
So a team can most certainly contain users that are assigned both 'concurrent' and 'named' and that same team can be a member of many roles.
Complicated stuff! Does this help?
thanks again for your reply and effort to clarify the context. I do understand the need and application of Default role. My question is specific to Workflow 2 - Step 7. I will try to illustrate it with an example:
Lets assume User G has been created with a Default Role G.
I add the user manually or with the API to TEAM G. Now I wish to assign a newly created BI Role Z to TEAM G so that User G and other concurrent session users in TEAM G inherit Role Z automatically.
I would proceed as you mentioned in Workflow 2 - Step 7 by selecting Role Z.
7. Select the ‘Concurrent Session license’ radio button
But due to the product limitation, I cannot assign Role Z to TEAM G. This is a limitation and am just wondering whether there is a workaround I am missing.
Thanks for your effort once again!
We're getting there. So you need this FAQ https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Managing+Licenses+with+Roles+and+Teams#SAPAnalyticsCloudManagingLicenseswithRolesandTeams-Q.ForBusinessIntelligenceRoles,whyarenoTeamslistedunderthe%E2%80%98ConcurrentSessionLicense%E2%80%99tab?
Where I say
somehow missed the FAQs in my conquest to decrypt the SAC Security concepts! Thanks a lot for your valuable input.
I hereby rest my case.
Thanks for this blog, very interesting
This may not be the correct place to ask the question, however i'm keen understand how we can accurately report on the number if licences currently assigned. I can see a number of options within SAC that show usage, etc but what I really need (and it may be out there somewhere) is something that shows we how many Concurrent & Named licences have been assigned and how many of these have been used on a day by day basis.
We need to understand how close we are to reaching our current limit of 60 Named Licences but I can't find anything that shows this
If there is anything you could share it would be appreciated
Thank you for your feedback.
The tips section has this for a list of which users are assigned which Business Intelligence license:
Tip: Filter BI license type
You can determine who is using the service most frequently by generate a list of user logon events with 'Menu-Security-Activities'. Filter on 'Activity-Login' and a time frame (say last 30 days) and export the list. The more login events per user would suggest they use the Service more frequently than others. The users that login most frequently would probably be worthy of a 'named user' license, whilst perhaps the others (using it less frequently) could be assigned a 'concurrent' license.
I'll add this to my FAQ list at some point in time.
Hope this helps?
Thank for this thorough writeup.
I'd like to create a dashboard that has a list and count of the concurrent licenses. I am aware that it can be manually downloaded. However, the information must be stored somewhere on the backend. I'd like to take the manual process out.
Do you know of a way to include the information within the story or in the Admin Cockpit?
The admin Cockpit is pulling the concurrent users using IS_CONCURRENT. Do you happen to know where is this IS_CONCURRENT field/dimension from the Security > Users report stored? Where does it come from? Am I able to access it through a story?
Thank you for your feedback.
Probably best to ask your question on the Admin Cockpit blog https://blogs.sap.com/2021/11/19/sap-analytics-cloud-administration-cockpit/
You could also use the SCIM API to determine this. Depends how you want to 'report' on it. My AdminToolKit https://blogs.sap.com/2021/11/08/sap-analytics-cloud-user-and-team-provisioning-scim-api-sample-scripts-update-v0.6-whats-new/ creates teams of users that have 'concurrent user license' and many other things. Once you run it with the related sample data file provided, you could see the team and how many users in it easily enough. If you want to use SAC to report on it, then you're back to the Admin Cockpit blog.
Hope this helps, Matthew
Now that SAP is no longer offering the 'concurrent' license and only 'named' license going forward, what are the best practices for ongoing license management? We are trying to put together a good process but have some questions. We are rolling out SAC based on business need across the organization, users are identified based on each business case. However, we are also trying to reduce the workload of requests to our security team. We need to make sure that licenses are available when needed but obviously we do not want to assign a bunch of licenses that go unused. Some questions:
Many thanks for your questions.
As of today here are the answers. However SAP does make a habit of changing licence terms so this may change by 2023.
No, in short. Keep asking your SAP representative for this.
The license is assigned the moment the user is created. A user can have no roles, nor any team assigned, but they still consume a license. See my FAQ answer to the FAQ question Is it possible to de-activate (suspend or disable) a user for a bit more
You can use my sample scripts to disable or delete a user.
Check-out the 'Scenario's' that combine multiple scripts together and there's a few for managing licenses such as:
Look for 'Scenarios' in my blog for more
You can easily create your own, for example you can use my sample scripts to create a team of users that don't have any team or any role. (This will be the script 665 'AdminToolKit', introduced here, with this sample data file that you can run with that script to do just that). Then use sample script 851 to delete all the users of that team, without deleting the team itself. This means you can easily delete all users that have no role and aren't in a team. You can do this by running 2 scripts and best to do that via the command line to automate it.
What's missing, though, is information about the users last logon date. The API doesn't expose that users last logon date, so we can't automate a process to disable or delete users based on the time they've not used SAP Analytics Cloud. (time to visit the influence portal ;-))
I don't know the answer to this question, sorry. But you are not technically restricted to create users over your license entitlement This means you can have more users consuming a license than you are entitled to (hence your question, but I just put that here for others to clarify things). There's a chance this might change at some point, but I don't have any more details.
I hope this helps.
All the best
Thanks for your quick reply, these responses are helpful!
I have a big question;
We have SAP Analytics cloud tenant with some Business intelligence, Planning professional and Planning Standard licensed users.
Entering the "system" , under "security" i see that there is the possibility to create custom roles , but i don't understand how the SAP
system differentiates what features are permitted for Business intelligence license and what features are permitted for Planning Standard license; i mean how can i be sure that the feature that i select in custom role is avalaible only on Business intelligence license or only for Planning Standard license ?
I only see that Planning professional features are selectable only for Planning professional license, but the other feature are all avalyble so how can SAP distinguish beetwen Business intelligence feature and Planning Standard feature ... i mean if i create a custom role under Business intelligence license and i select all feature ( also planning ), who determine what license is really used ?
Good question, I should add this to my list of FAQs as its not entirely obvious.
Q. When a custom role is assigned and that role don't necessarily grant any rights associated to that roles' license type, what license will the user consume?
A. Even if there are no rights granted in the custom role, the user will still consume the license type associated with that custom role. When creating a custom role, you create it 'under a license type' and it is this license type the user will inherit, even if that custom role doesn't grant any rights.
As an example, this user has a custom role called 'BlankPlanningPro' assigned to them directly (best practice would be to assign the role via a Team, but handy here so you can see it more obviously). There are NO rights granted within this custom role, so the role doesn't really do much! The user, though, still consumes a Planning Professional license because the custom role was created 'under' the Planning Professional Role.
BlankPlanningPro custom role has NO rights granted within it. User still consumes a Planning Pro license
Hope this helps
All the best, Matthew