HomeDocumentationProduct UpdatesProduct Roadmap
User Docs
Request DemoWebsite

User Roles and Permissions

Modify role-based permissions and define custom roles.

Suggest Edits

In the User Roles and Permissions section of the administration area, you can:

  • Modify role-based permissions that are not related to fact sheets
  • Create custom user roles — if you’re managing roles within your single sign-on (SSO) identity provider (IdP)
  • Edit translations for user roles

User Roles

In SAP LeanIX, the following standard user roles are available by default: Viewer, Member, and Admin. If SSO is enabled for your organization and you're managing roles within your IdP, you can create custom roles in addition to standard ones.

Standard User Roles

The following table lists standard user roles available in SAP LeanIX.

User RoleDefault Fact Sheet Permissions
ViewerCan view, subscribe to, and comment on all fact sheets.
MemberCan view, create, and modify all fact sheets.
AdminHas all permissions of a member user as well as administrator permissions for a workspace.

As an admin, you can adjust permissions for non-admin roles. For more information, see Role-Based Permissions.

📘

Note

You can not delete standard user roles.

Custom User Roles

When configuring SSO for SAP LeanIX, you choose how you want to manage user roles: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.

The possibility to create custom user roles depends on how you manage roles:

  • Managing user roles internally within SAP LeanIX: Only standard roles are available: Viewer, Member, and Admin. You can not create custom user roles.
  • Managing user roles externally within your IdP: You can create custom user roles in addition to standard ones. This lets you assign permissions that are more granular than those provided by standard roles.

📘

Note

  • A standard role is still required for access, but the custom role takes precedence.
  • If a user is assigned multiple custom roles, their permissions are aggregated.

Creating Custom User Roles

Follow these steps:

  1. In your IdP, add claims role and customerRoles, then create the corresponding roles.

    • role: Create the following roles using uppercase letters: VIEWER, MEMBER, and ADMIN.
    • customerRoles: Create custom user roles using uppercase letters, for example, AUDITOR.
      To learn more about attribute mapping, see Attribute Mapping.

  2. In SAP LeanIX, create the corresponding user roles in the User Roles section of the administration area.

    1. Click New User Role. You land on the role configuration page.

    2. In the Technical Name field, enter the role name using uppercase letters as specified in your IdP, for example, AUDITOR. The name serves as the unique role ID.

    3. Optional: Clone permissions for the custom role from an existing role. This is a one-time snapshot, not a dynamic relation that is actively maintained. If you skip this option, the new custom role gets a set of default permissions, ensuring that the workspace functions as expected.

    4. Optional: Add translations for the technical name to provide a more user-friendly format for the role label. Translations appear in various areas of the application. Select languages, then enter a translation and description for each language.

    5. Click Add.

    6. Create more custom roles to match the role matrix in your IdP.

      Creating a Custom User Role

      Creating a Custom User Role

  3. In SAP LeanIX, configure permissions for each custom role. To learn more about permissions, see Role-Based Permissions.

After you’ve configured custom roles, you can assign these roles to users in your IdP. Users get access to SAP LeanIX with the permissions that you configured.

With this configuration, you can’t assign custom roles to users in your SAP LeanIX workspace. You can only do it in your IdP.

Role-Based Permissions

In SAP LeanIX, user permissions are determined by their assigned roles, meaning permissions are role-based. All permissions fall into two main categories:

  • Fact sheet permissions: You can configure fact sheet permissions for non-admin roles in the Meta Model Configuration section of the administration area. For more information, see Fact Sheet Permissions.
  • Permissions unrelated to fact sheets: You can configure permissions that are not related to fact sheets in the User Roles and Permissions section of the administration area. Permissions for the admin role are read-only to prevent a situation where all workspace admins can’t view or modify certain items. For non-admin roles, you can configure permissions for the following items:
    • Portals
    • Collections
    • Surveys
    • Fact sheet shape templates for diagrams
    • Presentations
    • Discovery inboxes

Configuring Permissions Unrelated to Fact Sheets

To configure permissions unrelated to fact sheets for a non-admin user role, follow these steps:

  1. In the administration area, navigate to the User Roles and Permissions section.

  2. Select a role for which you want to configure permissions.

  3. On the role editing page, navigate to the Permissions tab.

  4. Adjust permissions as needed using relevant checkboxes.

  5. Save the changes.

    Adjusting Non-Fact-Sheet Permissions for the Viewer Role

    Adjusting Permissions Unrelated to Fact Sheets for the Viewer Role

👍

Recommendation

As a best practice, grant full permissions sparingly and avoid assigning all available permissions to every role. By ensuring that only users with the appropriate roles have the ability to modify data, you can maintain its quality and prevent unintended changes.

Updated 6 days ago