Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP Analytics Cloud - Managing Licenses with Roles and Teams

Matthew_Shaw
Product and Topic Expert
Product and Topic Expert
‎03-10-2020 5:31 PM
This blog introduces an article focused on managing licenses with the use of roles and teams. It means the article is suitable for any SAP Analytics Cloud administrator or those that wish to adopt best practices. All the hard work and thinking has been done for you, as the article presents the theory and what it means in practice.

The article has recently received a significant update to reflect the many changes that are now enforced for all customers worldwide. There are no exceptions.

There have also been updates to the SCIM API, in Q1 2023, and this article has been updated to reflect these changes too.

In summary, the article covers the following topics:

  • Licenses available

  • How licenses are assigned to users and how some licenses may consume a ‘higher’ license

  • What the default license is and how it is consumed when no roles are assigned

  • How licenses are calculated and examples of consuming ‘higher’ licenses

  • License assignment examples include the ‘deactivate’ users’ feature.

  • Examples of user creation failure and suggested solutions due to lack of licenses

  • Examples of team and user update failure including suggested solutions related to Analytics Hub roles

  • How to work with concurrent-session licenses and the various means and ways to automate the assignment of such licenses.

  • Best practices, including user provisioning best practices.

  • A great long list of FAQs


 

A blog introducing the changes planned for the end of Q3 or early Q4 2023 which can also help admini...

 

Please preview or download this article (version 2.3.2 - November 2023). The download is a Microsoft PowerPoint presentation.

An older version of this article remains in the wiki. This will soon be retired and replaced with new technology where the article will then be stored. Until then, I’ve copied the article below so it's easier to access via your web browser!

Your feedback is most welcome. Before posting a question, please read the article carefully and take note of any replies I’ve made to others. Please hit the ‘like’ button on this article or comments to indicate its usefulness.

Many thanks

Matthew Shaw @MattShaw_on_BI

How the license is assigned to a user – the rules


License types, capabilities, users, roles, teams, default license


Licenses currently available *:






























License Named or Concurrent
Analytics Hub Named user *
Business Intelligence Named user
Business Intelligence Concurrent session *
Planning Standard Named user
Planning Professional Named user


  • * Concurrent session licenses are no longer available to purchase

    • Existing customers can continue to enjoy their concurrent session licenses for their existing SAP Analytics Cloud Services (tenants)

    • However, even existing customers can no longer purchase these licenses for new SAP Analytics Cloud Services (tenants)



  • * Analytic Hub licenses are no longer available to purchase

  • There is also a ‘Digital Boardroom’ license, but this isn’t limited by the number of users


 

  • Only the “Business Intelligence” license offers concurrent session licenses; all others are named-user licenses

    • Combining ‘concurrent-session’ licenses with named-user licenses is discussed in detail within this article




 

  • Named-user license assignment now enforced from early November 2023:

    • What this means is discussed in detail in this article





Capabilities:




  • a Professional Planning license includes the capabilities of a Planning Standard license

  • a Planning Standard license includes the capabilities of a Business Intelligence license


 

  • This means a user consuming a ‘Planning Standard’ license doesn’t consume a ‘Business Intelligence’ license but still enjoys all the capabilities of the ‘Business Intelligence’ license provides

    • This works similarly with a ‘Planning Professional’ license, it doesn’t consume either a ‘Planning Standard’ or a ‘Business Intelligence’ license





Roles are associated with a license type:

  • Roles must be associated with a ‘license type’ and only one

    • It’s not possible to have a role that is not assigned to any license type

    • A license type is a license, but without the ‘named-user’ or ‘concurrent-session’ aspect



  • Multiple roles can be assigned to the same license type

  • The license type associated with the role is then assigned to any user inheriting the role

    • For ‘Business Intelligence’ licenses, there are both ‘named-user’ and ‘concurrent-session’ based. However, perhaps confusingly, there is no concept of a ‘named-user’ role or a ‘concurrent-session’ role. The role only relates to the license type, irrespective of whether that license is ‘named’ or ‘concurrent’





Roles are assigned either:

  • directly to the user

    • not considered best practice



  • or, indirectly via team inheritance, where the user is a member of a team, and the team is assigned to a role

    • this is the best practice

    • this means all your users should not have any roles directly assigned to them, except the System Owner, as the ‘System Owner’ role can’t be assigned to a team





Licenses are, thus, assigned to users via role assignment

  • Users inherit roles via team membership or direct role-to-user assignment

  • The actual license consumed by the user is determined by a calculation that is described below



Almost all users consume a license:

  • Users, without any roles assigned to them, are assigned a default ‘Business Intelligence’ license, which they will then consume

    • Since roles grant application rights, such users will have dramatically limited functionality, but they will still consume a license



  • ‘Deactivated’ users do not consume a license

    • Users that consume a ‘named-user’ license and a ‘concurrent-session’ license can be deactivated

    • Unlike named-user licenses, Business Intelligence concurrent-session licenses are only consumed upon logon

    • It, therefore, doesn’t make sense, from a licensing perspective, to de-activate users assigned a concurrent-session license



  • Some other users also don’t consume a license, regardless of the roles they inherit, and they are:

    • The user with the ‘System Owner’ role

    • SAP Support Users





The highest license type is taken from the union of all roles:

  • A user can be a member of multiple roles, and each role can be from different license types:

  • The ‘highest’ in terms of the license is taken from the union of all roles assigned to the user. For example:

    • if a user is assigned ‘Business Intelligence’ and ‘Planning Standard’, then the license assigned is ‘Planning Standard’

    • if a user is assigned ‘Business Intelligence’ and ‘Planning Professional’, then the license assigned is ‘Planning Professional’

    • if a user is assigned ‘Planning Standard’ and ‘Planning Professional’, then the license assigned is ‘Planning Professional’



  • This does not apply to

    • Analytic Hub roles/licenses

    • Business Intelligence ‘concurrent-session’ licenses





Example:

  • User is a member of a team. The team is a member of two roles. The ‘highest’ license type is taken from the union of the roles inherited, which is a ‘Planning Standard’ role

    • This means the user consumes a ‘Planning Standard’ license

    • The user does not consume a ‘Business Intelligence’ license




Assigned licenses may consume ‘higher’ licenses






  • If there are not enough licenses available, a ‘higher’ license will be used instead

    • This assumes there are ‘higher’ licenses available

    • Otherwise, the operation will fail (user creation, user, or team updates will fail)




Example:

  • 11 users that are assigned a ‘Business Intelligence’ license

  • However, there are only 10 ‘Business Intelligence’ licenses, all of which have been consumed

  • 1 license needs to be carried over to a higher license type

  • There are 5 ‘Planning Standard’ licenses, of which

    • 2 are already assigned

    • leaving 3 available that can be used if there are not enough ‘Business Intelligence’ licenses available



  • So, 1 of these 11 users will consume a ‘Planning Standard’ license instead of a ‘Business Intelligence’ license

    • It could be considered that this user is unnecessarily consuming a more expensive licence

    • But this has to be preferred over:

      • denying user or team updates because there are insufficient licenses of the ones assigned

      • denying new user creation just because a role has not been assigned directly to the user. A very technical thing happens at the time of user creation: Only directly assigned roles are considered for the license assignment at the time of user creation, even if that user creation process involves adding the user to a team and thus inheriting a role and being assigned a different license! It would mean a new ‘Planning’ user could not be created in this example, even though there are planning licenses available (unless, at the time of user creation, the user is directly assigned a planning role which is generally against the best practice)






License assignment examples


License assignment examples 1 - de-active users


Example 1.1





  • User is not assigned any roles directly and is not a member of a team

  • The user is ‘de-activated’, so it does not consume any license

  • You can have as many of these types of users registered in SAP Analytics Cloud as you please

    • (You can also have as many activated Business Intelligence concurrent session users as you please, if you have this license type)




Example 1.2





  • User is a member of a team, which is itself a member of a ‘Business Intelligence’ role

  • The user has a directly assigned ‘Planning Professional’ role

  • The user is ‘de-activated’, so it does not consume any license

  • You can have as many of these types of users registered in SAP Analytics Cloud as you please

    • (You can also have as many activated Business Intelligence concurrent session users as you please, if you have this license type)




 

License assignment examples 2 - Business Intelligence license





  • Example 2.1:

    • User is not assigned any roles directly and is not a member of any teams

    • The user is ‘activated’, and so it must be assigned a license

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 2.2:

    • User is not assigned any roles directly, but the user is a member of a team

    • The team, though, is not a member of any roles

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 2.3:

    • User is assigned a ‘Business Intelligence’ role via team inheritance



  • License calculation:

    • There are ‘Business Intelligence’ licenses available

    • This means the user consumes a ‘Business Intelligence’ license




 

License assignment examples 3 - Insufficient Business Intelligence licenses, the user consumes Planning Standard license





  • Example 3.1:

    • User is not assigned any roles directly and is not a member of any teams

    • The user is ‘activated’, and so it must be assigned a license

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 3.2:

    • User is not assigned any roles directly, but the user is a member of a team

    • The team, though, is not a member of any roles

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 3.3:

    • User is assigned a ‘Business Intelligence’ role via team inheritance



  • License calculation:

    • There are only 10 ‘Business Intelligence’ licenses, all of which have been consumed

    • 1 license needs to be carried over to a higher license type

    • There are 5 ‘Planning Standard’ licenses, of which

      • 2 are already consumed

      • leaving 3 available



    • So, 1 of these 11 users will consume a ‘Planning Standard’ license instead of a ‘Business Intelligence’ license




 

License assignment examples 4 - Insufficient Business Intelligence and Planning Standard licenses, the user consumes Planning Standard license





  • Example 4.1:

    • User is not assigned any roles directly and is not a member of any teams

    • The user is ‘activated’, and so it must be assigned a license

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 4.2:

    • User is not assigned any roles directly, but the user is a member of a team

    • The team, though, is not a member of any roles

    • Users without an assigned role will be assigned a ‘Business Intelligence’ license



  • Example 4.3:

    • User is assigned a ‘Business Intelligence’ role via team inheritance



  • License calculation:

    • There are only 10 ‘Business Intelligence’ licenses, all of which have been consumed

    • 1 license needs to be carried over to a higher license type

    • There are 5 ‘Planning Standard’ licenses:

      • However, all 5 are already consumed



    • There are 2 ‘Planning Professional’ licenses, of which

      • 0 are already consumed

      • leaving 2 available



    • So, 1 of these 11 users will consume a ‘Planning Professional’ license instead of a ‘Business Intelligence’ license




 

License assignment examples 5 - Planning Standard license



 

  • Example 5.1:

    • User is assigned a ‘Planning Standard’ role directly



  • Example 5.2:

    • User is not assigned any roles directly, but the user is a member of a team

    • The team is a member of a ‘Business Intelligence’ and a ‘Planning Standard’ role



  • Example 5.3:

    • User is not assigned any roles, but the user is a member of 2 teams

    • One team is a member of a ‘Business Intelligence’ role and a ‘Planning Standard’ role. The other team isn’t a member of any roles



  • License calculation:

    • The ‘highest’ license type is taken from the union of the roles assigned, which is a ‘Planning Standard’ role. The user does not consume a Business Intelligence license

    • There are ‘Planning Standard’ licenses available

    • So the user consumes a ‘Planning Standard’ license




License assignment examples 6 - Test and Test Preview Services (tenants) only have Planning Professional licenses




 

  • Example 6.1:

    • User is assigned a ‘Business Intelligence’ role directly



  • Example 6.2:

    • User is not assigned any roles directly, but the user is a member of a team

    • The team is a member of a ‘Business Intelligence’ and a ‘Planning Standard’ role



  • Example 6.3:

    • User is not assigned any roles, but the user is a member of 2 teams

    • One team is a member of a ‘Business Intelligence’ role and a ‘Planning Standard’ role. The other team isn’t a member of any roles





  • License calculation 6.1:

    • User is assigned a ‘Business Intelligence’ role directly



  • License calculation 6.2/6.3:

    • The ‘highest’ license type is taken from the union of the roles assigned, which is a ‘Planning Standard’ role. The user does not consume a Business Intelligence license



  • License calculation 6.1/6.2/6.3:

    • This is a Test or Test Preview Service (tenant), and so there are only ‘Planning Professional’ licenses available

    • All licenses assigned need to be carried over to a ‘Planning Professional’ license

    • So the user consumes a ‘Planning Professional’ license even though they are assigned ‘lower’ licenses




 

Failures to users and teams due to lack of license


Example 1 – user creation failure





  • Creating this user will fail

    • because there are no ‘Business Intelligence’ licenses available, all are consumed by other named-users

    • and, there are no ‘higher’ licenses that could be used due to the lack of ‘Business Intelligence’ licenses



  • Applicable for all forms of user creation

    • manually with the user interface, SCIM API, dynamic user creation, import file option



  • Users can be created when all licenses are already fully consumed but only by

    • Creating ‘deactivated users’ by using the Menu-Security-Users-Import Users option and the file column ‘IS_USER_DEACTIVATED’ is TRUE. Such de-activated users do not consume a license and so even when there are no available licenses, the user is still created successfully

    • Creating users that are set to consume a ‘Business Intelligence concurrent session’ license, if you have that license type

      • Concurrent session licenses are enforced at the time of log-on, unlike named-user licenses





  • When user creation fails due to a lack of license, an error is captured in the activities log


Example 2 – Analytics Hub role removed, no default licenses




 

  • Performing any of the actions mentioned will fail, it will not be complete, an error will be shown, and that error be captured in the activities log

  • The configuration will remain unchanged, the user will still be assigned an ‘Analytics Hub’ role and still consume an ‘Analytics Hub’ license

  • It will fail because:

    • There is an attempt to remove the ‘Analytics Hub’ role from the user, thus the user would no longer be able to consume an ‘Analytics Hub’ license

    • But, the user would then have no roles assigned (either directly or via team inheritance), so the user would be assigned a default ‘Business Intelligence’ license

    • Assuming the user does not have the ‘concurrent-session’ license set as a property of the user, the user would be assigned a ‘Business Intelligence named-user’ license

    • There are no ‘Business Intelligence’ named-user licenses available, and there are no ‘higher’ licenses that could be used due to the lack of ‘Business Intelligence’ licenses



  • To resolve this, do any of the following before performing the action:

    • De-activate or delete users consuming the ‘Business Intelligence’ named-user license

    • Purchase additional Business Intelligence named-user licenses

    • Or, if you have concurrent-session licenses, change the ‘Business Intelligence’ license for the user from ‘named’ to ‘concurrent-session’







  • For the f2.3 and f24 examples, the attempt to update/delete the team will show this error:

    • The selected teams cannot be deleted. The maximum number of licenses have been reached. Please check your current license usage limits. Then deactivate users, delete inactive users, or consider an upgrade to your plan



  • Similar errors will be shown for f2.1 and f2.2


Example 3 – Lack of Planning license






  • Performing any of the actions mentioned will fail, it will not complete, an error will be shown, and that error be captured in the activities log:

    • f3.1: Adding Planning Standard Role to a user that currently consumes only a BI license

    • f3.2: Add team to Planning Standard role, where at least 1 user of that team currently consumes only a BI license

    • f3.3: Add user(s) to a team inheriting Planning Standard Role, where at least 1 user of that team currently consumes only a BI license



  • The configuration will remain unchanged:

    • The whole operation will fail. For example, if adding 100 users to a team where only 1 user needed to consume a license that has exceeded its limit, then all 100 users will not be added to the team. In this instance, you could then add the other users to the team successfully, but this would need to be a separate operation or task



  • It will fail because:

    • There is an attempt to consume licenses that are not available. The ‘Planning Standard’ and ‘Planning Professional’ licenses are already fully consumed, preventing these ‘higher’ licenses from being consumed by a lower license type



  • To resolve this, do any of the following before performing the action:

    • De-activate or delete users consuming the ‘Planning Standard’ (or Planning Professional) named-user license

    • Purchase additional Planning Standard named-user licenses



  • This applies similarly to Planning Professional licenses


 

Example 4 – Lack of license when reactivating user or transferring system ownership






  • Performing any of the actions mentioned will fail, it will not be completed, an error will be shown, and that error be captured in the activities log:

    • f4.1: Reactivating a user that is currently de-activated

    • f4.2: Transferring the System Owner to another user



  • The configuration will remain unchanged

  • It will fail because:

    • There is an attempt to consume licenses that are not available

    • When transferring the System Owner role to another user, the existing System Owner user must be assigned a new role before the transfer occurs. However, since there are no free licenses, this step fails and so the whole operation fails, even though the net license entitlement will not change



  • To resolve this, do any of the following before performing the action:

    • De-activate or delete users consuming named-user licenses

    • Purchase additional named-user licenses




Working with concurrent-session licenses


License combinations


 

  • A single user can consume more than 1 license type, however, some licenses include others:

    • A Planning Professional license includes a Planning Standard license

    • A Planning Standard license includes a Business Intelligence ‘named user’ license

    • And a user can only consume one of the Business Intelligence licenses: ‘named user’ or ‘concurrent session’





 

  • It means the possible combinations are as shown:

    • A Planning license (Standard or Professional) cannot consume a Business Intelligence concurrent session license

    • Or, if you like, a Business Intelligence concurrent session license cannot consume a Planning license



  • Typically it is ‘User G’ we need to consider, as it is only this user that combines both named-user with concurrent session


Roles (re-cap)





  • A single role can consume only 1 of these license types:

    • Analytics Hub

    • Business Intelligence

    • Planning Standard

    • Planning Professional




 

  • Importantly! The role does NOT define if the license is ‘concurrent session’ or ‘named user’

    • There is no concept of a ‘concurrent session role’ or ‘named user role’

    • (though Planning Roles will enforce a ‘named user’ license)







  • Licenses are assigned to users by the roles they are a member of

  • This means if a user wishes to consume more than 1 license then either:

    • They directly consume more than 1 role (like User J)

    • Or they consume roles indirectly through a team, as a team can be a member of one or multiple roles, even roles that consume different license types (like User K)



  • Users J and K both enjoy Analytics Hub and Business Intelligence licenses

  • Importantly! Like a role, a team does NOT define if the license is ‘concurrent-session’ or ‘named-user’

    • There is no concept of a ‘concurrent session team’ or ‘named user team’




How to apply Business Intelligence concurrent session licenses






  • How can a user consume a ‘concurrent session’ or a mix of Analytics Hub ‘named user’ and BI ‘concurrent session’ licenses (like User C and User G)?

  • The property that defines if the ‘Business Intelligence’ license is ‘named-user’ or ‘concurrent session’ is a user property

    • Access this user property on the ‘Security / Users’ screen, via the ‘Roles’ dialogue

    • This setting is only applicable for the ‘Business Intelligence’ license



  • Simply change this property and press ok

    • There don’t even need to be any roles selected, since roles can be inherited via a team the user is a member of



  • With the user interface, changing this property can only be performed on a user-by-user basis

    • The SCIM API enables an automated means to update multiple users

    • The menu-security-users-file import option also enables a non-API method to update multiple users






 

Before SAP Analytics Cloud August Q3 2023 release:

  • The ‘Concurrent Session License’ setting is only remembered (respected) when:

    • There are no roles directly applied to the user (roles may be inherited instead via team membership)

    • Or, when any roles directly applied to the user are either Business Intelligence roles or Analytics Hub roles

    • Or, when using the SCIM API to update users or teams




 

  • The ‘Concurrent Session License’ setting is not remembered (not respected) when:

    • The user only has Analytic Hub roles assigned without any other roles assigned

    • The user has any Planning role assigned (Planning Standard or Planning Professional)




 

  • Means for the setting to be remembered, you will need to remove any Planning roles that are directly assigned to the user, if the user has such roles directly assigned

    • After making changes to a users role, you can check the license type that is accepted and assigned by re-opened the dialogue shown, it will show either ‘user license’ or ‘concurrent session license’



  • The property only changes the ‘Business Intelligence’ license between ‘named user’ and ‘concurrent session’, it has no impact on any other license


 

  • Can also use an API to change this user property programmatically :

    • See

    • Or use sample scripts 401, or 451 to update users or teams of users with a different Business Intelligence license type




 

After SAP Analytics Cloud August Q3 2023 release:

  • Consider the ‘Concurrent Session license’ as a property ‘requesting’ a concurrent-session license if and only if a Business Intelligence license is assigned to the user.

  • If a Planning license is assigned because the user has a planning role, then the user will not be able to consume a ‘Business Intelligence’ license

    • In such cases, this property could be ‘true’, but the user would consume a Planning named-user license.  The same is equally applicable to Analytics Hub roles and licenses.




 

  • The significant benefit of this release update is that this property is always remembered when best practices are adopted by assigning roles to users via team inheritance


 

  • The ‘Concurrent Session License’ setting is not remembered (not respected) when:

    • A Planning or an Analytics Hub role is directly assigned to the user via the user interface (unlike when a user already has a Planning or Analytics Hub directly assigned role, and the ‘concurrent session’ setting is then selected)




 

  • The ‘Concurrent Session License’ setting is thus remembered (respected) when:

    • There are no roles directly applied to the user, instead any role of any license type is inherited via team membership (this is the best practice)

    • Or, when the setting is changed to ‘concurrent session’ after a Planning or an Analytics Hub role has been directly assigned to a user

    • Or, when using the SCIM API to update users or teams



  • It means that for the setting to be remembered and, you will need to directly assign any Planning or Analytics Hub then update this property after making changes to roles directly assigned to users

  • The property only changes the ‘Business Intelligence’ license between ‘named user’ and ‘concurrent session’; it has no impact on any other license

  • Can also use an API to change this user property programmatically:

    • See

    • Or use sample scripts 401, or 451 to update users or teams of users with a different Business Intelligence license type





 

There are 3 primary workflows to assign licenses:

 

  • Workflow 1: Selecting a user and assigning roles directly to the user (via Menu-Security-Users)

    • Repeat the workflow for each user of type User J



  • Workflow 2: Selecting a role and assigning a role to 1 or many users/teams (via Menu-Security-Roles)

    • Applicable for Users J and K, then using workflow 1 to set the users’ concurrent setting



  • Workflow 3: Assign a default role and set it as ‘default’ (Via Menu-Security-Roles-Role Configuration)

    • Applicable for new users of type Users J

    • No repetitive steps are required




Workflow 1 – Security-Users





  • 1. Select Menu-Security-Users

  • 2. Click to open the ‘Select User Roles’ dialogue

  • 3. Select any Analytics Hub Role(s) and/or BI Role(s)

  • 4. Once you select the option ‘Concurrent Session License’ the dialogue will show a message: “An Analytics Hub role cannot be assigned as a Concurrent Session License. It will be assigned as a User License



  • This means

    • if any Analytics Hub role is assigned to the user, the user will consume an Analytics Hub ‘named user’ license

    • if any Business Intelligence role is assigned to the user, the user will consume a Business Intelligence ‘concurrent session’ license

      • The roles could be assigned directly to the user (as we are doing here), or indirectly via a team since a team can be a member of a role (see Best Practice later)





  • The user will consume an ‘Analytics Hub named user’ AND/OR a ‘Business Intelligence concurrent session’ license

  • You could incorrectly think, any role you select here is a ‘Concurrent Session’ role. This is not the case. All you are doing is changing a user property, so the ‘Business Intelligence’ license is a ‘concurrent session’ for that user.


Workflow 2 – Security-Roles





  • Assign ‘Analytics Hub Roles’ (if required):

  • 1. For the ‘Analytics Hub’ role, click ‘Assign Users’ to open the ‘Assign Role to User’ dialogue

    • The dialogue enables you to assign both users and teams







  • 2. Select the Teams and Users you wish to grant ‘Analytics Hub Named User’ licenses to

    • If assigning Users directly (User J) to an Analytics Hub Role any Business Intelligence license will be set as ‘named user’ but this is resolved in subsequent steps

      • i.e. the Business Intelligence license will be set to ‘named user’ even for those users that are already set as ‘concurrent’





  • 3. Press OK

    • At this point the users will be assigned the Analytics Hub ‘named user’ license







  • Assign ‘Business Intelligence Roles’:

  • 4. For the ‘Business Intelligence’ role, click ‘Assign Users’ to open the ‘Assign Role to User’ dialogue

    • The dialogue (with ‘User License’ selected by default) enables you to select both users and teams

    • The information “This role will be assigned to the selected members from both the User License and Concurrent Session License tabs.” is saying you can assign, to this role, both ‘Named User’ and ‘Concurrent Session License’ at the same time.









    • It means User F could be assigned ‘Named User’ and User G could be assigned ‘Concurrent Session’ using this dialogue (and switching between the two radio buttons ‘user license’ and ‘concurrent session license’ as we shall see next) and following these steps 4, 5, 6 and 7



  • 5. Optionally, select Users you wish to have a Business Intelligence ‘Named User’ licenses (like for User F)

    • Users listed/selected will have/be assigned the role and assigned a Business Intelligence ‘Named User’ license

    • The users listed will be users that already have a ‘Business Intelligence named user’ license assigned. You can still search for other users (that have a concurrent session license) and add them to the ‘Selected Users’. All ‘Selected Users’ will be assigned a ‘Business Intelligence named user’ license





 

  • 6. (Whilst still on the ‘User License tab’) Select the Teams you’d like to assign the ‘Business Intelligence’ role to:

    • Any Teams listed/selected do not change the Team memberships’ Business Intelligence licence type

    • i.e. it does not mean, Team members will be assigned a ‘Business Intelligence named user’ license

    • Team members could still be assigned a ‘Business Intelligence Concurrent Session’ license even though the ‘User License’ tab is selected after you press OK

    • You could incorrectly think, any Teams you select are ‘named user’ teams. This is not the case. All you are doing on this tab is specifying which users, by being a member of a Team, should consume a Business Intelligence role. The teams you pick here do not impact the license type of users within those Teams unless the users are directly selected as in step 5

    • At the end of this step, the users of the Team will not yet be assigned any particular Business Intelligence license. Their license is assigned in later steps, 9 to 12







  • 7. Select the ‘Concurrent Session license’ radio button

    • Only a list of users will be shown (and any users listed will be ones already assigned a concurrent license)

    • Teams will not be shown once the ‘Concurrent Session License’ has been selected



  • 8. Select Users to be assigned a ‘Business Intelligence Concurrent Session’ license (like User J)

    • If you selected a user (under the ‘Concurrent Session License’) and a team (under ‘User License’) where the user is also in the team, the user will be assigned a ‘Concurrent Session’ License. i.e. it requires the User to be specifically selected under the ‘Concurrent Session License’ tab for them to be assigned the ‘Business Intelligence Concurrent Session’ license







  • Steps 9 to 12 are to set the Business Intelligence license to ‘concurrent session’ for the following users:

    • Users in a team, where the team is a member of a Business Intelligence role

    • Users not explicitly and directly assigned the Business Intelligence role

    • i.e. Users like User K






  • 9. Select Menu-Security-Users

  • 10. For each user edit the ‘Roles’ to open the ‘Select User Roles’ dialogue

  • 11. Change the ‘Assign as:’ to ‘Concurrent Session License’

    • This changes only the ‘Business Intelligence’ license to a concurrent session

    • There is no need to change the roles selected

    • There don’t even need to be any roles selected



  • 12. Press OK


Workflow 3 – Default Roles





  • 1. Select Menu-Security-Roles

  • Steps 2 to 5 are optional and only needed if you wish to assign Analytics Hub licenses

  • 2. Open the appropriate Analytics Hub role

  • 3. Click on Role Configuration

  • 4. Optionally select ‘Use as Default Role’

    • This will means that when a new user is created, they will be assigned this Analytics Hub role



  • 5. Optionally select ‘Enable Self-Service’

    • This means users who do not currently enjoy this Role can request it and obtain it once approved







  • These steps are needed to assign Business Intelligence ‘concurrent session’ licenses

  • 1. Open the appropriate Business Intelligence Role

  • 2. Click on Role Configuration

  • 3. Select ‘Use as Default Role’

    • This will means when a new user is created they will be assigned this Business Intelligence Role



  • 4. For ‘Assign as:’ select ‘Concurrent Session License’

    • This will means when a new user is created they will be assigned the Business Intelligence ‘concurrent session’ license



  • 5. Optionally select ‘Enable Self-Service’

    • This means users who do not currently enjoy this Role, can request it and obtain it once approved. However this will not change the Business Intelligence license type for that user, their Business Intelligence license type will remain unchanged




Changing Business Intelligence license type



 

Using SCIM API

  • Sample scripts, written in Postman, provide a means to automate the update of users' license type

  • These scripts are freely available with comprehensive user instructions and introduced via this blog which also shows a demonstration of sample script 451:



  • Sample script 401 reads a very simple .csv file and updates the users’ BI license type according to the ‘true’ or ‘false’ value as shown





  • Sample script 451 reads a very simple .csv file and updates all the users of a team with the BI license type according to the entry in the file:





  • For example, all members of Team1 will be assigned a ‘concurrent’ license type, whilst Team2 will be assigned a named user


 

Using the Menu-Security-Users-Export and Import from file option (changing to concurrent)





  • Step 1: Select Menu-Security-Users

  • Step 2: Select ‘Export’ and open the csv file that is downloaded (doc link)

  • Step 3: Remove rows for users that you don’t wish to update

  • Step 4: Change the column ‘IS_CONCURRENT’ value from 0 to 1

    • for those users that you wish to assign a concurrent session license to users

    • You can update other columns, for example, ‘ROLES’ to update which roles are directly assigned to the user



  • Step 5: Save the csv file you’ve just updated

    • It’s important not to remove any columns from the file as these hold properties about the users’ profile

    • If these are lost, the user may find it a little annoying



  • Step 6: Select Import Users (doc link)

  • Step 7: Select Source File and select the csv file you saved in step 5

  • Step 8: Select Create Mapping and press OK

  • Step 9: Select Import


 

  • Best Practices with the file import option (step 6):

    • Update no more than around 1,000 users at a time

    • If you have 10,000 users, then split the file into 10 ‘chunks’ each of 1,000 users

    • Import each file, of 1,000 users, at a time

    • If you import more than ~3,000 users at a time, some users may not be updated

      • Continuous re-attempts of the import will eventually update all users



    • This best practice only applies to updating users, not creating new users (where the best chunk size is ~10,000)




Using the Menu-Security-Users-Export and Import from file option (changing to named user)




  • Step 1: Select Menu-Security-Users

  • Step 2: Select ‘Export’ and open the csv file that is downloaded (doc link)

  • Step 3: Remove rows for users that you don’t wish to update

  • Step 4: Change the column ‘IS_CONCURRENT’ value from 1 to 0

    • for those users that you wish to assign a concurrent session license to users

    • You can update other columns, for example, ‘ROLES’ to update which roles are directly assigned to the user



  • Step 5: Save the csv file you’ve just updated

    • It’s important not to remove any columns from the file as these hold properties about the users’ profile

    • If these are lost, the user may find it a little annoying



  • Step 6: Select Import Users (doc link)

  • Step 7: Select Source File and select the csv file you saved in step 5

  • Step 8: Select Create Mapping and press OK

  • Step 9: Select Import


 

  • Best Practices with the file import option (step 6):

    • Update no more than around 1,000 users at a time

    • If you have 10,000 users, then split the file into 10 ‘chunks’ each of 1,000 users

    • Import each file, of 1,000 users, at a time

    • If you import more than ~3,000 users at a time, some users may not be updated

      • Continuous re-attempts of the import will eventually update all users



    • This best practice only applies to updating users, not creating new users (where the best chunk size is ~10,000)




 

 

Managing license gotcha’s


Managing Licenses Gotchas for Workflow 2 (Menu-Security-Roles)!



Before SAP Analytics Cloud August Q3 2023 release:

  • Assigning an Analytics Hub role directly to a user changes the Business Intelligence license type (‘Named user’ or ‘Concurrent Session’), if the user has one, to ‘Named user’

    • Unlike assigning an Analytics Hub role indirectly to a user via a Team

    • Or, if you like, assigning an Analytics Hub Role to a Team will not change any of the Teams’ members’ Business Intelligence license type (if they have one)



  • Removing all the Business Intelligence Roles changes the license to ‘named user’:

    • If you remove all the Business Intelligence Roles from a user (either directly or indirectly by removing the Team(s) they are a member of) from the Business Intelligence Role(s), then the user property about their ‘Business Intelligence’ license type (‘named’ or ‘concurrent’) will be changed to ‘named user’

    • There is no warning or indication of when this occurs




 

After SAP Analytics Cloud August Q3 2023 release:

  • Assigning an Analytics Hub role directly to a user changes the Business Intelligence license type (‘Named user’ or ‘Concurrent Session’), if the user has one, to ‘Named user’

    • Unlike assigning an Analytics Hub role indirectly to a user via a Team

    • Or, if you like, assigning an Analytics Hub Role to a Team will not change any of the Teams’ members’ Business Intelligence license type (if they have one)



  • Removing all the Business Intelligence Roles no longer changes the license to ‘named user’:

    • If you remove all the Business Intelligence Roles from a user (either directly or indirectly by removing the Team(s) they are a member of) from the Business Intelligence Role(s), then the user property about their ‘Business Intelligence’ license type (‘named’ or ‘concurrent’) will no longer be changed, instead it will keep its setting unlike before this release update




 


Before SAP Analytics Cloud August Q3 2023 release:

  • Assigning a Planning role (standard or professional) directly to a user changes the Business Intelligence license type (‘Named user’ or ‘Concurrent Session’), if the user has one, to ‘Named user’

    • There is no warning or indication of when this occurs

    • The user will be shown as consuming a ‘Planning Standard’ or a ‘Planning Professional’ license

      • This makes sense since a Planning license can not be of type ‘concurrent session’, only Business Intelligence licenses can be





  • Removing all Planning Roles changes the license to ‘named user’:

    • If you remove all the Planning Roles from a user (either directly, or indirectly by removing the Team(s) they are a member of), then the user property about their ‘Business Intelligence’ license type (‘named’ or ‘concurrent’) will be set to ‘named user’ and not ‘concurrent’

    • Any default role, regardless of how it is configured, does not change this.




 

After SAP Analytics Cloud August Q3 2023 release:

  • Assigning a Planning role (standard or professional) directly to a user changes the Business Intelligence license type (‘Named user’ or ‘Concurrent Session’), if the user has one, to ‘Named user’

    • There is no warning or indication of when this occurs

    • The user will be shown as consuming a ‘Planning Standard’ or a ‘Planning Professional’ license

      • This makes sense since a Planning license can not be of type ‘concurrent session’, only Business Intelligence licenses can be





  • Removing all Planning Roles no longer changes the license to ‘named user’:

    • If you remove all the Planning Roles from a user (either directly, or indirectly by removing the Team(s) they are a member of), then the user property about their ‘Business Intelligence’ license type (‘named’ or ‘concurrent’) will no longer be changed, instead it will keep its setting unlike before this release update

    • Any default role, regardless of how it is configured, does not change this.




 

  • Analytic Hub Roles will not list users with a Business Intelligence ‘concurrent session’ license under ‘Selected Users’, even when they are granted the role!

    • The list will not list yourself as you cannot assign yourself a role

    • The number of users and teams will be correct but the number of users will exclude those users in Teams




 

Summary – Switching Business Intelligence licenses



  • Actions that change a Business Intelligence license from ‘concurrent session’ to ‘named user’:

    1. Changing the user property via Security-Users-Roles-Assign As (Workflow 1)

    2. Adding the user directly to an Analytic Hub Role, via the user interface.

    3. Removing all Business Intelligence roles directly from a user, via the user interface.

    4. Granting the user any Planning Role (by any means – including via a request role)

      • All Planning Roles consume a named-user license

      • After the August Q3 2023 update, removing all planning roles will return the Business Intelligence concurrent-session license if it was previously set before assigning the planning role(s). Before this update, the Business Intelligence license would always be ‘named-user’ regardless of its previous setting



    5. Using the SCIM API

    6. Using the Menu-Security-Users-Export and Import from file option




 

  • Actions that change a Business Intelligence license from ‘named user’ to ‘concurrent session

    1. Changing the user property via Security-Users-Roles-Assign As (Workflow 1)

    2. Assigning the user directly to a Business Intelligence role under the ‘Concurrent Session’ tab (Workflow 2)

    3. Defining a Business Intelligence Role as a default role and setting the ‘Assign As’ as ‘concurrent session’ (only for new users) (Workflow 3)

    4. Using the SCIM API

    5. Using the Menu-Security-Users-Export and Import from file option




 

  • Other than the means above, there is no way to define a group of users to consume a Business Intelligence ‘concurrent session’ license

  • For those not using a user provisioning solution but require an automated means of assigning ‘concurrent session’ licenses use Workflow 3


 

General Best Practices for Managing Role Assignment



For those not using a User Provisioning Solution:

  • Use a SAML2 Identity Provider (IdP) to declare which teams a user should be a member of

  • Consider enabling ‘dynamic user creation’ on SAP Analytics Cloud setup with the IdP

    • It is highly recommended to map the user on the USERID and not on the e-mail or custom property



  • Map SAML2 User Attributes to SAP Analytics Cloud teams, not roles

    • Use teams to group roles together and thus allow users to inherit roles via teams

    • The users’ membership to teams and roles will be updated upon their next logon

      • Means changing the IdP users attribute for their team/role membership will only take effect upon the users’ next logon and not before

      • In turn, this means any change to the license consumption is delayed until that point

        • Unlike using the SCIM API, when updating the teams/roles, assignment is immediate

        • If a user is deleted (or denied the SAP Analytics Cloud application) in the IdP, then the team assignment in SAP Analytics Cloud remains unchanged









If you need to assign Business Intelligence ‘concurrent session’ licenses then

  • Define a default role (workflow 3) and set it to switch the users’ license type to ‘concurrent’ at the time of user creation

  • The default role will then be assigned directly to a user

  • This is only needed to enable the ‘default’ role to switch the license type at the time of user creation

  • Once the license type has been set correctly, there’s no reason to maintain this directly assigned role

  • The direct role assignment (dotted in the diagram) can optionally be removed after the user has been created

  • Assign users to ‘other’ roles via team membership and do not directly assign other roles to the user


 

  • As all new users will be assigned a Business Intelligence ‘concurrent session’ license, you need to use workflow 1 for each user that should be assigned Business Intelligence ‘named user’:

    • In workflow 1, select ‘user license’ instead of ‘concurrent session’









    • However, there is no need to do this if any of these users are assigned a Planning Role since Planning Roles include a Business Intelligence ‘named user’ role automatically overriding any ‘concurrent session’ license setting.

    • Planning roles directly assigned to a user should be avoided because removing that role would not revert the user to a ‘concurrent session’ license as most would expect. Instead, follow best practices and assign roles indirectly via a Team (this revert to ‘concurrent session’ license is only applicable from the Quarterly release update in August 2023)

      • The planning role could be assigned via a ‘request role’, and if the request is approved, the license type for the user will change to ‘named’







 

  • Analytic Hub Roles:

    • Do not add Users directly into Analytic Hub Roles as this will change their Business Intelligence ‘concurrent session’ license to ‘named user’ (User J)

    • Only add Teams into Analytic Hub Roles (User K)

      • It makes no difference if you add the User to the Team first, or the Team to the Role first



    • Team membership can be the same for ‘named user’ and ‘concurrent session’




Related User Provisioning Best Practices



  • SAP Analytics Cloud SCIM API

    • There are two versions of the SCIM API, both are SCIM v2 compliant:

      • Version 1 has the endpoint /api/v1

      • Version 2 has the endpoint /api/v1/scim2



    • Version 2 was made available in Q1 2023 and supports the PATCH method, unlike the earlier version

    • Both versions are supported, and there are no plans to retire version 1







  • Default roles and request roles

    • Any role assignment made to a user or a team that occurs without the knowledge of the Provisioning Solution means the source isn’t aware of those changes

    • Default roles and request roles are good examples where role assignment may occur without the knowledge of the Provisioning Solution

    • To avoid such role assignment being ‘dropped’, the SCIM API PATCH method should be used over a PUT method when the Provisioning solution updates users and teams

    • This means version 2 of the API should be used in preference to version 1 in such cases, but some caution may be needed with version 2 for huge user volumes




 

  • If using SAP IPS, then you can update your configuration to use the new version 2 API (see what’s new)

    • The v1 API currently remains the default until performance concerns with version 2 are lifted




 

  • Usual best practices apply:

    • Create users with the right ‘Business Intelligence’ license type to start with

      • Avoid creating users to then only update each users ‘Business Intelligence’ license type



    • Use Teams to group roles together

      • Assign users to teams, and assign teams to roles

      • There should be no need to assign roles directly to a user






 

Frequently Asked Questions






  • Q. For Business Intelligence Roles, why are no Teams listed under the ‘Concurrent Session License’ tab


  • A. In short, there is no need to list them

    • The Teams are listed under the ‘User License’

    • Simply select the Team under the ‘User License’ tab instead

    • The Business Intelligence license type will not change for Users of those Teams you select (even though it is under the ‘User License’ tab), unless the user is directly selected

    • You can still assign a Team to a Business Intelligence Role and keep the users ‘concurrent session’ license setting  unchanged








  • Q. What Business Intelligence license will new users be assigned when defining Default Roles for Analytics Hub Role AND a Business Intelligence Role (and assigning the ‘concurrent session’)


  • A. They will be assigned the Business Intelligence ‘concurrent session’ license

    • It is using the actual interface, within the Analytics Hub Role assignment, that causes an update of the Business Intelligence license type to change to ‘named user’, not the combination of the two roles








  • Q. Is there any difference, from a license perspective, between the different roles of the same License Type


  • A. No

    • The ‘BI Admin’ role consumes the same license as a ‘BI Content Viewer’ role

    • The same applies to all other license types

    • A user assigned a ‘BI Admin’ role, like any other Business Intelligence role can be assigned ‘concurrent session’ license type




 


  • Q. Is there something special about the ‘Admin’ Roles provided by the Service


  • A. No

    • Custom roles with all rights granted are the same as the ‘Admin’ Roles provided by SAP Analytics Cloud. There’s nothing special about them




 

 


  • Q. What license type will be consumed by the ‘System Owner’


  • A. None

    • The license for this user is ‘free’ and they will not consume any particular license

    • It has no impact on the number of named or concurrent session licenses consumed

    • They will be granted all rights across all available license types

    • The System Owner is also the only user that can edit the SAML configuration








  • Q. Why is the Business Intelligence User (Concurrent Session License) Count at 0


  • A. This is the real-time value and shows the number of concurrent users using the Service right now

    • It is not showing the number of users assigned a ‘concurrent session’ license, unlike all the other ‘named user’ licenses shown





 


  • Q. Can you assign more named-user licenses that you actually are entitled to


  • A. From the August Q3 QRC release update, the answer is no. Before this release, you could consume more licenses there you were entitled

    • When you assign named-user licenses to users you are not allowed to exceed your license entitlement. The operation to create or update a user or team will fail if that license entitlement would be exceeded. You can create/add as many named users, that are ‘deactivated’, as you please, because deactivated users do not consume a license

    • You can also add, and assign, as many Business Intelligence concurrent licenses as you please, because Business Intelligence concurrent licenses are enforced at the time of login, unlike named user licenses. These Business Intelligence ‘concurrent session licensed’ users can be activated or deactivated




 


  • Q. How can I see which users are members of which Teams and Roles


  • A. There are two ways to achieve this

    • Option 1) use SAC Usage Content
      Option 2) use the Administration Cockpit
      Option 3) use the User and Team Provisioning API









    • Option 1: SAC Usage Content

      • Files-Content Network-Samples-SAC Usage ContentUser Information Page

      • Can see user per team, roles per team

      • Create your own widget for Teams per user:












  • Option 3: User and Team Provisioning API

    • The API can be called via the browser returning a json response

    • Use a JSON viewer chrome extension to make the json more readable
      See next slide for examples




 

  • API conforms to System for Cross-domain Identity Management (SCIM 2.0) specification

  • Please refer to the documentation for more information

  • Please refer to this blog that introduces Sample Scripts and Best Practices


 



 

 


  • Q. What happens when the concurrent session license limit is reached


  • A. When a user, that is defined with a ‘Business Intelligence concurrent session’ license, ties to log-on but when all available concurrent sessions have been consumed, the user will experience an error saying "No Sessions Available. All concurrent session licences on this system are in use. Please try to log on again later, or contact your system administrator to increase the number of available sessions."






  • Q. How do you un-assign licenses


  • A. Licenses are derived from the roles assigned to users. These roles can be assigned either directly or indirectly via a team since a team can be a member of a role

    • So, if you want to unassign the Analytics Hub license, you must stop the user from being assigned all Analytics Hub roles. The same applies similarly to Business Intelligence and Planning licenses.  You may also deactivate a user; doing so will mean they do not consume any license, but they won’t be able to log in.

    • Sample scripts:

      • 403 – updates a user’s team members and can be used to remove users from all teams (just use an empty array [] with the action ‘replace’) –see FAQ

      • 1x2, 2x2, 4x9 – updates users and can be used to remove all roles directly assigned to a user (just use an empty array [] with the action ‘replace’)






 


  • Q. The SCIM API used to be able to write/update the ‘active’ property, but it doesn’t any more, why is this


  • A. The SCIM API previously allowed the users' ‘active’ property to be changed, say from true to false   This property change was never officially supported. It wasn’t mentioned in any of the official documentation for example, though it worked. Once the property was set to false, any existing user sessions were immediately terminated and the user was unable to log in again until the setting was changed back to true.

    • In 2022 this property was set to ‘read-only’. The property, though, does accurately reflect if the user is activated or deactivated. A ‘true’ value for ‘isActive’ means the user is activated. A ‘false’ value for ‘isActive means the user is deactivated and thus not consuming a license.

    • There is no API or supported automated means to programmatically activate or deactivate users, it requires a manual intervention to go to the Menu-Security-Users screen, select the user(s) and then press the ‘activate’ or ‘deactivate’ button.

    • For more details on managing dormant users please visit this blog post

    • Related sample scripts:

      • Scenario L01 Managers with BIconcurrent to BInamed license

      • Scenario L02 Disabled users to BIconcurrent license

      • Scenario D02 to D07 Dormant Users A to F






 

 

 


  • Q. How can I easily see which users are assigned which licence


  • A. To see a list of all your users and if they have a Business Intelligence ‘named user’ or ‘concurrent user’ assigned use the drop down in Menu-Security-Users

  • The export to csv does not limit the users to the license type selected, it only limits the users that are displayed

  • The exported csv file does not list the column ‘Licenses’ so the only means to see which user is consuming which license is using the user interface



 


  • Q. How do you determine who uses SAP Analytics Cloud more frequently than others


  • A1. Generate a list of user login events with 'Menu-Security-Activities'. Filter on 'Activity-Login' and a time frame and export the list. The more login events per user mean they use the Service more frequently than others. The users that log in most frequently would probably be worthy of a 'named user' license, whilst perhaps the others (using it less frequently) could be assigned a 'concurrent' license.







  • Q. Can you use SAML attribute mapping to define which user license should be used


  • A. No. The SAML attribute mapping does not support the Business Intelligence license type the user should consume, it only supports the mapping of roles and/or teams (in addition to the user id, email or custom attribute you’re using to identify the user)
    You can still use SAML attribute mapping with a default role (and have this default role configured so that when the user is created, it sets the Business Intelligence license as ‘concurrent-session’)


 


  • Q. Is it possible to create a user, without any roles and without being a member of any teams, and still set the ‘Business Intelligence’ license type to ‘concurrent’


  • A. Yes. This is possible with both the user interface and the SCIM API

  • For those who wish to use the sample scripts, then all the sample scripts that create users can do this for you


 


  • Q. Can I have 2 ‘default’ roles


  • A. Yes. You can have as many default roles as you would like. It means when a new user is created, they will automatically be assigned all the default roles. If any one of those default roles is set to be of type ‘concurrent session’, then the users Business Intelligence license will be set as a ‘concurrent session’
    In turn, this means you can’t have a default role for one type of user and a different default role for a different type of user


 


  • Q. Are Concurrent Session licenses available


  • Concurrent session licenses are no longer available to purchase.

    • Please contact your SAP account representative for further information




 


  • Q. Is it possible to set the users’ ‘Business Intelligence’ license type to ‘concurrent’ even when the SAP Analytics Cloud Service doesn’t have any ‘concurrent session’ licenses


  • A. Yes, but only via the API and even then the user won’t be able to log in, of course. Such a workflow isn’t officially supported and so caution should be used if such a workflow was needed for any business purpose

    • The user interface prevents the ‘concurrent session’ from being shown in such cases so the user interface options will not enable you to make any changes to the users’ license type. This equally applies to default roles. The concurrent session option, in such cases, will not be available as an option to change the license type of the user when defining default roles




 


  • Q. Can a request role be set to switch the license type to concurrent


  • A. No. A request role, once approved, will mean the role is directly assigned to the user. There is no option, as part of the request role setup, to change the Business Intelligence license type

    • However, should the role be approved, and that request role is a planning role, then the user will consume a named-user license since all Planning roles are named-user

    • It means a Planning request role can be used to switch the license type from ‘concurrent session’ to ‘named’. Even if the Planning request role doesn’t actually need to have any rights assigned within it, the user will still be assigned and consume a planning named-user license

    • Even after the Q3 QRC update in August 2023, the Business Intelligence license type will have changed to ‘named’ in such cases. It means if the planning role is later removed, the user will not revert back to consuming a Business Intelligence ‘concurrent-session’ license




 


  • Q. What happens when Concurrent User licenses are removed from the Service


  • A. All users that have a ‘concurrent session’ license will be updated to have a ‘named’ license at the time the license is removed

    • It means you don’t need to make any changes beforehand

    • Concurrent User Licenses are only removed by agreement between SAP and the customer




 


  • Q. Can I export a list of users that have a Business Intelligence license type set to ‘concurrent’


  • A, Yes.

    • Select Menu-Security-Users

    • To list users of ‘named user’ or ‘concurrent sessions’ use the drop-down option

    • Export the complete list and filter on IS_CONCURRENT, 1 means concurrent, 0 means named

    • With the Q3 QRC update in August 2023:

      • This property can no longer be used to guarantee which license is actually consumed by the user. The property is basically just ‘requesting’ a concurrent-session license if and only if a Business Intelligence license is assigned to the user. If a Planning license is also assigned because the user has a planning role, then the user will not be able to consume a ‘Business Intelligence’ license. In such cases, this property could be ‘true’, but the user is actually consuming a Planning license. This equally applies to the SCIM API for ‘isConcurrent’






 


 


  • Q. When using the SAP Analytics Cloud SCIM API, can I rely on the ‘isConcurrent’ property in the same way I did before


  • A. No, not with the Q3 QRC update in August 2023:

    • This property can no longer be used to guarantee which license is actually consumed by the user. The property is basically just ‘requesting’ a concurrent-session license if and only if a Business Intelligence license is assigned to the user. If a Planning license is also assigned because the user has a planning role, then the user will not be able to consume a ‘Business Intelligence’ license. In such cases, this property could be ‘true’, but the user is actually consuming a Planning license.

    • This means that some sample scripts, for example, the ‘665 AdminToolKit’ sample script can use the isConcurrent property to identify ‘concurrent-session’ licensed users. This sample will now not necessarily identify the correct intended target users as it did before.

      • It means the semantics of any users identified changes from “users assigned a Business Intelligence concurrent session license” to “users requested a Business Intelligence concurrent session license if they don’t also consume any Planning or Analytics Hub license






 


  • Q. Why can’t I change the licenses assigned


  • A. The column ‘Licenses’ isn’t editable, it is derived from the role(s) the user is a member of

    • Roles can be assigned directly or indirectly via a team through inheritance

    • A user inherits roles through teams as well as roles

    • A team can be a member of multiple roles

    • The roles shown in the Security-Users interface are roles directly assigned, not ones inherited via a team

      • Its typical for a user to only be assigned roles via team membership, leaving this column blank







 


  • Q. What is a concurrent session


  • A. Any session a user creates where that user is consuming a Business Intelligence concurrent license

    • A new session will be established when the user logs on, regardless if the user has already logged on or not

    • For each occasion, the (concurrent session) user logs on, a new session will be established and each occasion will consume a concurrent session license. That new session could be created via a web browser or via a mobile application. Regardless, each time a new session is established a concurrent session will be consumed

    • This means a single user could, in theory, consume all the concurrent session licenses available, though they would need to log on, without logging out, a lot of times in order to do so!

    • A user will not consume an additional concurrent session if they just duplicate the ‘browser tab’, as that maintains the session. This is unlike using an ‘incognito window’ when a new session is always created, even when the same browser on the same device is used.

    • A user session (including concurrent sessions) is terminated at the time of logout (sign out/log off), or once the ‘Session Timeout’ has been reached (see guide for more on this admin setting and KBA 2654196)

    • A session is not terminated just by closing the browser window or closing the mobile application

    • A user without a concurrent license (i.e. a named user) is not restricted by the number of sessions they can create (SAP KBA 3064543) which means no matter how many sessions they do create, it has no impact on available sessions for anyone else

    • A concurrent session license limits the number of sessions and doesn’t limit the number of users; unlike a named user licence which limits the number of users, not sessions. In both cases, you need to define the user and set the license type each user should consume. It’s not possible to define a user to use ‘named’ on some occasions, and ‘concurrent’ on others (unless you change the license type between)




 


  • Q. Are named users limited by the number of sessions


  • A. No

    • A user, assigned a named-user license, can have as many sessions as they like, there is no limit

    • A single user account, used by more than one human being, would most likely breach the license agreement. A single-user account is for a named individual, hence ‘named-user’. It can only be used by a single human being and not multiple humans at the same, or at different times. If a single user account was used by multiple humans it would almost certainly not be compliant with license terms and conditions




 


  • Q. What is the best practice when there is a mismatch between Production and non-Production licenses


  • A. ‘Test’ SAP Analytics Cloud Services (tenants) only come with Planning Professional licenses, unlike regular, productive SAP Analytics Cloud Services (tenants) that come with a different mixture of licenses and don’t necessarily have any Planning licenses at all

    • In such cases, your ‘Test’ SAP Analytics Cloud Services (tenants) will have more capabilities than your productive SAP Analytics Cloud Services (tenants). There’s a ‘mismatch’ of licenses between these two types of SAP Analytics Cloud Services (tenants)

    • This isn’t a problem so long as you only assign users in your ‘Test’ SAP Analytics Cloud Services (tenants) with roles associated with the licenses available in your SAP Analytics Cloud Production Service. This will ensure that your ‘Test’ users can’t do things in ‘Test’ that aren’t possible in ‘Production’ due to the license mismatch

    • If you created a custom role in ‘Test’ associated with a license type not available in ‘Prod’, it would fail if you tried to import that role into ‘Production’. Thus it’s essential only to use roles that are associated with licenses that are common across the entire landscape

    • Please refer to this article which explains the use of ‘Test’ and ‘non-Test’ Services (tenants) within the landscape




 


  • Q. Are any Business Intelligence roles removed due to a contract change that means only Planning licenses will remain?


  • A.

    • No.

    • All Business Intelligence standard roles (ones provided out-of-the-box) and custom roles will remain even if your SAP Analytics Cloud Service doesn’t have any Business Intelligence licenses




 


  • Q. When a custom role is assigned and doesn’t necessarily grant any rights associated with that role's license type, what license will the user consume


  • A. Even if no rights are granted in the custom role, the user will still consume the license type associated with that custom role. When creating a custom role, you create it ‘under a license type’, and it is this license type the user will inherit, even if that custom role doesn't grant any rights.







    • For example, this user has a custom role called 'BlankPlanningPro' assigned to them directly (best practice would be to assign the role via a Team, but handy here so you can see it more obviously). No rights are granted within this custom role, so the role doesn't do much! The user still consumes a Planning Professional license because the custom role was created 'under' the Planning Professional Role. It means a role is always associated with a license, even if it’s a ‘blank’ role and doesn’t grant any rights within it

    • As an example, this user has a custom role called 'BlankPlanningPro' assigned to them directly (best practice would be to assign the role via a Team, but handy here so you can see it more obviously). There are no rights granted within this custom role, so the role doesn't really do much! The user though, still consumes a Planning Professional license because the custom role was created 'under' the Planning Professional Role. It means a role is always associated with a license, even if it’s a ‘blank’ role and doesn’t grant any rights within it




 


  • Q. When the named-user license enforcement comes into effect, what grace period does SAP provide to allow organisations to become compliant


  • A. The enforcement of named user licenses is effective in early November 2023.

    • There is no grace period, which is why warning notifications started in the Q2 2023 update in May 2023 to allow organisations to take appropriate action

    • However, if your SAP Analytics Cloud Service has over-provisioned users as they are consuming more named-user licenses than they are licensed for, these users can still log on and use the Service as they did before. Any existing schedules will continue to run as they did before. There is no time limit to this which means, in some way, there is an endless grace period

    • Remember that whilst the license consumption has exceeded the license entitlement, then updates to users consuming the exceeded license type will fail. The list of example failures is provided in this article and includes creating users and updates to users and teams




 


  • Q. When licenses are carried over to a higher license type, can I see which user was assigned a higher license, and how can I change the user


  • A. This isn’t possible. The calculation is just a calculation to prevent workflows within the service from exceeding the license entitlement.







    • In the example, there are not enough Business Intelligence licenses available, so 1 license needs to be carried over to a ‘higher’ license type. This is just a number and not any particular user.
      There are no easy means to determine if a license has been carried over to a higher license type and that you are potentially consuming a more expensive license than desired. This can only happen if a license allocation is full. Monitoring the allocation of licenses compared to your planned allocation. Deactivating a user consuming a ‘Business Intelligence’ license should drop the number of users allocated such a license. If it does not, then licenses have been carried over to a higher license






  • Q. How do you deactivate and activate users


  • A. One or multiple users can be selected on the ‘Menu-Security-Users’ screen and the selected users can then be either activated or de-activated






  • Q. Can you deactivate and activate a whole team of users






  • A. No. Although multiple users can be selected, users can only be deactivated and activated on the Menu-Security-Users screen by selecting the user(s) and pressing the appropriate button.





  • There is also the option to deactivate and activate more than one user at a time by exporting the users as a file Menu-Security-Users-Export, changing the column IS_USER_DEACTIVATED to be ‘TRUE’ or ‘FALSE’ and then re-importing the same file. This is the only ‘mass’ way of changing more than 1 user’s active status, there is no other option available and this includes the API



  • Q. Is it possible to create a new user who is deactivated

  • A. New users can be created as ‘deactivated’ but only via the file-import option. A column called ‘IS_USER_DEACTIVATED’ can be used to create new users ‘deactivated’, set this value to ‘TRUE’. It is not possible any other way and this includes the API




 

  • Q. Is it possible to deactivate and activate a user via an API, such as the SCIM API

  • A. No

    • Although it used to be possible prior in 2022. However, even then, the user still consumed a license



30 Comments
Labels in this area
Popular Blog Posts