Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
Showing results for 
Search instead for 
Did you mean: 
0 Kudos
As part of the SAP BusinessObjects landscape management, administrative delegation becomes a necessity with growth in the landscape and adoption. From a single admin managing the entire role to multiple people managing the single system, setting up the delegation effectively is vital for the proper functioning of the SAP BusinessObjects system.

Common delegation tasks include providing access to parts of CMC like User management or Promotion management. In this blog, we will see the best practices in effective delegation of SAP BusinessObjects landscape management.

Role Matrix

The first step in the process is to identify the role matrix, which highlights the types of roles & access needed to perform different activities. The following is an example of a role matrix.

Role CMC Tabs
User Management Users and Groups, User attribute management
Content Management Access levels, Folders, Categories, Universes, Connections, OLAP Connections
Promotion Management Promotion Management
Auditors Auditing, Query results, Cryptographic Keys
Server Administrator Servers, Instance Manager, Events

This role matrix helps in dividing the responsibilities and assigning them to one or more users/groups.

Delegated Group

The delegated group is used to implement the roles in the SAP BusinessObjects systems. These groups are assigned for each role and the relevant CMC tabs access are provided for the groups. The groups can be prefixed / suffixed (e.g.: DG) to identify that it is for delegated access according to the naming policy followed. The following are the group mappings for the above roles.

Groups Role
User Management – DG User Management
Content Management –DG Content Management
Promotion Management –DG Promotion Management
Auditors –DG Auditors
Server Admin –DG Server Administrator


Restricting CMC Tab Access

The next step would be to restrict the CMC access by default. Navigate to applications tab and open the context menu of Central Management Console and select CMC Tab access Configuration.


Select CMC Tab access to Restricted. Save to apply the setting. By default the CMC access will be restricted which can be overridden explicitly for each of the groups.


Creating Groups

The next step would be to create the groups. The groups can be created from the User and Groups section in the CMC. Navigate to this section and click on ‘Create a group’.


Provide the group name of the mapping created and create the group for all the mapping


Providing CMC Tab Access to the Groups

The next step is to provide necessary CMC Tab access to the groups. On the context menu of the group select CMC Tab configuration.


Select the necessary tabs and grant explicit access to them. The selected ones will be have permission with green icon.


Adding Users to the Group

Finally, add the users to their respective groups using the Users and Groups tabs. When the users login to the CMC, they will be able to access the CMC with only the set of Tabs that are designated to them.

Key Practices for Delegation

These are some of the key practices that should be followed in order to setup a delegated system:

  1. Provide restricted access to only those resources needed

  2. Have a flat role structure and do not overlap different roles into one

  3. Have a direct group to role mapping. Avoid having single group for multiple roles

  4. Audit the users in the Group and revoke access as needed

Labels in this area