When I look back at my blogs of the last 2 years, one blog aroused particular interest. It was about the authorizations a user needs in SAP for Me.
In the meantime, so much has happened in SAP for Me that I decided to write another blog about this topic. Of course, it will again be about what authorizations are available and how they can be used. But I also want to use this blog to give some insights into what thoughts have led us to where we are today with SAP for Me and where we want to go from here.
Side note 1: If you don’t have an S-User yet, don’t miss my blog “How do I get access to SAP for Me?”
Side note 2: If you are an SAP partner, don’t miss the blog “What permissions do you need for SAP for Me for Partners?” from my colleague Aine O’Flynn.
All current SAP for Me authorizations at a glance
For those who want to get right to the point, however, I’ll start right away with the overview of authorizations. The following table shows an overview about
- the capability areas in SAP for Me
- the available authorizations
- which additional information is made available
- and where you can find this information in SAP for Me.
|Portfolio & Products||No permissions required|
|Knowledge & Learning||No permissions required|
|Systems & Provisioning||
Edit Cloud Data
Trigger system provisioning
|Finance & Legal||
Display Order Information in SAP for Me
View all orders assigned to customer account
View list of license materials related to order
View CPEA Balance Statements
Manage Invoices and Payments
Trigger purchase of additional licenses
Access License Utilization for Cloud
View consumption of cloud
|Support & Maintenance||
Display All Incidents and/or Display Incidents
View all incidents or just the incidents of the S-User
Report an Incident and/or Send Incidents to SAP
Report and incident and send incident to SAP
|Users & Contacts||
Edit Contact-Role Assignment in SAP for Me
Change the assignment of a person on customer side to a customer contact role related to a product.
As the table shows, the necessary authorizations have been kept very low so far. And obviously there is no need for permissions in some areas. I would like to address this below with some background information.
Why is SAP for Me somewhat different from other SAP tools?
In SAP for Me, we identify a user in the same way as SAP ONE Support Launchpad, for example. Only a person with an S-User is assigned by us to a customer account and therefore can see customer content in SAP for Me. And in the same way, we use the User Management – which is still located in SAP ONE Support Launchpad – which also provides us with a full authorization model. In that respect, SAP for Me is not different yet.
However, the possession of an S-User – which is always managed centrally by the customer (company) – is already an initial authorization for us. The question now is, which data can already be shown with it and which are worth to be packed behind an additional authorization.
Here, SAP for Me differs in that the mere fact that a person has an S-User means that we already classify the first content as unobjectionable and display it. For example, the overview of SAP products available under the given customer account.
Why do we do it this way? It’s mainly because of the tons of customer feedback, telling us over and over again that the authorization of S-User has become too complex. The call for simplicity was unmistakable. And I think that at a certain point it was also clear that customers nowadays also position themselves differently internally and that internal transparency has become much more important in order to be able to identify opportunities for further improving the company. After all, what is the point if a license manager “believes” to see everything, but still some information remains hidden. This is not a good foundation for license optimization, for example. Of course, these license optimizations will not always be in our favor, but that is exactly what we want to stand for: The success of the customer comes first.
Which authorizations for what?
The table above has already compiled which authorizations are currently relevant in SAP for Me. I would like to go into more detail about the individual capability areas.
As already described in What is SAP for Me?, SAP for Me currently offers six different (business) capability areas. In addition, there is one area that combines all important cross capabilities.
Portfolio & Products
As already mentioned, a person with S-User can already directly see the products available through the customer account. This includes products from SAP as well as products licensed from SAP partners. Since we always want to put the data in SAP for Me in relation to each other, the user will naturally stumble across content when exploring through the products where he/she does not have permissions. In this case, this content will of course not be displayed.
For example, the product list in the Portfolio & Product Dashboard shows licenses, orders, and systems attached to the product in addition to the products. The latter would be visible to the user. For the licenses and orders you need a special permission (see below).
Currently there is no explicit authorization for simple product content in SAP for Me. So the following options are directly available to the user:
- View all purchased SAP on premise products (based on the user’s customer account).
- Display of all purchased SAP Cloud products (based on the user’s customer account)
- Exploration of the respective product with views on systems, available learning materials, product roadmap and further product materials.
Knowledge & Learning
There are currently no special permissions in the Knowledge & Learning area. However, it must be noted here that the content for “My Learnings” in particular is personal content that is already authorized via the user account as such. No further authorization is necessary here.
Systems & Provisioning
As with the products, an S-User can already see some information about the systems behind the products. Here, availabilities are certainly an interesting information, whereby it is not only about the current availability but also about the planned maintenance.
In addition to the system, there is also a strong self-service, which we now want to expand further and further. This is about the provisioning of cloud systems. Of course, we cannot simply make this self-service available to all S-Users, which is why it lies behind an authorization. A user can indeed see that new systems could be provisioned. Without the right authorization, however, he cannot trigger this provisioning.
Finance & Legal
As expected, this is the area with the most authorizations, as it is a more sensitive data environment. An S-user without special permissions sees practically nothing here.
To see software orders and their included licenses you need a special permission.
Another permission is needed to see the cloud license usage. And another one will be necessary soon, if we want to offer the view of on premise license usage in SAP for Me.
In addition, there is still information about billing. While balance sheets are displayed as part of the order and license Authorization, a user needs a separate permission to view invoices.
Finally, there is another permission that allows an S-User to purchase licenses, which can be used in the near future, for example, to repurchase an overused license.
Support & Maintenance
In the area of Support & Maintenance, we do not yet use our own authorizations, but instead use the authorizations already available, as they are also used in the SAP ONE Support Launchpad. If the S-User already has the authorization to view or create incidents, he has the same possibilities in SAP for Me.
Users & Contacts
Finally, there is the User and User Management area as well as Contacts. The topic of user management will only become relevant at a later point in time and is mentioned by name here but is not yet included in our plans.
Contacts, on the other hand, have already been extensively implemented in SAP for Me. It is not only possible to see the company’s own contacts for a product, but also to easily find SAP contacts that are available for the customer or a specific product at the customer’s site. Both do not require any further authorization, as long as it is only about the display. On the other hand, you need an authorization if you want to change the company’s own contacts. There are two authorizations for this, because we have differentiated again between product-relevant and order-relevant contacts. The latter have a direct connection to the financial data and therefore require special authorization. The function to change order-relevant contacts is not yet available, which is why I have omitted the necessary authorization in the table above.
I hope this blog helps to better understand the topic of authorizations in SAP for Me. Of course, SAP for Me is still growing, so I will adapt this blog again in due course. Basically, we are also currently working on a more comprehensive, central documentation for SAP for Me, which will then make these blogs obsolete in the future.
I am – as always – very interested in feedback. So please feel free to let me know directly in the comments.