As part of this blog, I will be showing how the Datasphere new feature Scoped Roles can be used in different enterprise scenarios. Please note that the sample scenarios shown here may not fit AS IS to all the scenarios within your organization but could act as an inspiration for using the scoped roles within Datasphere.
Also, you can also refer to the previous blogs, as mentioned below, to get more details about this feature.
Note:This feature is shipped on 17th of October 2023 for SAP Datasphere tenants in Asia Pacific Region. On October 31st 2023 it will be shipped for SAP Datasphere tenants in American and European landscapes.
In first case, let us assume, Company ABC LTD wants to govern their users Centrally via scoped roles for centrally managing the DWH functions like Integration, Modelling, Consumer etc. , as shown below.
Fig1: Scenario 1 – Centralized, All or Nothing
From above diagram, below scoped roles could be used by the company ABC LTD within their DS landscape.
Role |
Template |
Area |
Scope |
Users |
SRC_Consumer | DW Consumer | Sales, Finance | Sales, Finance | All Business users |
SRC_Viewer | DW Viewer | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM | All Business Analysts, Few Senior Modelers |
SRC_Modeler | DW Modeler | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP | Central Modelling team |
SRC_MDM | DW Modeler | MDM | Master Data | Central MDM team |
SRC_Integration | DW Integrator | Sales, Finance | S/4, BW, CRM | Central Integration Team |
For creating the new users, tenant admin needs to follow below steps:
In second case, let us assume that for company XYZ LTD, wants to restrict and fine tune the access at the space level for each department for example Sales and Finance.
In Datasphere, this can be achieved using 2 approaches – Centralized and Decentralized.
Fig2: Scenario 2 – Centralized Approach
From above diagram, we see that a separate scoped role is created for the different Business department across different DWH functions, as explained below:
Role |
Template |
Area |
Scope |
Users |
SRC_Sales_Consumer | DW Consumer | Sales | Sales | Sales Business users |
SRC_Sales_Viewer | DW Viewer | Sales | Sales, Delivery, Invoicing, Orders, S/4, BW, CRM | Sales Business Analysts, Few Senior Modelers |
SRC_Sales_Modeler | DW Modeler | Sales | Sales, Delivery, Invoicing, Orders | Sales Modelling team |
SRC_Finance_Consumer | DW Consumer | Finance | Finance | Finance Business users |
SRC_Finance_Viewer | DW Viewer | Finance | Finance, GL, AR, AP, S/4, BW, CRM | Finance Business Analysts, Few Senior Modelers |
SRC_Finance_Modeler | DW Modeler | Finance | Finance, GL, AR, AP | Finance Modelling team |
SRC_MDM_Modeler | DW Modeler | MDM | Master Data | Central MDM team |
SRC_Integration | DW Integrator | Sales, Finance | S/4, BW, CRM | Central Integration Team |
As an alternative to above scenario, decentralized approach can also be used. In this approach, a tenant admin will create a single scoped role for each DWH function but will isolate the user access between employees from different departments by assigning the respective spaces during user assignment in the scoped role.
Also, tenant admin can delegate the responsibility to a space admin for assigning the roles to user via space management UI.
Fig3: Scenario 2 – Decentralized Approach
From above diagram, we see that below roles are used by the company XYZ LTD in their DS landscape.
Role |
Template |
Area |
Scope |
Users |
SRD_Consumer | DW Consumer | Sales, Finance | Sales, Finance |
Sales Business users with scope assignment limited to space Sales Finance Business users with scope assignment limited to space Finance |
SRD_Viewer | DW Viewer | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM |
Sales Business Analysts + Few Senior Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders, S/4,BW Finance Business Analysts + Few Senior Modelers with scope assignment limited to space Finance, GL, AR, AP,CRM,BW |
SRD_Modeler | DW Modeler | Sales, Finance | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP |
Sales Modelers with scope assignment limited to space Sales, Delivery, Invoicing, Orders Finance Modelers with scope assignment limited to space Finance, GL, AR, AP |
SRC_MDM | DW Modeler | MDM | Master Data spaces | Central MDM team |
SRD_Integration | DW Integrator | Integration |
S/4, BW, CRM |
Sales Integration team with scope assignment limited to space CRM and BW Finance Integration team with scope assignment limited to space S/4 and BW |
SRD_Space_admin | DW Space Administrator | ADMINISTRATION | Sales, Delivery, Invoicing, Orders, Finance, GL, AR, AP, S/4, BW, CRM |
Sales ADMIN team with scope assignment limited to space Sales, Delivery, Invoicing, Orders Finance ADMIN team with scope assignment limited to space Finance, GL, AR, AP MDM ADMIN team with scope assignment limited to space Master Data Integration ADMIN team with scope assignment limited to space Integration S/4, BW, CRM |
Alternatively, Tenant admin can delegate a space admin to grant access to the spaces as explained below.
Based on your past strategy, you might be able to use these converted roles without any tweaks for any of the above highlighted scenarios.
This blog introduced you to the different scenarios in which scoped roles can help.
Thanks for reading! I hope you find this blog helpful. For any questions or feedback just leave a comment below this post. Feel free to also check out the other blog posts in the series.
Best wishes,
Jai Gupta
Find more information and related blog posts on the topic page for SAP Datasphere .