User Roles and Permissions
Modify role-based permissions and define custom roles.
In the User Roles and Permissions section of the administration area, you can:
- Modify role-based permissions that are not related to fact sheets
- Create custom user roles — if you’re managing roles within your single sign-on (SSO) identity provider (IdP)
- Edit translations for user roles
User Roles
In SAP LeanIX, the following standard user roles are available by default: Viewer, Member, and Admin. If SSO is enabled for your organization and you're managing roles within your IdP, you can create custom roles in addition to standard ones.
Standard User Roles
The following table lists standard user roles available in SAP LeanIX.
User Role | Default Fact Sheet Permissions |
---|---|
Viewer | Can view, subscribe to, and comment on all fact sheets. |
Member | Can view, create, and modify all fact sheets. |
Admin | Has all permissions of a member user as well as administrator permissions for a workspace. |
As an admin, you can adjust permissions for non-admin roles. For more information, see Role-Based Permissions.
Note
You can not delete standard user roles.
Custom User Roles
When configuring SSO for SAP LeanIX, you choose how you want to manage user roles: internally within SAP LeanIX or externally within your IdP. For more information, see Managing User Roles with SSO.
The possibility to create custom user roles depends on how you manage roles:
- Managing user roles internally within SAP LeanIX: Only standard roles are available: Viewer, Member, and Admin. You can not create custom user roles.
- Managing user roles externally within your IdP: You can create custom user roles in addition to standard ones. This lets you assign permissions that are more granular than those provided by standard roles.
Note
- A standard role is still required for access, but the custom role takes precedence.
- If a user is assigned multiple custom roles, their permissions are aggregated.
Creating Custom User Roles
Follow these steps:
-
In your IdP, add claims
role
andcustomerRoles
, then create the corresponding roles.role
: Create the following roles using uppercase letters:VIEWER
,MEMBER
, andADMIN
.customerRoles
: Create custom user roles using uppercase letters, for example,AUDITOR
.
To learn more about attribute mapping, see Attribute Mapping.
-
In SAP LeanIX, create the corresponding user roles in the User Roles section of the administration area.
-
Click New User Role. You land on the role configuration page.
-
In the Technical Name field, enter the role name using uppercase letters as specified in your IdP, for example,
AUDITOR
. The name serves as the unique role ID. -
Optional: Clone permissions for the custom role from an existing role. This is a one-time snapshot, not a dynamic relation that is actively maintained. If you skip this option, the new custom role gets a set of default permissions, ensuring that the workspace functions as expected.
-
Optional: Add translations for the technical name to provide a more user-friendly format for the role label. Translations appear in various areas of the application. Select languages, then enter a translation and description for each language.
-
Click Add.
-
Create more custom roles to match the role matrix in your IdP.
-
-
In SAP LeanIX, configure permissions for each custom role. To learn more about permissions, see Role-Based Permissions.
After you’ve configured custom roles, you can assign these roles to users in your IdP. Users get access to SAP LeanIX with the permissions that you configured.
With this configuration, you can’t assign custom roles to users in your SAP LeanIX workspace. You can only do it in your IdP.
Role-Based Permissions
In SAP LeanIX, user permissions are determined by their assigned roles, meaning permissions are role-based. All permissions fall into two main categories:
- Fact sheet permissions: You can configure fact sheet permissions for non-admin roles in the Meta Model Configuration section of the administration area. For more information, see Fact Sheet Permissions.
- Permissions unrelated to fact sheets: You can configure permissions that are not related to fact sheets in the User Roles and Permissions section of the administration area. Permissions for the admin role are read-only to prevent a situation where all workspace admins can’t view or modify certain items. For non-admin roles, you can configure permissions for the following items:
- Portals
- Collections
- Surveys
- Fact sheet shape templates for diagrams
- Presentations
- Discovery inboxes
Configuring Permissions Unrelated to Fact Sheets
To configure permissions unrelated to fact sheets for a non-admin user role, follow these steps:
-
In the administration area, navigate to the User Roles and Permissions section.
-
Select a role for which you want to configure permissions.
-
On the role editing page, navigate to the Permissions tab.
-
Adjust permissions as needed using relevant checkboxes.
-
Save the changes.
Recommendation
As a best practice, grant full permissions sparingly and avoid assigning all available permissions to every role. By ensuring that only users with the appropriate roles have the ability to modify data, you can maintain its quality and prevent unintended changes.
Updated 25 days ago