Introduction
In this blog, I will show how the new SAP Datasphere feature, scoped roles, can be used in different enterprise scenarios. Please note that the sample scenarios shown here may not fit as-is to every scenario within your organization, but they can serve as inspiration for using scoped roles within Datasphere.
You can also refer to the previous blogs, mentioned below, for more details about this feature.
Note: This feature was shipped on 17th of October 2023 for SAP Datasphere tenants in the Asia Pacific region. On October 31st 2023 it will be shipped for SAP Datasphere tenants in the American and European landscapes.
Scenario 1 – Centrally Governed Spaces with All or nothing access:
In the first case, let us assume that company ABC LTD wants to govern its users centrally via scoped roles, centrally managing DWH functions such as Integration, Modelling, and Consumer, as shown below.
Fig1: Scenario 1 - Centralized, All or Nothing
Based on the diagram above, company ABC LTD could use the following scoped roles within its DS landscape.
| Role | Template | Area | Scope | Users |
|---|---|---|---|---|
| SRC_Consumer | DW Consumer | Sales, Finance | Sales, Finance | All Business users |
| SRC_Viewer | DW Viewer | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM | All Business Analysts, Few Senior Modelers |
| SRC_Modeler | DW Modeler | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP | Central Modelling team |
| SRC_MDM | DW Modeler | MDM | Master Data | Central MDM team |
| SRC_Integration | DW Integrator | Sales, Finance | S/4, BW, CRM | Central Integration Team |
Steps to follow when creating new Users:
To create new users, the tenant admin follows these steps:
- In the User management UI, create new users and assign the respective scoped roles. For example, if new employees join the Central Integration team, the scoped role SRC_Integration will be granted to them.
- Alternatively, users can be assigned a centrally governed scoped role in the Role management UI based on their role within the organization.
Scenario 2 – Space specific access:
In the second case, let us assume that company XYZ LTD wants to restrict and fine-tune access at the space level for each department, for example Sales and Finance.
In Datasphere, this can be achieved using two approaches: centralized and decentralized.
• Centralized approach
Fig2: Scenario 2 - Centralized Approach
From the diagram above, we see that a separate scoped role is created for each business department across the different DWH functions, as listed below:
| Role | Template | Area | Scope | Users |
|---|---|---|---|---|
| SRC_Sales_Consumer | DW Consumer | Sales | Sales | Sales Business users |
| SRC_Sales_Viewer | DW Viewer | Sales | Sales, Delivery, Invoicing, Orders, S/4, BW, CRM | Sales Business Analysts, Few Senior Modelers |
| SRC_Sales_Modeler | DW Modeler | Sales | Sales, Delivery, Invoicing, Orders | Sales Modelling team |
| SRC_Finance_Consumer | DW Consumer | Finance | Finance | Finance Business users |
| SRC_Finance_Viewer | DW Viewer | Finance | Finance, GL, AR, AP, S/4, BW, CRM | Finance Business Analysts, Few Senior Modelers |
| SRC_Finance_Modeler | DW Modeler | Finance | Finance, GL, AR, AP | Finance Modelling team |
| SRC_MDM_Modeler | DW Modeler | MDM | Master Data | Central MDM team |
| SRC_Integration | DW Integrator | Sales, Finance | S/4, BW, CRM | Central Integration Team |
Steps to follow when creating new Users:
- In the User management UI, create new users and assign the respective scoped roles. For example, new Sales Business Analysts will be assigned the scoped role SRC_Sales_Viewer, whereas Finance Business Analysts will be assigned the scoped role SRC_Finance_Viewer.
- Alternatively, users can be assigned a scoped role in the Role management UI based on their role within the organization.
• Decentralized approach
As an alternative to the scenario above, a decentralized approach can also be used. In this approach, the tenant admin creates a single scoped role for each DWH function, but isolates access between employees of different departments by assigning the respective spaces during user assignment in the scoped role.
The tenant admin can also delegate the responsibility for assigning roles to users to a space admin, who does so via the Space management UI.
Fig3: Scenario 2 - Decentralized Approach
From the diagram above, we see that company XYZ LTD uses the following roles in its DS landscape.
| Role | Template | Area | Scope | Users |
|---|---|---|---|---|
| SRD_Consumer | DW Consumer | Sales, Finance | Sales, Finance | Sales Business users with scope assignment limited to space Sales; Finance Business users with scope assignment limited to space Finance |
| SRD_Viewer | DW Viewer | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM | Sales Business Analysts + Few Senior Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders, S/4, BW; Finance Business Analysts + Few Senior Modelers with scope assignment limited to space Finance, GL, AR, AP, CRM, BW |
| SRD_Modeler | DW Modeler | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP | Sales Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders; Finance Modelers with scope assignment limited to space Finance, GL, AR, AP |
| SRC_MDM | DW Modeler | MDM | Master Data spaces | Central MDM team |
| SRD_Integration | DW Integrator | Integration | S/4, BW, CRM | Sales Integration team with scope assignment limited to space CRM and BW; Finance Integration team with scope assignment limited to space S/4 and BW |
| SRD_Space_admin | DW Space Administrator | ADMINISTRATION | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM | Sales ADMIN team with scope assignment limited to space Sales, Delivery, Invoicing, Orders; Finance ADMIN team with scope assignment limited to space Finance, GL, AR, AP; MDM ADMIN team with scope assignment limited to space Master Data; Integration ADMIN team with scope assignment limited to space Integration S/4, BW, CRM |
Steps to follow when creating new Users:
- In the User management UI, new users are created without any role assignment.
- The tenant admin then adds these users to the decentralized scoped role in the Role management UI and selects the relevant scope for them. For example, new Sales Modelers will be assigned the scopes Sales, Deliveries, Invoicing and Orders, whereas Finance Modelers will be assigned the scopes Finance, AP, AR and GL, using the same scoped role during user assignment.
- Users get the relevant privileges and permissions only on the specific spaces granted to them within the scoped roles.
Alternatively, the tenant admin can delegate the granting of access to the spaces to a space admin, as explained below.
Use of Space admin:
- Here, the tenant admin assigns the space admin scoped role to the relevant users.
- In our scenario, we have different admin teams: SALES ADMIN, FINANCE ADMIN, INTEGRATION ADMIN and MDM ADMIN. Therefore, the tenant admin assigns the relevant scope to each space admin based on their profile, instead of assigning all the scopes to a single admin. For example, the SALES ADMIN team will only be assigned the scopes Sales, Delivery, Invoicing and Orders during user assignment within the scoped role SRD_Space_admin.
- After this, a space admin can assign the relevant scoped roles to users via the Space Management UI. For example, using the scoped role SRD_Modeler, Sales Modelers can be added as members of the spaces Sales, Deliveries, Invoicing and Orders by the Sales ADMIN, and Finance Modelers can be added to the spaces Finance, AP, AR and GL by the Finance ADMIN.
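The decentralized assignment and space admin delegation described above can be checked with a small model. This is an added example, not SAP code or a Datasphere API: the `ScopedRole` class, `assign` and `effective_access` functions and the user names are hypothetical, and only the role and space names come from the table.

```python
# Added illustration: a plain-Python model of the decentralized approach.
# Not a Datasphere API; class, function and user names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class ScopedRole:
    template: str
    scope: frozenset                              # spaces the role covers
    members: dict = field(default_factory=dict)   # user -> set of spaces

SALES = {"Sales", "Delivery", "Invoicing", "Orders"}
FINANCE = {"Finance", "GL", "AR", "AP"}
ROLES = {
    "SRD_Modeler": ScopedRole("DW Modeler", frozenset(SALES | FINANCE)),
    "SRD_Space_admin": ScopedRole("DW Space Administrator",
                                  frozenset(SALES | FINANCE | {"S/4", "BW", "CRM"})),
}

def assign(role_name, user, spaces, granted_by=None):
    """Assign user to a scoped role on the given spaces.

    granted_by=None models the tenant admin. Otherwise the granter must be
    a member of SRD_Space_admin for every space being granted.
    """
    role, spaces = ROLES[role_name], set(spaces)
    outside = spaces - role.scope
    if outside:
        raise PermissionError(f"{sorted(outside)} not in scope of {role_name}")
    if granted_by is not None:
        admin_of = ROLES["SRD_Space_admin"].members.get(granted_by, set())
        if spaces - admin_of:
            raise PermissionError(
                f"{granted_by} is not space admin for {sorted(spaces - admin_of)}")
    role.members.setdefault(user, set()).update(spaces)

def effective_access(user):
    """Return {space: {templates}} for one user across all scoped roles."""
    access = {}
    for role in ROLES.values():
        for space in role.members.get(user, ()):
            access.setdefault(space, set()).add(role.template)
    return access
```

A rejected assignment leaves the role's membership unchanged, so `effective_access` can be used to review exactly which spaces each user reaches through a shared role.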
Useful Hints
- If we follow the centralized approach for different departments, creating similar roles such as SRC_SALES_MODELER and SRC_FINANCE_MODELER can be a headache. To overcome this, an existing role can be copied without its user or scope assignments using the Save As option in the Role management UI; new spaces can then be assigned as scope, along with the relevant users, to the copied role.
- If you are an existing Datasphere customer, then as part of the scoped roles rollout your existing global or custom roles will be migrated into new scoped roles as follows:
  - For each standard Datasphere role with space-specific privileges, “DW Standard_role”, a new scoped role “DW Scoped (Standard_role)” will be created.
  - For each custom role “Custom_role”, a new scoped role “(Custom_role)_SAP_Scope” will be created with the description “Created during SDP conversion”.
Based on your past strategy, you might be able to use these converted roles without any tweaks for any of the above highlighted scenarios.
Conclusion
This blog introduced you to the different scenarios in which scoped roles can help.
Thanks for reading! I hope you find this blog helpful. For any questions or feedback just leave a comment below this post. Feel free to also check out the other blog posts in the series.
Best wishes,
Jai Gupta
Further Links
https://blogs.sap.com/2023/10/02/sap-datasphere-scoped-roles-conversion/#:~:text=In%20October%202023...
Find more information and related blog posts on the topic page for SAP Datasphere.