Hello Everyone,

As customers and consultants are becoming more and more engaged with SAP Profitability and Performance Management Cloud (SAP PaPM Cloud), I believe after several blogposts released by experts, you are now ready to also focus on one of the importat topics that is to be known when using SAP PaPM Cloud.

this topic is ADMINISTRATION

As this topic is technical I will try my best to really start from the very beginning and discuss the points one by one in a human language. In order for you to imagine the content of this blogpost, I then divided it into 3 major parts:

(01) Roles and SAP PaPM Cloud User Creation

• We will go through together the actual steps on how an Administrator can create a user in BTP, Create Role Collection and even assign role collection to users.

(02) SAP PaPM Cloud Administration Applications

• We will visit together the applications expected to be governed by users with Administration rights in SAP PaPM Cloud.

(03) DB Firefighter, DB Explorer and DB User Creation

• We will discuss further the firefighter (SAP_PAPM_ADMIN). After so we will check the database explorer and will give you few hints on where to find what. Lastly, I will give you some helpful commands that you may want to use when you are creating a new user in the database via SAP_PAPM_ADMIN

Let us start!

---

Roles and SAP PaPM User Creation

---

SAP PaPM Cloud is part of SAP's offering for SaaS (Solution as a Service).

In human language this means you just need to subscribe to the cloud provisioned SAP PaPM solution in order for you to use it in your project or business. This eliminates the need to invest on big servers, perform days of installations, and database setup. So just as any other cloud solution, SAP PaPM Cloud erradicates the high demand for your internal administrators to perform installation and stabilization before/during/after your project or implementation.

Even so above is really a good news, as internal administrators you should still remember to perform few administration activities. Below are the minimal administration activities that you should safeguard in order to use SAP PaPM Cloud officially

1. Ensure that your Global account is NOT a trial account


2. Ensure that your Subaccount has been created in the right region


3. Subscribe to SAP PaPM Cloud, reference:


4. Create role collection, users, and assign roles in BTP


5. Create users in the database


6. Manage and control SAP PaPM Cloud's Administration Applications

the first three points are covered in this blogpost SAP Profitability and Performance Management Cloud: Subscription & Decommission. The last 3 points, I will cover today in this blogpost starting with....

Forbidden. You don't have permissions to view this page

 

Click on the image to zoom-in

Once you officially subscribed to SAP PaPM Cloud, the initial reaction is to visit right away the URL of the application to find out that you are getting "Forbidden. You don't have permissions to view this page". In situation like this you are either not yet a BTP user or your user has not enough authorization or role collection to access the application. Allow me to teach you some tips and tricks with respect to (I) Role Collection Creation, (II) User Creation, and (III) Assigning of role to users.

I. As a subaccount admin you can create a role collection by performing the following:

1. Ensure you are in the right subaccount


2. Choose Role Collections


3. Choose + button


4. Define a name and description for your role collection


5. Choose Create


6. Once the role collection has been created, choose that newly created role collection


7. Choose Edit button


8. Choose the Roles that must be added


9. To filter PaPM Cloud Roles, Choose sap-papm-cloud as application identifier


10. Choose the roles that you want to add with the guidance of the help documentation -  Roles for SAP Profitability and Performance Management Cloud


11. Choose Add


12. Ensure that the Role added is in the list of roles


13. Choose Save

Click on the image to zoom-in

Click on the image to zoom-in

II. As a subaccount admin you can create a user that should access SAP PaPM Cloud

1. Ensure you are in the right subaccount


2. Choose Users


3. Choose Create


4. Fill in the Username, Identity Provider, E-mail fields


5. Choose Create

This user will then get an invitation to access SAP BTP Cockpit and will be able to access SAP PaPM Application afterwards (assuming the user has some roles assigned to his/her user, if the user does not have any SAP PaPM Cloud roles added yet proceed with III)

Click on the image to zoom-in

III. As a subaccount admin assign SAP PaPM Cloud Role Collection to the created users.

1. Ensure you are in the right subaccount


2. Choose Users


3. Choose the User that must be enhanced with role collections, (e.g. user created in phase II)


4. Choose More


5. Choose Assign Role Collection


6. Choose the proper Role collection to be assigned, (e.g. role collection created in phase I)


7. Choose Assign Role Collection

Click on the image to zoom-in

Problem solved! Let us proceed with the next topic.

---

SAP PaPM Cloud Administration Applications

---

On a successful login to the home page of SAP PaPM Cloud, as an administrator, you are expected to govern below applications.

Click on the image to zoom-in

To save your time I will just focus on (I) Users, (II) Provisioning, (III) Settings as Teams and Connections are applications available in SAP PaPM OP, and Content Network overview has already been provided through blogpost SAP Profitability and Performance Management reached the cloud!

I. Users

This is not a USER Creation screen instead this screen is used for the following purposes

1. You want to see who from the SAP PaPM Cloud Users already visited the tenant. On a successful login to SAP PaPM Cloud, the Email ID and the AutoGenerated USER ID will be then listed. In the screenshot below, you can interpret this as out of the numbers of users you created in BTP, only Justine Angeles logged in so far.


2. Email address is a sensitive information for your company and you want to anonymize the users. You may choose the Anonymize button to avoid seeing the email address in the screen.


3. You want to create a user, hence you can choose the User Creation button to be redirected back to BTP, and in there create the user accordingly.

Click on the image to zoom-in

II. Provisioning

Provisioning application redirects you to the provisioner of SAP PaPM Cloud where you (as an Admin) can flexibly expand your tenant's subscription to use more resources if demand calls for it.

Increasing the resources will ofcourse increase the Total Capacity Unit contracted to your tenant, reason for your company to get an updated subscription contract from SAP with this additional resources information and rightful amount.

So as my suggestion

• before deciding to give everyone the Administration rights to SAP PaPM Cloud, please always take into account the provisioning application. (^^,)


• only update the configuration in this screen if business demanded and approved a subscription upgrade.

Click on the image to zoom-in

III. Settings

The last Application in the Administration that you must be aware of is the Settings Application. This application has been created to provide database information to administrator concerning the

1. Database firefighter (SAP_PAPM_ADMIN). It is still ideal for customers to get flexibility and perform some powerful commands such as user creation, create views, tables, or even connecting to other database through Smart Data Access, hence on a successful subscription there is a powerful user called SAP_PAPM_ADMIN that can be used by the administrators to login to SAP HANA Cloud Database. As this is a powerful user, this user is not expected to be shared to everyone in your company. In case they need to login to the database, create a user for them instead.


2. Password of the firefighter. The password is randomly and automatically generated for the firefighter. This is the password that you can use to login to the database. OPTIONALLY it is possible to change the password upon loging into the database but please remember that the new password will not reflect on this screen.


3. Database host. This is the dbhost that you can use in case you need to perform remote connection to your tenant's database


4. Database port. same as with #3, this can also be helpful for you when you wish to do a connection to your tenant's db


5. Hana dashboard url. This is the link that you can give to your db users so they can access the database using their own ID and password

Now let us go to Integration Settings -- unlike the first part of Settings that is more of read-only, this second part which  is something that you as administrator could fill in. It is possible (Optional) to

6. fill these fields with DWC and SAC urls that are meant to be the primary DWC and SAC which are connected to SAP PaPM Cloud. In the future, the same URLs will also be used for automatic redirection to DWC or SAC via SAP PaPM Cloud UI.

Click on the image to zoom-in

 

---

DB Firefighter, Explorer, & User Creation

---

Two down, one to go!

Last topic that we have in this blogpost is all about database. As an administrator it will be good to understand what are expected from you as well in the database side starting with

I. DB Firefighter (SAP_PAPM_ADMIN)

This user has been delivered by default with PAPM_OPERATOR_ROLE which then is being updated by the development team as needed. So far these are the Grants (or authorizations) that SAP_PAPM_ADMIN has by default

GRANT CATALOG READ TO PAPM_OPERATOR_ROLE;

GRANT SELECT ON SCHEMA "_SYS_STATISTICS" TO PAPM_OPERATOR_ROLE;

GRANT USERGROUP OPERATOR ON USERGROUP DEFAULT TO PAPM_OPERATOR_ROLE;

GRANT EXECUTE ON "GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS" TO PAPM_OPERATOR_ROLE;

GRANT CREATE REMOTE SOURCE TO PAPM_OPERATOR_ROLE;

GRANT CREATE SCHEMA TO PAPM_OPERATOR_ROLE;

GRANT CERTIFICATE ADMIN TO PAPM_OPERATOR_ROLE WITH ADMIN OPTION;

GRANT TRUST ADMIN TO PAPM_OPERATOR_ROLE WITH ADMIN OPTION;

GRANT SELECT ON SCHEMA ${ PAPM } TO PAPM_OPERATOR_ROLE WITH GRANT OPTION;

To get the updated list of authorization, please visit Database Role PAPM_OPERATOR_ROLE .

 

As you can see, SAP_PAPM_ADMIN user can do administration activities in the database, and some administrators feel that they need to ensure that only 1 or 2 know the password. So as I mentioned in my previous topic, it is possible (optional) to change the password of the firefighter.

To change the password of the firefighter you will need to login to SAP HANA DB Explorer by following below steps after logging into SAP PaPM Cloud Tenant > Administration > Settings

1. Choose the redirect button, a new browser will pop-up


2. Provide the SAP_PAPM_ADMIN credentials


3. Choose OK


4. Choose SQL Console


5. A new screen will pop up where you can choose, Open SQL Console button


6. A console will be opened on the right handside where you can then insert your command
   

   --Logged in as SAP_PAPM_ADMIN
   
   --Change the password of your firefighter
   
   ALTER USER SAP_PAPM_ADMIN PASSWORD <NEWPASSWORD>;​

   
   


7. Choose Execute

Click on the image to zoom-in

 

II. DB User Creation

Now that you already know how to login successfully and even execute a command via SAP HANA Database Explorer, i wish to share with you some sql commands that you might want to consider when creating a user

--Logged in as SAP_PAPM_ADMIN

--Creation of user

CREATE USER <USER> PASSWORD NOTTHEREALPASSWORD;



--Giving select privilege to the user to be able to create a view on top of PaPM artifacts

GRANT SELECT ON SCHEMA SAP_PAPM TO <USER>; 



--Giving debug privilege to the user to be able to see the procedure

GRANT DEBUG ON SCHEMA SAP_PAPM TO <USER>;



--Granting insufficient privilege call to know authorization issues

GRANT EXECUTE ON SYS.GET_INSUFFICIENT_PRIVILEGE_ERROR_DETAILS to <USER>;

 

Please take note that after creating the user, please also inform the users that if they want to expose their private schema to SAP PaPM Cloud, they will need to perform a grant privilege such as below.

Also the same command will be handy if you want to expose any database schema, table or view to SAP PaPM Cloud's Connection Manager to be further used by information functions such as Model Table / Model View

-- Logged in as the user

-- Granting PaPM full privilege to consume, update tables/views of your own schema

GRANT ALL PRIVILEGES ON SCHEMA "<USER>" TO SAP_PAPM;

 

Now that I am done with the main topics that I wish to discuss with you, as always there is one more take-away information that I want to share with you. (^^,)

If you will take a closer look at the commands I provided you will see lots of SAP_PAPM in the command line, it is because by default -- SAP_PAPM is SAP PaPM Cloud's Primary User and Schema. Without this user fully established, connection between the tenant and the database is impossible.

As an administrator, you need to remember that manipulation of this schema and user is not possible. This user is managed by SAP PaPM Cloud provider (Development team) and is being kept stable and up to date by the SAP PaPM Cloud provider.

 

Now I am really really done!!! (^^,)

I hope this blogpost helped you get a better understanding of what and how you can administer your SAP PaPM Cloud Tenant and Database

 

Happy configuring in the cloud!!! Til my next post!