SAP Datasphere Scoped Roles Conversion
In October 2023 a fundamental new capability is delivered for SAP Datasphere: the so-called ‘Scoped Roles’, which allow administrators of SAP Datasphere to assign roles to users on Space level.
This means a user can now be a ‘Modeler’ with all related privileges in one Space while being just a consumer in another Space of the same SAP Datasphere tenant.
This feature ships on 17 October 2023 for SAP Datasphere tenants in the Asia Pacific region. On 31 October 2023 it ships for SAP Datasphere tenants in the American and European landscapes.
Some fundamental considerations on Scoped Role conversion
- To fully activate this feature, all existing roles in customer tenants are converted to the new Scoped Role concept. This conversion is performed automatically when the feature is introduced in customer landscapes.
- Important: the conversion is non-disruptive with regard to the existing user-to-role assignments in a tenant. All users keep access to their Spaces with the same privileges as before the conversion.
- After the conversion, Scoped Roles can be used to implement Space-dependent privileges step by step according to customer requirements.
- SAML attribute mappings and scripts created with the Command Line Interface may need to be adapted manually to leverage the new Scoped Roles.
Standard/Custom Roles before vs. after the conversion:
In general, a Scoped Role is generated for each of your existing Standard and Custom Roles. Your existing roles remain and serve as templates from which the Scoped Role is derived, so after the conversion there are two types of roles:
the initial role assigned to a user, which serves as the template, and the Scoped Role derived from it during the conversion.
Those Scoped Roles are assigned to users according to the Spaces they were members of before the conversion. This is an important point: the Scoped Roles generated during the conversion are assigned to users only according to their initial Space membership, so that the original behavior is preserved.
If additional Scoped Roles are created manually based on a standard or custom role template, the default behavior of Scoped Roles is:
- When a (new) user is added to a Scoped Role, he becomes a member of all Spaces assigned to that role.
- When a new Space (scope) is added to a Scoped Role, all users assigned to the role become members of that Space.
Global vs. Space dependent privileges
Most of the privileges within a role are Space-dependent and become part of the newly generated Scoped Role.
However, a fraction of the privileges remain valid on tenant level. Such global privileges can be found, for example, in the standard roles DW Administrator, Catalog Administrator and Catalog User. Hence, these roles are not converted to Scoped Roles and remain assigned to the users who had them before the conversion, so that the global privileges stay active for those users.
In addition, a user who was, for example, a ‘DW Administrator’ and member of certain Spaces before the conversion is also provided with the converted ‘DW Scoped Space Administrator’ role, but only for the Spaces he was already a member of before the conversion.
A detailed overview of which privileges are considered global and which are Space-dependent can be found in the SAP Datasphere Documentation – Managing Roles and Privileges.
Naming conventions of roles before vs. after the conversion
Your existing roles available in the tenant before the conversion keep their names.
Your converted Scoped Roles follow a naming convention:
- Standard Roles delivered by SAP:
> the word ‘Scoped’ is added to the name of the Standard Role
Before conversion: ‘DW Modeler’; derived Scoped Role: ‘DW Scoped Modeler’
- Customer-defined Roles:
> the suffix ‘_SAP_SCOPE’ is appended to the name of the Custom Role
Before conversion: ‘Custom Modeler’; derived Scoped Role: ‘Custom Modeler_SAP_SCOPE’
Converted roles also carry the remark ‘Created during SDP conversion’.
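An added example (not SAP's code) modeling the rules above in Python: the naming convention, the conversion that grants each user only the Spaces he already had, and the default behavior of a manually maintained Scoped Role, where adding a user or a Space widens access. The user, role and Space names in the docstrings and comments are constructed for illustration.

```python
"""Added model of the Scoped Role conversion rules in this post (illustrative,
not SAP code). User, role and Space names used in examples are constructed."""
from collections import defaultdict

# Standard roles carrying global (tenant-level) privileges: not converted, kept as-is.
GLOBAL_ROLES = {"DW Administrator", "Catalog Administrator", "Catalog User"}


def scoped_role_name(role, is_standard):
    """Naming convention for the Scoped Role generated from a template role."""
    if is_standard:                      # 'DW Modeler' -> 'DW Scoped Modeler'
        prefix, _, rest = role.partition(" ")
        return f"{prefix} Scoped {rest}"
    return f"{role}_SAP_SCOPE"           # 'Custom Modeler' -> 'Custom Modeler_SAP_SCOPE'


class ScopedRole:
    """A Scoped Role: its Spaces (scopes) plus the Spaces each member actually holds."""
    def __init__(self, name):
        self.name, self.spaces, self.members = name, set(), defaultdict(set)

    def add_user(self, user):            # default behavior: user gets every Space of the role
        self.members[user] |= self.spaces

    def add_space(self, space):          # default behavior: every member gets the new Space
        self.spaces.add(space)
        for user in self.members:
            self.members[user].add(space)


def convert(users, custom_roles):
    """users: {user: (roles, spaces)} before conversion; custom_roles: names of
    customer-defined templates. Returns ({scoped name: ScopedRole}, {user: global roles}).
    Unlike add_user(), the conversion grants only the Spaces a user already had."""
    scoped, global_roles = {}, defaultdict(set)
    for user, (roles, spaces) in users.items():
        for role in roles:
            if role in GLOBAL_ROLES:
                global_roles[user].add(role)      # stays tenant-wide and unconverted
                if role != "DW Administrator":
                    continue
                name = "DW Scoped Space Administrator"  # admin additionally gets this, scoped
            else:
                name = scoped_role_name(role, role not in custom_roles)
            sr = scoped.setdefault(name, ScopedRole(name))
            sr.spaces |= spaces                   # the role covers all its members' Spaces...
            sr.members[user] |= spaces            # ...but each user keeps only his own
    return scoped, dict(global_roles)
```

Comparing `convert()` with `add_user()` shows why a Scoped Role created manually after the conversion should be reviewed before users are added: by default it grants every Space in its scope.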
SAML attributes in Scoped Roles
With Scoped Roles there is a dedicated maintenance UI to specify the conditions under which a role is assigned to a given user.
- First, select the role for which the SAML attributes need to be maintained.
- Then open the new user interface for maintaining the SAML conditions.
- Maintain the SAML conditions there.
If a custom SAML attribute for groups of users is maintained in the IdP, it can be used in such conditions as well, instead of single users.
New Command Line Interface
There is a new version of the Command Line Interface which can also handle Scoped Roles. It can be downloaded here: npmjs.com
Use the new commands introduced specifically for Scoped Roles. More details are in the SAP Datasphere Documentation.
More detailed information on Scoped Roles can be found in the SAP Datasphere Community (including a system demonstration and more information on related topics) as well as in the SAP Datasphere Documentation.