Skip to Content
Technical Articles
Author's profile photo Matthew Shaw

SAP Analytics Cloud – Managing Licenses with Roles and Teams

What is the best way to manage license assignment with SAP Analytics Cloud? And how exactly do you assign an Analytics Hub ‘named user’ license with a Business Intelligence ‘concurrent session’ license to the same user?

These questions and many more are addressed in my article ‘Managing Licenses with Roles and Teams’. My article is key to eliminating misconceptions, such as incorrectly believing a role or team has a license type. They don’t and there’s no such thing as a ‘named user role’, or a ‘concurrent session team’.

I detail 3 workflows for assigning licenses of which the last enables an automated means of assigning concurrent session licenses, so no manual or repetitive steps are needed.

There are, sadly, multiple ‘gotchas’ and I explain these in detail so you can avoid them. For you to start off on the right foot and avoid any re-work, I’ve summarised my recommendations in a list of ‘Best Practices’.

My article is packed full of handy information that any SAP Analytics Cloud administrator would want to know, and I’ve answered many FAQs directly in the article. I’ve also added a few tips!

You can access my article in the wiki.

Your feedback is most welcome. Before posting a question, please do read the article carefully and take note of any replies I’ve made to others. Please hit the ‘like’ button on this article or comments to indicate its usefulness.

Many thanks

Matthew Shaw @MattShaw_on_BI

Assigned tags

      13 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Martin Grob
      Martin Grob

      When will we see when users last logged in or used a license? The removal of obsolete users or capabilities is not manageable

      Author's profile photo Harjeet Judge
      Harjeet Judge

      Top notch material as always!  Must read for anyone looking to administer SAC system.

      Author's profile photo Chris Hickman
      Chris Hickman

      What a great article!  Lots of very useful information.

      Will the assignment of Named and Concurrent session licenses ever be moved into the Menu - Security - User section rather than Roles?  It seems confusing that this assignment is a user level property but must be assigned through an (optional) role assignment.

      Author's profile photo Matthew Shaw
      Matthew Shaw
      Blog Post Author

      Hello Chris, This feedback echo's what I've already passed on to our development team. Its fully understood that its not ideal and we need to make improvements. I think first to come will be improvements with team membership in that 'menu-security-users' section. Nothing yet decided I understand, but I hope we see some improvements in this area soon. Keep the feedback coming! Thanks again Matthew

      Author's profile photo Anirudh Srinivasa Varadhan
      Anirudh Srinivasa Varadhan

      Hi Matthew,

      Thanks a lot for your response to my question on the blog https://blogs.sap.com/2019/06/21/sap-analytics-cloud-security-concepts-and-best-practice/comment-page-1/#comment-527414

      We would be implementing a concept where only the IT gets Named licenses and all the users work with concurrent session licenses. We don't plan to use Planning and Analytics Hub as of now.

      Coming back to my second question and your answer:

      Q2 “Assign a Role to the User directly as an inheritance via TEAMS is not possible in                                 an “Only Concurrent” scenario”

      A2: Incorrect. Inheritance via a team makes no difference to the type of license a user                              consumes. You can have teams with members that are concurrent and also                                        named. But watch out for gotchas!

      For me the missing link still is the assignment of a Role to a Team of only "BI Concurrent Sessions License" Users. As you yourself mention in Workflow 2 - Point 7, this is not possible as of today. SAP suggested a very time-consuming workaround here - https://launchpad.support.sap.com/#/notes/2963404

      Given this gap, how can it ensured that a set of Application Rights(Roles) are assigned to a specific Team where all users will be consuming a BI Concurrent Session license?

      Best Regards,

      Anirudh

      Author's profile photo Matthew Shaw
      Matthew Shaw
      Blog Post Author

      Hello Anirudh

      Question: how can it ensured that a set of Application Rights(Roles) are assigned to a specific Team where all users will be consuming a BI Concurrent Session license?

      Answer: I guess it depends on what you mean by 'ensure'. Perhaps the answer for you is 'no, you can't setup the environment in a way that always guarantees that members of a particular team are concurrent'. There's no such thing as a 'concurrent team'. It has to be a two step process, firstly determine who is in the team, then for each member of that team determine their license type. It requires a 'check' or a 'monitor'.  There's no harm using the SCIM API to check and perform this function for you, but you'd need to develop and write that yourself, SAP doesn't provide a solution here. I guess this is what you're after?  Perhaps another handy thing, would be for the 'SAC Usage Content' to expose, for each user, the license type (I don't think it does today).

      Regards, Matthew

      Author's profile photo Anirudh Srinivasa Varadhan
      Anirudh Srinivasa Varadhan

      Hi Matthew,

      Thanks for the reply. I get your point that there is nothing like a "Concurrent Team". I will try to frame my question differently.

      In the section "Best practices in SAC when having BI Concurrent Session licenses), you mention the following:

      Use Teams to group roles together

      • Only Business Intelligence ‘concurrent sessions’ users need to be assigned a role directly. All others can inherit their roles via Team(s)

      https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Managing+Licenses+with+Roles+and+Teams#SAPAnalyticsCloudManagingLicenseswithRolesandTeams-BestPracticeswhenyourSAPAnalyticsCloudService,inparticular,hasBusinessIntelligence%E2%80%98concurrentsession%E2%80%99licenses

      That means BI concurrent sessions users cannot inherit their roles via Team(s). This consequently means Teams cannot be used as an aggregator of Roles as you mention here below.

      Currently a Team cannot be assigned to a Role defined as ‘Concurrent session’
      • You’ll need to add each user individually to the role
      • Or use the ‘User & Team Provisioning API’ to do the same

      https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Security+Concepts+and+Best+Practice#SAPAnalyticsCloudSecurityConceptsandBestPractice-TeamsasAggregator

      Is there a way that I can use Teams to aggregate roles for Users consuming Concurrent Session licenses? According to me, this is exactly the product limitation described in https://launchpad.support.sap.com/#/notes/2791129

      Best Regards,

      Anirudh

       

      Author's profile photo Matthew Shaw
      Matthew Shaw
      Blog Post Author

      Hello Anirudh

      I think I see your question now.

      So the section of the article you're referring to is the 'Best Practice' section. Here I'm saying that its best practice to have a 'default' role defined and that 'default' role would be set so that users (as they added to it) are set the 'concurrent' license. Its only this role that 'needs' to be assigned directly for users of type 'User G'. Other users don't need to inherit any role directly, they can inherit roles via teams. Even users of type 'User G' can inherit roles via teams.

      Don't read "Only Business Intelligence ‘concurrent sessions’ users need to be assigned a role directly." as an overall rule. Its just in the context of the best practice when setting up a 'default' role which assigns 'concurrent' to users as they are granted that role. Its the way in which the 'default' role and the license assignment makes this role assignment necessary. Its not necessary from other point of view.

      No users, even users assigned (or to be assigned) a 'concurrent' license, need to inherit any role directly. i.e. Users with a concurrent license do NOT need to inherit any role directly, its just necessary (needed) if you're following the best practice of using a 'default' role. Using a default' role saves administrators from having to manually edit or add the license type for the 'masses'. Administrators only need to add 'named users' to teams (typically granting them more 'expert' rights/roles) and this (depending upon the workflow) change their license to named.

      So a team can most certainly contain users that are assigned both 'concurrent' and 'named' and that same team can be a member of many roles.

      Complicated stuff! Does this help?

      Regards, Matthew

      Author's profile photo Anirudh Srinivasa Varadhan
      Anirudh Srinivasa Varadhan

      Hi Matthew,

      thanks again for your reply and effort to clarify the context. I do understand the need and application of Default role. My question is specific to Workflow 2 - Step 7. I will try to illustrate it with an example:

      Lets assume User G has been created with a Default Role G.

      I add the user manually or with the API to TEAM G. Now I wish to assign a newly created BI Role Z to TEAM G so that User G and other concurrent session users in TEAM G inherit Role Z automatically.

      I would proceed as you mentioned in Workflow 2 - Step 7 by selecting Role Z.

      https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Managing+Licenses+with+Roles+and+Teams#SAPAnalyticsCloudManagingLicenseswithRolesandTeams-Workflow2%E2%80%93Security-Roles

      7. Select the ‘Concurrent Session license’ radio button

      • Only a list of users will be shown
      • Teams will not be shown once ‘Concurrent Session License’ has been selected

      But due to the product limitation, I cannot assign Role Z to TEAM G. This is a limitation and am just wondering whether there is a workaround I am missing.

      Thanks for your effort once again!

      Best Regards,

      Anirudh

      Author's profile photo Matthew Shaw
      Matthew Shaw
      Blog Post Author

      Hello Anirudh

      We're getting there. So you need this FAQ https://wiki.scn.sap.com/wiki/display/BOC/SAP+Analytics+Cloud+-+Managing+Licenses+with+Roles+and+Teams#SAPAnalyticsCloudManagingLicenseswithRolesandTeams-Q.ForBusinessIntelligenceRoles,whyarenoTeamslistedunderthe%E2%80%98ConcurrentSessionLicense%E2%80%99tab?

      Where I say

      • The Teams are listed under the ‘User License’
      • Simply select the Team under the ‘User License’ tab instead
      • The Business Intelligence license type will not change for Users of those Teams you select (even though it is under the ‘User License’ tab), unless the user is directly selected
      • You can still assign a Team to a Business Intelligence Role and keep the users ‘concurrent session’ license setting  unchanged

      ok now?

      Regards, Matthew

      Author's profile photo Anirudh Srinivasa Varadhan
      Anirudh Srinivasa Varadhan

      Hi Matthew,

      somehow missed the FAQs in my conquest to decrypt the SAC Security concepts! Thanks a lot for your valuable input.

      I hereby rest my case.

      Best Regards,

      Anirudh

      Author's profile photo Edward Fitzgerald
      Edward Fitzgerald

      Hi Matthew

       

      Thanks for this blog, very interesting

      This may not be the correct place to ask the question, however i'm keen understand how we can accurately report on the number if licences currently assigned. I can see a number of options within SAC that show usage, etc but what I really need (and it may be out there somewhere) is something that shows we how many Concurrent & Named licences have been assigned and how many of these have been used on a day by day basis.

       

      We need to understand how close we are to reaching our current limit of 60 Named Licences but I can't find anything that shows this

      If there is anything you could share it would be appreciated

       

      Ed

       

      Author's profile photo Matthew Shaw
      Matthew Shaw
      Blog Post Author

      Hello Edward

      Thank you for your feedback.

      The tips section has this for a list of which users are assigned which Business Intelligence license:

      Tip: Filter BI license type

      • To list users of ‘named user’ or ‘concurrent sessions’ use the drop-down option (in Security-Users)
      • Or export the list and filter on IS_CONCURRENT

       

      You can determine who is using the service most frequently by generate a list of user logon events with 'Menu-Security-Activities'. Filter on 'Activity-Login' and a time frame (say last 30 days) and export the list. The more login events per user would suggest they use the Service more frequently than others. The users that login most frequently would probably be worthy of a 'named user' license, whilst perhaps the others (using it less frequently) could be assigned a 'concurrent' license.

       

      I'll add this to my FAQ list at some point in time.

      Hope this helps?

      Regards, Matthew