Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
jaigupta
Product and Topic Expert
Product and Topic Expert
2,840

Introduction


As part of this blog, I will be showing how the Datasphere new feature Scoped Roles can be used in different enterprise scenarios. Please note that the sample scenarios shown here may not fit AS IS to all the scenarios within your organization but could act as an inspiration for using the scoped roles within Datasphere.

Also, you can also refer to the previous blogs, as mentioned below, to get more details about this feature.

Note:This feature is shipped on 17th of October 2023 for SAP Datasphere tenants in Asia Pacific Region. On October 31st 2023 it will be shipped for SAP Datasphere tenants in American and European landscapes.

Scenario 1 – Centrally Governed Spaces with All or nothing access:


In first case, let us assume, Company ABC LTD wants to govern their users Centrally via scoped roles for centrally managing the DWH functions like Integration, Modelling, Consumer etc. , as shown below.


Fig1: Scenario 1 - Centralized, All or Nothing


From above diagram, below scoped roles could be used by the company ABC LTD within their DS landscape.
















































Role



Template



Area



Scope



Users


SRC_Consumer DW Consumer Sales, Finance Sales, Finance All Business users
SRC_Viewer DW Viewer Sales, Finance Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM All Business Analysts, Few Senior Modelers
SRC_Modeler DW Modeler Sales, Finance Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP Central Modelling team
SRC_MDM DW Modeler MDM Master Data Central MDM team
SRC_Integration DW Integrator Sales, Finance S/4, BW, CRM Central Integration Team


Steps to follow when creating new Users:


For creating the new users, tenant admin needs to follow below steps:

  • In User management UI,create new users and assigned the respective scoped roles. For example – if there are new employees’ addition within the Central Integration team then the scoped role SRC_Integration will be granted to them.

  • Alternatively, users can be assigned Centrally governed scoped role in the Role management UI based on their role within an organization.


Scenario 2 – Space specific access:


In second case, let us assume that for company XYZ LTD, wants to restrict and fine tune the access at the space level for each department for example Sales and Finance.

In Datasphere, this can be achieved using 2 approaches – Centralized and Decentralized.

•   Centralized approach



Fig2: Scenario 2 - Centralized Approach


From above diagram, we see that a separate scoped role is created for the different Business department across different DWH functions, as explained below:





































































Role



Template



Area



Scope



Users


SRC_Sales_Consumer DW Consumer Sales Sales Sales Business users
SRC_Sales_Viewer DW Viewer Sales Sales, Delivery, Invoicing, Orders, S/4, BW, CRM Sales Business Analysts, Few Senior Modelers
SRC_Sales_Modeler DW Modeler Sales Sales, Delivery, Invoicing, Orders Sales Modelling team
SRC_Finance_Consumer DW Consumer Finance Finance Finance Business users
SRC_Finance_Viewer DW Viewer Finance Finance, GL, AR, AP, S/4, BW, CRM Finance  Business Analysts, Few Senior Modelers
SRC_Finance_Modeler DW Modeler Finance Finance, GL, AR, AP Finance Modelling team
SRC_MDM_Modeler DW Modeler MDM Master Data Central MDM team
SRC_Integration DW Integrator Sales, Finance S/4, BW, CRM Central Integration Team

Steps to follow when creating new Users: 



  • In User management UI, create new users and assign respective scoped roles. For example, new Sales Business Analysts will be assigned Scoped role SRC_Sales_Viewer whereas Finance Business Analysts will be assigned Scoped role SRC_Finance_Viewer.

  • Alternatively, users can be assigned scoped role in the Role management UI based on their role within an organization.


 

•   DeCentralized approach


As an alternative to above scenario, decentralized approach can also be used. In this approach, a tenant admin will create a single scoped role for each DWH function but will isolate the user access between employees from different departments by assigning the respective spaces during user assignment in the scoped role.

Also, tenant admin can delegate the responsibility to a space admin for assigning the roles to user via space management UI.


Fig3: Scenario 2 - Decentralized Approach


From above diagram, we see that below roles are used by the company XYZ LTD in their DS landscape.























































Role



Template



Area



Scope



Users


SRD_Consumer DW Consumer Sales, Finance Sales, Finance

Sales Business users with scope assignment limited to space Sales

Finance Business users with scope assignment limited to space Finance
SRD_Viewer DW Viewer Sales, Finance Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM

Sales Business Analysts + Few Senior Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders, S/4,BW

Finance Business Analysts + Few Senior Modelers with scope assignment limited to space Finance, GL, AR, AP,CRM,BW
SRD_Modeler DW Modeler Sales, Finance Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP

Sales Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders

Finance Modelers with scope assignment limited to space Finance, GL, AR, AP

 
SRC_MDM DW Modeler MDM Master Data spaces Central MDM team
SRD_Integration DW Integrator Integration

S/4,

BW,

CRM


Sales Integration team with scope assignment limited to space CRM and BW

Finance Integration team with scope assignment limited to space S/4 and BW
SRD_Space_admin DW Space Administrator ADMINISTRATION Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM

Sales ADMIN team with scope assignment limited to space Sales, Delivery, Invoicing, Orders

Finance ADMIN team with scope assignment limited to space Finance, GL, AR, AP

MDM ADMIN team with scope assignment limited to space Master Data

Integration ADMIN team with  scope assignment limited to space Integration S/4, BW, CRM

Steps to follow when creating new Users:



  • In User management UI, new users will be created without any role assignment.

  • Then these users will be added to the decentralized scoped role by tenant admin in the Role management UI and relevant scope will be selected for them. For example, new Sales Modelers will be assigned scope Sales, Deliveries, Invoicing and Orders whereas Finance Modelers will be assigned scope to the spaces Finance, AP,AR and GL using same scoped role during user assignment in the scoped roles.

  • Users will get the relevant privileges and permissions on the specific spaces granted within scoped roles.


Alternatively, Tenant admin can delegate a space admin to grant access to the spaces as explained below.

Use of Space admin:



  • Here, Tenant admin will assign the scoped role of space Admin to the relevant users.

  • In our scenario, we have different admin teams – SALES ADMIN, FINANCE ADMIN, INTEGRATION ADMIN, , MDM ADMIN. Therefore, tenant admin will assign the relevant scope to the space admin based on his profile instead of assigning all the scopes to a single admin. For example SALES ADMIN team will only be assigned scopes Sales, Delivery, Invoicing, Orders during user assignment within the scoped role SRD_Space_admin.

  • After this a space admin can assign the relevant scoped roles to the users via space management UI. For example – Sales Modelers can be added as members in the spaces Sales, Deliveries, Invoicing and Orders via Space Management UI by Sales ADMIN and Finance Modelers can be added to spaces Finance, AP,AR and GL via Space Management UI by Finance ADMIN using the scoped role SRD_Modeler.


Useful Hints



  • Let say if we are following Centralized Approach for different departments and creating similar roles like SRC_SALES_MODELER and SRC_FINANCE_MODELER can be headache. To overcome these existing roles can be copied without user or scope assignment using Save As option in the role management UI and then we can assign new spaces as scope along-with relevant users assignment to the copied roles .

  • If you are an existing Datasphere customer then as part of scoped roles rollout, your existing global or custom roles will be migrated into new scoped roles as mentioned below:





    • For each Standard Datasphere rolewith Space-specific privileges, “DW Standard_role”, a new Scoped Role “DW Scoped (Standard_role)” will be created.

    • For each Custom role “Custom_role” a new Scoped Role “(Custom_role)_SAP_Scope” will be created with a description “Created during SDP conversion”.




Based on your past strategy, you might be able to use these converted roles without any tweaks for any of the above highlighted scenarios.



Conclusion


This blog introduced you to the different scenarios in which scoped roles can help.

Thanks for reading! I hope you find this blog helpful. For any questions or feedback just leave a comment below this post. Feel free to also check out the other blog posts in the series.

Best wishes,

Jai Gupta

Further Links


https://blogs.sap.com/2023/10/02/sap-datasphere-scoped-roles-conversion/#:~:text=In%20October%202023...


Find more information and related blog posts on the topic page for SAP Datasphere .
1 Comment