User Roles and Permissions
Adjust role-based permissions and define custom roles.
In the User Roles and Permissions section of the administration area, you can:
- Create custom user roles — if you’re managing roles within your single sign-on (SSO) identity provider (IdP)
- Edit translations for user roles
- Modify role-based permissions unrelated to fact sheets
User Roles
In SAP LeanIX, the following standard user roles are available by default: Viewer, Member, and Admin. If SSO is enabled for your organization and you're managing roles within your IdP, you can create custom roles in addition to standard ones.
Standard User Roles
The following table lists standard user roles available in SAP LeanIX.
User Role | Default Fact Sheet Permissions |
---|---|
Viewer | Can view, subscribe to, and comment on all fact sheets. |
Member | Can view, create, and modify all fact sheets. |
Admin | Has all permissions of a member user as well as administrator permissions for a workspace. |
As an admin, you can adjust permissions for non-admin roles. For more information, see Role-Based Permissions.
Note
You cannot delete standard user roles.
Custom User Roles
When configuring SSO for SAP LeanIX, you choose how you want to manage user roles: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.
The possibility to create custom user roles depends on how you manage roles:
- Managing user roles internally within SAP LeanIX: Only standard roles are available: Viewer, Member, and Admin. You cannot create custom user roles.
- Managing user roles externally within your IdP: You can create custom user roles in addition to standard ones. This lets you assign permissions that are more granular than those provided by standard roles.
Note
- A standard role is still required for access, but the custom role takes precedence.
- If a user is assigned multiple custom roles, their permissions are aggregated.
Creating Custom User Roles
Follow these steps:
1. In your IdP, add claims `role` and `customerRoles`, then create the corresponding roles.
   - `role`: Create the following roles using uppercase letters: `VIEWER`, `MEMBER`, and `ADMIN`.
   - `customerRoles`: Create custom user roles using uppercase letters, for example, `AUDITOR`.

   To learn more about attribute mapping, see Attribute Mapping.
2. In SAP LeanIX, create the corresponding user roles in the User Roles section of the administration area.
   1. Click New User Role. You land on the role configuration page.
   2. In the Technical Name field, enter the role name using uppercase letters as specified in your IdP, for example, `AUDITOR`. The name serves as the unique role ID.
   3. Optional: Clone permissions for the custom role from an existing role. This is a one-time snapshot, not a dynamic relation that is actively maintained. If you skip this option, the new custom role gets a set of default permissions, ensuring that the workspace functions as expected.
   4. Optional: Add translations for the technical name to provide a more user-friendly format for the role label. Translations appear in various areas of the application. Select languages, then enter a translation and description for each language.
   5. Click Add.
   6. Create more custom roles to match the role matrix in your IdP.
3. In SAP LeanIX, configure permissions for each custom role. To learn more about permissions, see Role-Based Permissions.
After you’ve configured custom roles, you can assign these roles to users in your IdP. Users get access to SAP LeanIX with the permissions that you configured.
With this configuration, you can’t assign custom roles to users in your SAP LeanIX workspace. You can only do it in your IdP.
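The claim rules above can be checked offline before rollout. The following is an added example, not SAP LeanIX code or its API: it validates a user's `role` and `customerRoles` claims against the Technical Names defined in the workspace and aggregates permissions across multiple custom roles. The claim layout (a list for `customerRoles`), the sample users, the `PRESENTER` and `REVIEWER` roles, and the permission labels are constructed assumptions.

```python
# Added example: an offline pre-flight check, not SAP LeanIX code or its API.
STANDARD_ROLES = {"VIEWER", "MEMBER", "ADMIN"}

# Constructed sample: custom roles defined in the workspace, keyed by
# Technical Name. The permission labels are hypothetical.
WORKSPACE_ROLES = {
    "AUDITOR": {"portals:open", "surveys:manage"},
    "PRESENTER": {"presentations:manage"},
}


def check_claims(claims):
    """Return a list of problems in one user's role / customerRoles claims."""
    problems = []
    role = claims.get("role")
    if role is None:
        problems.append("missing standard role claim")
    elif role not in STANDARD_ROLES:
        hint = " (not uppercase)" if role.upper() in STANDARD_ROLES else ""
        problems.append(f"role {role!r} is not a standard role{hint}")
    for custom in claims.get("customerRoles", []):
        if custom != custom.upper():
            problems.append(f"custom role {custom!r} is not uppercase")
        elif custom not in WORKSPACE_ROLES:
            problems.append(f"custom role {custom!r} has no matching Technical Name")
    return problems


def effective_permissions(claims):
    """Aggregate permissions over all custom roles known to the workspace."""
    perms = set()
    for custom in claims.get("customerRoles", []):
        perms |= WORKSPACE_ROLES.get(custom, set())
    return perms


# Constructed sample claims, as they might be exported from an IdP.
SAMPLE_USERS = {
    "alice": {"role": "VIEWER", "customerRoles": ["AUDITOR", "PRESENTER"]},
    "bob": {"role": "viewer", "customerRoles": ["Auditor"]},
    "carol": {"customerRoles": ["REVIEWER"]},
}

if __name__ == "__main__":
    for user, claims in SAMPLE_USERS.items():
        print(user, check_claims(claims) or "ok", sorted(effective_permissions(claims)))
```

Running the check against an export of IdP role assignments surfaces users whose claims would not map to any configured role before they attempt to sign in.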
Role-Based Permissions
In SAP LeanIX, user permissions are based on their assigned roles. As an admin, you can configure permissions for non-admin user roles as needed. Permissions fall into two main categories:
- Fact sheet permissions: Configure these in the Meta Model Configuration section of the administration area. For more details, see Fact Sheet Permissions.
- Permissions unrelated to fact sheets: Configure these in the User Roles and Permissions section of the administration area. For an overview of permissions, refer to the following table. Permissions for the admin role are read-only to ensure all workspace admins can view and modify items.
The table below lists permissions unrelated to fact sheets.
Feature | Permissions | Related Information |
---|---|---|
Portals | Open, delete, create, and update portals | Portals |
Collections | Manage entries within collections and manage collections | Collections |
Surveys | Create and manage surveys | Surveys |
Fact sheet shape templates | Manage fact sheet shape templates in diagrams: view, delete, create, update, change the owner, change default settings, and unlock custom templates | Fact Sheet Shape Templates |
Presentations | Manage presentations | Presentations |
Discovery inboxes | Access to the SAP landscape discovery inbox and SaaS discovery inbox | SAP Landscape Discover Inbox, SaaS Discovery Inbox |
Recommendation
As a best practice, grant full permissions sparingly and avoid assigning all available permissions to every role. By ensuring that only users with the appropriate roles have the ability to modify data, you can maintain its quality and prevent unintended changes.
Configuring Role-Based Permissions
Tip
Configure fact sheet permissions for non-admin roles in the Meta Model Configuration section of the administration area. For more information, see Fact Sheet Permissions.
To configure role-based permissions unrelated to fact sheets, follow these steps:
1. In the administration area, navigate to the User Roles and Permissions section.
2. Select a role for which you want to configure permissions.
3. On the role editing page, navigate to the Permissions tab.
4. Adjust permissions as needed using relevant checkboxes.
5. Save the changes.