Create Custom User Roles in SAP Datasphere
- How to create custom roles
- Overview of privileges
- What each permission means
- How this works in a practical example
Prerequisites
- You have familiarised yourself with the SAP Datasphere interface.
- You have the SAP Datasphere Administrator role assigned to you in your SAP Datasphere tenant.
Please note that SAP Data Warehouse Cloud has evolved into SAP Datasphere. While content and screenshots in this tutorial may reference SAP Data Warehouse Cloud, the content applies to SAP Datasphere.
- Step 1
A role represents the main tasks that a user performs in SAP Datasphere. Each role has a set of privilege types, and each privilege type is assigned permissions such as Create, Read, Update, Delete or Manage and Share. The privilege types represent areas of the application, like the Space Management or the Business Builder, and the files or objects created in those areas.
These settings are configured on the Privilege page.
The standard application roles provide a set of privilege types that are appropriate for each particular job role.
For example, the SAP Datasphere Administrator role includes the Create, Read, Update, Delete and Manage permissions for the privilege type Spaces, while the SAP Datasphere Viewer has no permissions selected for this privilege type. Instead, the Viewer has the Read permission for Space Files, meaning this user won’t be able to assign users or connections, but will be able to view the tables and views in the Spaces they have been assigned to.
- Step 2
A privilege type represents a task or an area in SAP Datasphere and is assigned to a specific role. The actions that can be performed in the area are determined by the permissions assigned to a privilege type.
The following link lists the SAP Datasphere privilege types and the available permissions. Please note that some of the privileges that are not restricted to an SAP Datasphere license (for example, Users and Roles) can be found in the Other Privileges and Permissions table. These object types and privileges depend on your license type and might, therefore, not be relevant or available to you.
- Step 3
Permissions allow the user to perform certain actions, such as read, write or delete, on privilege types. The type of action depends on the privilege type that the permission has been assigned to.
For example, the Read permission allows opening and viewing an item and its content, whereas the Delete permission allows deletion of the item. The full list of permissions and their meanings can be found in the linked table.
- Step 4
Creating custom roles and assigning them to users in SAP Datasphere is a simple procedure. As an administrator, you can define custom roles that fit your organization’s needs. To create a custom user role, follow the procedure below.
In this procedure, we use the Roles page to assign roles to users, but you can also assign roles on the Users page. Whether you create users first or roles first does not matter.
To add roles, click on Security and Roles.
Click on Add Role on the top right of the screen.
Enter a unique name for the role and select the license type SAP Datasphere.
Select Create.
Select a role template.
Role templates are the predefined standard roles associated with the SAP Datasphere license type. If you wish to create a role without extending a predefined standard role, choose the blank template. After you select a template, the Permissions page appears, showing you the individual permissions assigned to privilege types that have been defined for the role template you chose.
Define the permissions for your new role for every privilege type. The privilege types represent an area, application or tool in SAP Datasphere, while the permissions (create, read, update, delete, manage and share) represent the actions a user can perform.
If you want to change the role template that your new custom role will be based on, select (Select Template) and choose a role.
Save your new custom role.
You can’t delete or save changes to the predefined standard roles.
- Step 5
A user with the SAP Datasphere Viewer role, for example, cannot see the Space Management area, including the Spaces. They can only read the files of the Space that they have been assigned to (Space files) and read the data belonging to their Space in the Data Builder. They can see the connections, but not edit them. They cannot see the member section or the individual members of their Space (user and team). A user with the SAP Datasphere Administrator role, on the other hand, has almost all permissions in all areas.
With an even finer granularity, you can select permissions that allow your user to see or edit only certain areas of your Space. A modeler, for example, can be prevented from seeing the general settings, in particular the storage, priority and data lake settings. The user might, however, be configured to see the members of a Space without being allowed to add or delete members.
You can learn in detail about different privileges and permissions in SAP Datasphere by following this link.
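The granularity described above is easiest to review by comparing a custom role with the template it was built from. The following is an added example, not SAP code or an SAP export format: roles are modelled as a mapping from privilege type to permissions, the Viewer baseline follows the tutorial text, and the custom role and the HIGH_IMPACT review policy are constructed assumptions.

```python
"""Least-privilege review of a custom role against its role template."""

PERMISSIONS = {"Create", "Read", "Update", "Delete", "Manage", "Share"}
# Assumed review policy (not from SAP): grants that remove objects or
# control access to them get a second look.
HIGH_IMPACT = {"Delete", "Manage", "Share"}

# Baseline as described in the tutorial: the Viewer has nothing on Spaces
# and Read on Space Files.
VIEWER_TEMPLATE = {"Spaces": set(), "Space Files": {"Read"}}

# Constructed custom role that started from the Viewer template.
CUSTOM_ROLE = {
    "Spaces": {"Read", "Update"},
    "Space Files": {"Read", "Delete"},
    "Users": {"Read"},
}


def validate(role):
    """Reject permission names outside the six the tutorial lists."""
    for privilege_type, perms in role.items():
        unknown = set(perms) - PERMISSIONS
        if unknown:
            raise ValueError(f"{privilege_type}: unknown {sorted(unknown)}")


def is_allowed(role, privilege_type, permission):
    """Default deny: a privilege type missing from the role grants nothing."""
    return permission in role.get(privilege_type, set())


def review_against_template(role, template):
    """Return (privilege type, permission, severity) for every grant the
    custom role adds on top of its template, high-impact grants first."""
    validate(role)
    validate(template)
    findings = []
    for privilege_type, perms in role.items():
        added = set(perms) - set(template.get(privilege_type, set()))
        for perm in sorted(added):
            severity = "high" if perm in HIGH_IMPACT else "review"
            findings.append((privilege_type, perm, severity))
    return sorted(findings, key=lambda f: (f[2] != "high", f[0], f[1]))


if __name__ == "__main__":
    for ptype, perm, sev in review_against_template(CUSTOM_ROLE, VIEWER_TEMPLATE):
        print(f"[{sev}] {ptype}: +{perm}")
```

Running the review before saving a custom role shows exactly which permissions it adds beyond the template, so each addition can be justified or removed.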
Well done!
You have completed the 4th tutorial of this group. Now you know how to create custom roles in SAP Datasphere.
Learn in the next tutorial how to create and monitor Spaces in SAP Datasphere.