User Roles and Permissions

In the User Roles and Permissions section of the administration area, you can:

• Create custom user roles — if you’re managing roles within your single sign-on (SSO) identity provider (IdP)
• Edit translations for user roles
• Modify role-based permissions unrelated to fact sheets

User Roles

In SAP LeanIX, the following standard user roles are available by default: Viewer, Member, and Admin. If SSO is enabled for your organization and you're managing roles within your IdP, you can create custom roles in addition to standard ones.

Standard User Roles

The following table lists standard user roles available in SAP LeanIX.

As an admin, you can adjust permissions for non-admin roles. For more information, see Role-Based Permissions.

📘

Note

You cannot delete standard user roles.

Custom User Roles

When configuring SSO for SAP LeanIX, you choose how you want to manage user roles: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.

The possibility to create custom user roles depends on how you manage roles:

• Managing user roles internally within SAP LeanIX: Only standard roles are available: Viewer, Member, and Admin. You can not create custom user roles.
• Managing user roles externally within your IdP: You can create custom user roles in addition to standard ones. This lets you assign permissions that are more granular than those provided by standard roles.

📘

Note

• A standard role is still required for access, but the custom role takes precedence.
• If a user is assigned multiple custom roles, their permissions are aggregated.

Creating Custom User Roles

Follow these steps:

1. In your IdP, add claims role and customerRoles, then create the corresponding roles.

   • role: Create the following roles using uppercase letters: VIEWER, MEMBER, and ADMIN.
   • customerRoles: Create custom user roles using uppercase letters, for example, AUDITOR.
     To learn more about attribute mapping, see Attribute Mapping.

2. In SAP LeanIX, create the corresponding user roles in the User Roles section of the administration area.

   1. Click New User Role. You land on the role configuration page.

   2. In the Technical Name field, enter the role name using uppercase letters as specified in your IdP, for example, AUDITOR. The name serves as the unique role ID.

   3. Optional: Clone permissions for the custom role from an existing role. This is a one-time snapshot, not a dynamic relation that is actively maintained. If you skip this option, the new custom role gets a set of default permissions, ensuring that the workspace functions as expected.

   4. Optional: Add translations for the technical name to provide a more user-friendly format for the role label. Translations appear in various areas of the application. Select languages, then enter a translation and description for each language.

   5. Click Add.

   6. Create more custom roles to match the role matrix in your IdP.

      

3. In SAP LeanIX, configure permissions for each custom role. To learn more about permissions, see Role-Based Permissions.

After you’ve configured custom roles, you can assign these roles to users in your IdP. Users get access to SAP LeanIX with the permissions that you configured.

With this configuration, you can’t assign custom roles to users in your SAP LeanIX workspace. You can only do it in your IdP.

Role-Based Permissions

In SAP LeanIX, user permissions are based on their assigned roles. As an admin, you can configure permissions for non-admin user roles as needed. Permissions fall into two main categories:

• Fact sheet permissions: Configure these in the Meta Model Configuration section of the administration area. For more details, see Fact Sheet Permissions.
• Permissions unrelated to fact sheets: Configure these in the User Roles and Permissions section of the administration area. For an overview of permissions, refer to the following table. Permissions for the admin role are read-only to ensure all workspace admins can view and modify items.

The table below lists permissions unrelated to fact sheets.

👍

Recommendation

As a best practice, grant full permissions sparingly and avoid assigning all available permissions to every role. By ensuring that only users with the appropriate roles have the ability to modify data, you can maintain its quality and prevent unintended changes.

Configuring Role-Based Permissions

👍

Tip

Configure fact sheet permissions for non-admin roles in the Meta Model Configuration section of the administration area. For more information, see Fact Sheet Permissions.

To configure role-based permissions unrelated to fact sheets, follow these steps:

1. In the administration area, navigate to the User Roles and Permissions section.

2. Select a role for which you want to configure permissions.

3. On the role editing page, navigate to the Permissions tab.

4. Adjust permissions as needed using relevant checkboxes.

5. Save the changes.