What permissions do you need for SAP for Me?
When I look back at my blogs of the last 2 years, one blog aroused particular interest. It was about the authorizations a user needs in SAP for Me.
In the meantime, so much has happened in SAP for Me that I decided to write another blog about this topic. Of course, it will again be about what authorizations are available and how they can be used. But I also want to use this blog to give some insights into what thoughts have led us to where we are today with SAP for Me and where we want to go from here.
Side note 1: If you don’t have an S-User yet, don’t miss my blog “How do I get access to SAP for Me?”
Side note 2: If you are an SAP partner, don’t miss the blog “What permissions do you need for SAP for Me for Partners?” from my colleague Aine O’Flynn.
All current SAP for Me authorizations at a glance
For those who want to get right to the point, however, I’ll start right away with the overview of authorizations. The following table shows an overview about
- the capability areas in SAP for Me
- the available authorizations
- which additional information is made available
- and where you can find this information in SAP for Me.
All permissions can be assigned directly in the SAP ONE Support Launchpad.
|Portfolio & Products||No permissions required|
|Knowledge & Learning||No permissions required|
|Systems & Provisioning||
Edit Cloud Data
Trigger system provisioning
|Finance & Legal||
Display Order Information in SAP for Me
View all orders assigned to customer account
View list of license materials related to order
View CPEA Balance Statements
Manage Invoices and Payments
Trigger purchase of additional licenses
Access License Utilization for Cloud
View consumption of cloud
|Support & Maintenance||
Display All Incidents and/or Display Incidents
View all incidents or just the incidents of the S-User
Report an Incident and/or Send Incidents to SAP
Report and incident and send incident to SAP
|Users & Contacts||
Edit Contact-Role Assignment in SAP for Me
Change the assignment of a person on customer side to a customer contact role related to a product.
As the table shows, the necessary authorizations have been kept very low so far. And obviously there is no need for permissions in some areas. I would like to address this below with some background information.
Why is SAP for Me somewhat different from other SAP tools?
In SAP for Me, we identify a user in the same way as SAP ONE Support Launchpad, for example. Only a person with an S-User is assigned by us to a customer account and therefore can see customer content in SAP for Me. And in the same way, we use the User Management – which is still located in SAP ONE Support Launchpad – which also provides us with a full authorization model. In that respect, SAP for Me is not different yet.
However, the possession of an S-User – which is always managed centrally by the customer (company) – is already an initial authorization for us. The question now is, which data can already be shown with it and which are worth to be packed behind an additional authorization.
Here, SAP for Me differs in that the mere fact that a person has an S-User means that we already classify the first content as unobjectionable and display it. For example, the overview of SAP products available under the given customer account.
Why do we do it this way? It’s mainly because of the tons of customer feedback, telling us over and over again that the authorization of S-User has become too complex. The call for simplicity was unmistakable. And I think that at a certain point it was also clear that customers nowadays also position themselves differently internally and that internal transparency has become much more important in order to be able to identify opportunities for further improving the company. After all, what is the point if a license manager “believes” to see everything, but still some information remains hidden. This is not a good foundation for license optimization, for example. Of course, these license optimizations will not always be in our favor, but that is exactly what we want to stand for: The success of the customer comes first.
Which authorizations for what?
The table above has already compiled which authorizations are currently relevant in SAP for Me. I would like to go into more detail about the individual capability areas.
As already described in What is SAP for Me?, SAP for Me currently offers six different (business) capability areas. In addition, there is one area that combines all important cross capabilities.
Portfolio & Products
As already mentioned, a person with S-User can already directly see the products available through the customer account. This includes products from SAP as well as products licensed from SAP partners. Since we always want to put the data in SAP for Me in relation to each other, the user will naturally stumble across content when exploring through the products where he/she does not have permissions. In this case, this content will of course not be displayed.
For example, the product list in the Portfolio & Product Dashboard shows licenses, orders, and systems attached to the product in addition to the products. The latter would be visible to the user. For the licenses and orders you need a special permission (see below).
Currently there is no explicit authorization for simple product content in SAP for Me. So the following options are directly available to the user:
- View all purchased SAP on premise products (based on the user’s customer account).
- Display of all purchased SAP Cloud products (based on the user’s customer account)
- Exploration of the respective product with views on systems, available learning materials, product roadmap and further product materials.
Knowledge & Learning
There are currently no special permissions in the Knowledge & Learning area. However, it must be noted here that the content for “My Learnings” in particular is personal content that is already authorized via the user account as such. No further authorization is necessary here.
Systems & Provisioning
As with the products, an S-User can already see some information about the systems behind the products. Here, availabilities are certainly an interesting information, whereby it is not only about the current availability but also about the planned maintenance.
In addition to the system, there is also a strong self-service, which we now want to expand further and further. This is about the provisioning of cloud systems. Of course, we cannot simply make this self-service available to all S-Users, which is why it lies behind an authorization. A user can indeed see that new systems could be provisioned. Without the right authorization, however, he cannot trigger this provisioning.
Finance & Legal
As expected, this is the area with the most authorizations, as it is a more sensitive data environment. An S-user without special permissions sees practically nothing here.
To see software orders and their included licenses you need a special permission.
Another permission is needed to see the cloud license usage. And another one will be necessary soon, if we want to offer the view of on premise license usage in SAP for Me.
In addition, there is still information about billing. While balance sheets are displayed as part of the order and license Authorization, a user needs a separate permission to view invoices.
Finally, there is another permission that allows an S-User to purchase licenses, which can be used in the near future, for example, to repurchase an overused license.
Support & Maintenance
In the area of Support & Maintenance, we do not yet use our own authorizations, but instead use the authorizations already available, as they are also used in the SAP ONE Support Launchpad. If the S-User already has the authorization to view or create incidents, he has the same possibilities in SAP for Me.
Users & Contacts
Finally, there is the User and User Management area as well as Contacts. The topic of user management will only become relevant at a later point in time and is mentioned by name here but is not yet included in our plans.
Contacts, on the other hand, have already been extensively implemented in SAP for Me. It is not only possible to see the company’s own contacts for a product, but also to easily find SAP contacts that are available for the customer or a specific product at the customer’s site. Both do not require any further authorization, as long as it is only about the display. On the other hand, you need an authorization if you want to change the company’s own contacts. There are two authorizations for this, because we have differentiated again between product-relevant and order-relevant contacts. The latter have a direct connection to the financial data and therefore require special authorization. The function to change order-relevant contacts is not yet available, which is why I have omitted the necessary authorization in the table above.
I hope this blog helps to better understand the topic of authorizations in SAP for Me. Of course, SAP for Me is still growing, so I will adapt this blog again in due course. Basically, we are also currently working on a more comprehensive, central documentation for SAP for Me, which will then make these blogs obsolete in the future.
I am – as always – very interested in feedback. So please feel free to let me know directly in the comments.
Hi, thanks for the informative overview. Which authorization do I need to work with Deal Registrations?
Partner authorizations are assigned by the Partner Security Manager at your organisation. If you do not have authorization to view a card, you will see a note in the card to contact the Security Manager, and there is a link to contact them directly in the tool. You can also find your Security Manager by contacting email@example.com.
For Deal execution, you will need one of the following functions assigned: Sales Contact, Sales Manager, Sales Operation, Partner Manager or Security Manager.
You can access the deal execution section of SAP for Me here: https://me.sap.com/partner/dashboard/salesAndMarketing/dealExecution
You can also directly access the Deal Registration app here:
If you have any further questions, please let me know.
Please see also the general introduction to s-user management and authorizations including an updated view on SAP for Me.
About the user, authorization and administrator concept
Are security changes made to user accounts via User Management (in the Launchpad) reflected immediately for the user? Is there a wait/sync period? Should the user logout and log back in?
Is there any way for customers to drill-down to specific users that are consuming Cloud Solution licenses? For example, my customers would like to know who are the users behind the number of licenses consumed in Performance Management and Recruiting.
The instance license usage reports require additional configuration that the customer is not willing to perform in Production envrionment just for this purpose.
I installed the mobile application on my professional iPhone, entered my SAP email and password in the "sapit-forme-prod" screen to open a session. It prompts me to enter a PIN code (RADIUS Server token) to continue.
Which SAP application should be used to get this PIN code?
I'm stuck as I tested with multiple MFA applications (MS Authenticator, SAP Authenticator, SecurID Authenticator) and none of them work
P.S.: I've installed the mobile application once SAP for Me was available to SAP employees and it has worked like a charm without this extra PIN code setup...