How to authorize for BPC Planning in SAC
1. General
When you want to plan with BPC Planning in SAC to BW, the authorization is set-up in three parts:
- 1. BPC Roles and authorizations
- 2. BPC Web Client (Data Access Profiles)
- 3. SAC set-up for planning and update access
In the following document, the best practice set-up for planning with BPC in SAC is explained.
2. Set-Up
2.1. BW Roles and BPC Web Client Access
To get the connection for BPC planning, it is necessary to set up a profile on the BPC Web Client. Only one profile with all planning BW models is needed and should be set to “WRITE”. Users who have access to the models through their BW roles.
All models including with write access. Users are taken automatically and can be seen on the “Users”-Tab.
After setting up the profile in the BPC Web Client, a role is created on BW automatically. This role always starts with ZBPC* and contains authorization profile for RSBPC_DAP with the following values. Without this role it is not working.
Add the role to Users profiles (best add to a “combined” planning role) who plan in SAC.
BPC content authorization in BW stays as it is, no changes are required.
2.2 SAP Analytics Cloud Access
It is not necessary to have a planning professional role for end users to plan in SAC via BPC. It’s enough to create a custom role under planning standard.
In order for end users to plan but NOT change anything within the planning story/dashboard the role needs read only access to public files. For many customers the end users usually plan but not create any stories or dashboards. They will get the link to the respective corporate story and plan their numbers accordingly.
In the following screenshot a sample role is shown with the necessary ticks on read for public files and on execute and maintain for planning models. Additionally, granting execution access to the data sources is essential.
After assigning the teams/users to the role it is possible to further maintain custom access on Folder, Model and Story to prevent users from changing any pre-defined set-up.
2.2.1 Folder
For Folder Access click the share icon next to the folder name and add the teams with their access rights. Admin would have full access, end users would have “view” (example is shown in the next section). In special circumstances other user groups would require to set a “custom access”.
Example: Key Users with the authorization to create Folders and Files as well as Share
End-user, who only need “view” to see the folder and plan on the stories within.
2.2.2 Story
Afterwards the planning stories can be configured within the share access.
Example: Story Custom Access Team A for BPC Planning, Team B and C only view rights and the development team gets different custom access as well. This broadens the role that we saw previously for the necessary authorization.
2.2.3 Model
Important here that the authorization is set-up to “Update” and “Maintain” for the Model to write back the new planning data set. Only necessary for the planning models and not for the reporting models. Reporting Models only need View access. This is required to update the planning model with the new numbers and write back to BW.
If it is not set to “Update” and “Maintain”, the user will get an error message “authorization for maintenance missing”, which could lead to the administrator suspecting, the user needs a tick at “manage” for public files. Downside on this is, that the end user is then able to change the story themselves which would then be changed for everyone in return and lead to chaos among planning set-ups.
Actually missing though, was the tick by the Custom Access on “maintain” and “update” for the models.
We hope this blog helps you to identify the best practice for setting up a smooth BPC Planning process.