headershadow

How to create users,team and task profiles in BPC 10.0

Print Friendly

This article gives overview of security settings which can be done in Business Planning and Consolidation 10.0 .It describes how a team, task profile and data access profile can be created and how BPC security can be managed.

Introduction

SAP Business Objects Planning and Consolidation (a component of SAP Business Objects EPM portfolio) is an application dedicated to financial processes on a unified platform. Owned by the business and designed for the end user, it is the target environment to support planning, consolidation and financial reporting, through unique functionalities like Business Process Flow and tight Microsoft Office integration.

It uses Enterprise Performance Management to enable reporting and planning. Like other SAP components, this also needs to be secured to enable access only to authorized users and to relevant functionalities.

Security Terminology

Following needs to be set up to enable authorization restriction:

  • User:

End users of the application.  BPC users require an SAP BW named account with specific access.

  • Tasks:

Specific application level access right/permissions.  E.g. Manage Environments, View Environments, Manage Security, etc.

  • Task Profile:

A collection of granted tasks. A Task Profile determines what type of activities or tasks a user or team can perform in BPC.

  • Data Access Profile:

A collection of read, writes, or denies member access rights to each dimension of the model.

  • Team:

A group of users with a common task profile and data access profile.  A team can have a team lead who have special access rights to the Team’s folder

  • Environment:

It is a shell or BPC client in which all configuration and data reside. There can be more than one environment

 

User Authorization

User’s Authorizations is determined by the team assigned.

 

Team

A Team is a group of users and fairly equivalent to a SAP NetWeaver role. Task Profiles and Member Access Profiles are assigned to a Team.  A team can contain one or more task profile and member access profile. BPC has “Admin” team by default. Following are the features of team:

  • Team can be added to user to enable the access
  • The Manage Security task is required to modify, create, or delete Teams
  • Any team member can be identified as a Team Lead, which provides management access to the Team’s Folder

 

Step by step creation of team

  • Log in to web Interface of Environment in scope
  • Click on Planning and Consolidation Administration

BPC_Ani1

  • Select Team on Administration tab and click new. Give the name of team in “ID” and description in “Description”

BPC_Ani2

 

  • Click next and save the team created
  • Team can be modified and deleted
  • We can assign a team lead to the team if special access rights to the team’s folder have to be given to some user

Task Profile

A Task Profile determines what type of activities or tasks a user or team can perform in BPC.BPC has 3 task profiles by default:

Default Task Profiles:

  • PrimaryAdmin
  • SecondaryAdmin
  • SystemAdmin

 

Step by step creation of task profile:

  • Log in to web Interface of Environment in scope.
  • Click on Planning and Consolidation Administration
  • Select Task Profiles on Administration tab and click new. Give the name of task Profile in “ID” and description in “Description” and click next.

BPC_Ani3

  • Second step is to map available task Ids to task profile.These task Ids helps to customize the access which task profile should give the access.For Example, if the team has to be created for audit team, then task profile should have task id “Manage Audit”.

BPC_Ani4

 

Data Access Profile

Data access profile needs to be created for security dimensions of model. If the data access profile is not assigned to team to which user is assigned, user does not have access to the model .If we partially define access, for example for one of the two secured dimensions, users are still denied access to the model.

 

Step by step creation of Data Access profile:

Below are the steps followed while creating data access profiles:

 

    • Log in to web Interface of Environment in scope.
    • Click on Planning and Consolidation Administration
    • Select Data Access Profiles on Administration tab and click new. Give the name of Data Access Profile in “ID” and description in “Description”.

BPC_Ani5

    • On Member access tab, choose the model. Once chosen select the members and the type of access (Read/Write) for that member.
    • Click on Tab “Team” and choose the team with which data access profile has to be associated.
    • Click Save to create the profile.
    • Team, together with Task Profile and Data Access profile will give necessary access to the user.

    Users

    BPC uses Dialog users .Users should be present in BI ABAP system and should have flex client and UM user roles which are mentioned at the end of this document. Users can be added, modified and deleted.

    Deletion will only delete users from BPC but will not delete from ABAP System.

    Steps to Create Users

    • Log in to web Interface of Environment in scope.
    • Click on Planning and Consolidation Administration
    • Select Users on Administration tab and click “Add”. Select the user by searching the user name and click on Add.
    • Click on next. Assign the team which you want to assign the user. Click Next
    • This will add user to BPC Portal

BPC_Ani6

 

User Authentication

Users action can be restricted using task profiles and data access profiles. Task profiles define what type of activities or tasks a user or a team of users can perform. Data access profiles define the specific models and data within the models to which users have access.

 

To access BPC portal, user should have following roles in BW ABAP system:

  • POA/BUI_FLEX_CLIENT: A role that is required to start the Flex client..It includes authorization object /POA/A_RST.

 

  • /POA/BUI_UM_USER: A role that is required to work with user management in particular for retrieving roles and user information.

 

 

 

I am working in SAP Security since 7.5 years and have worked on Security Components like R3 , BI ,BO ,BPC ,SCM ,CRM ,Fiori,GRC Ac 10.0 and 10.1
More about

15 thoughts on “How to create users,team and task profiles in BPC 10.0


Comment author said

By Bala Krishnan on 26 November 2013 at 20:01

Excellent document. Thanks Anushka!

regards,
Bala Krishnan, CISA, CIPP/IT
Sr. SAP Security & Compliance Consultant

 

Comment author said

By Anika Gupta on 13 December 2013 at 20:10

Thanks Bala

 

Comment author said

By vivek on 12 December 2013 at 13:40

Hi thanks for such a good blog...Hope u keep posting..

Need some more insight into the topic as i will start to support on the same.

I have a request to add user to new customer group.

I.e:
the user belongs to the Hypermarket customer group
but now also needs access to supermarket group.

How do i proceed with this?

 

Comment author said

By Subra Manian on 15 July 2015 at 21:56

Very well written document. Is there a way I can find out who all have access to make changes to Dimensions, for example? Thanks again.

 

Comment author said

By Joy Srayil on 10 August 2015 at 23:31

In SAP BPC NW 7.5,we can only provide access to users only for entity and profit centre. Can we provide access to accounts as well in BPC 10?

 

Comment author said

By syed on 25 August 2015 at 15:25

Hi Anika Gupta, Nice presentation
i want only some users to add user in web client ,create team, task profile and data access profile .
Can you please tell me how to restrict this .

 

Comment author said

By Anika Gupta on 26 August 2015 at 02:17

Hi Syed

You can create TP and DP with security access and assign to only those users whom you want to authorize for user creation,TP creation and DP creation.
Hope this answers your question.

 

Comment author said

By Caroline on 30 March 2016 at 07:01

This is cryastl clear. Thanks for taking the time!

 

Comment author said

By Manoj on 25 August 2016 at 09:53

Hi Everyone,

Thank you so much for the detailed documentation in BPC.

Could you please suggest name SAP Standard document where I can be able to find all details of BPC security.

 

Comment author said

By abbey on 9 November 2016 at 20:59

Any idea how to add many users at one time rather than one by one?

 

Comment author said

By abbey on 9 November 2016 at 21:01

Sorry... how to search and add more than 1 at a time. Is there a way to paste a list of user IDs per team?

 

Comment author said

By Anika Gupta on 10 November 2016 at 23:41

There is no way you can paste the list of users.However if you are managing security from backend BI system then you can add the access to multiple users through SU10.

 

Comment author said

By Amparo G. on 28 February 2017 at 23:27

Hi Anika!

Thanks for the information is really useful because in my company are living a migration for HANA.

Actually, we has BPC 7.5 but with the migration we will has BPC 10.0 and I know that some things about security administration change.

I have a question, actually, the users are created on the SAP BPC Server Manager, for this version, only Do we assignment the roles on BW system for reading on the Console?

Thank you!

 

Comment author said

By Anika Gupta on 1 March 2017 at 00:36

Yes.You need to assign below roles for console
To access BPC portal, user should have following roles in BW ABAP system:

POA/BUI_FLEX_CLIENT: A role that is required to start the Flex client..It includes authorization object /POA/A_RST.

/POA/BUI_UM_USER: A role that is required to work with user management in particular for retrieving roles and user information

 

Comment author said

By Amparo G. on 1 March 2017 at 00:39

Thanks for your help :)

 

Leave a Reply


*