In the first part of the blog we have seen the changes introduced with the file repository integration of Data Action (DA) and Multi Action (MA). this second part we will have at look at the permission setups required in different areas and the FAQs.
Part II Content:
Helpful Hints
Required Permissions for DA/MA and Related Artifacts
The integration of DA/MA into file repository means that the assignment of permissions for these two artifacts needs to be considered as well when setting up a business logic. Below is an overview of the required permissions, together with those of the related artifacts:
For User Triggering DA/MA
Source Model | Target Model | Data Action | Multi Action | Story/App containing DA/MA | |
Permission | Read | Read, Maintain | Read, Execute | Read, Execute | Read |
Purpose | Reading Data | Write data, see results (To do planning) |
Trigger | Trigger | Consume
(To do planning) |
For User Creating DA/MA (and Frontend for Trigger)
Source Model | Target Model | Data Action | Multi Action | Story/App containing DA/MA | |
Permission | Read | Read, Maintain | Read, Execute, Create, Update, Delete | Read, Execute, Create, Update, Delete | Read, Update |
Purpose | Reading Data | Write data, see results (Trigger Testing) |
Creation and maintenance | Creation and maintenance | Consume
(Testing) |
The permissions shown above need to be the results of aggregated permissions granted in the following areas:
-
- Role Permission
- Public/private file access (if used)
- Overall DA/MA permissions
- Workspace membership (if workspace is used)
- File repository share permissions
- Role Permission
This means that the required permission setup for DA/MA is as follows:
- For users triggering DA/MA
- Public/private file access (role permission): Read
- Overall DA/MA access (role permission): Read, Execute
- If the DA/MA is stored in a workspace, the user must be assigned as a member to the workspace
- Individual DA/MA Permission (File Repository Share Permission): Read (it includes Execute implicitly, when granted via role permission)
- For users creating DA/MA
- Public/private file access (role permission): Create, Read, Delete, Manage
- Overall DA/MA access (role permission): Create, Read, Delete, Update, Execute
- If the DA/MA should be stored in a workspace, the user must be assigned as a member to the workspace
- Individual DA/MA Permission (File Repository Share Permission): (They are file owners but also subjected to the role permission setup.)
Note: Creators will also need Create Files permission for the target folder where they wish to save the DA/MA.
Points to Remember
Remember to assign “Read” to content importers
As mentioned in part I of the blog, the Read permission does not come automatically with Create in the overall setting for DA/MA under role permissions, hence care should be taken to assign this to DA/MA creators. But do note that content importers, since they will become file owners of imported DA/MA, will require Read permission too to see the imported artifacts.
If the content importers should also be able to overwrite existing artifacts (for example in cases of re-importing) do remember to grant them Update permission.
If using workspaces, remember that moving artifacts from public into the workspace will reset the file repository permissions.
Hence, to avoid double configuration work, set up the permissions for individual DA/MA after having moved them into the designated workplace and conduct testing from there.
Folders are not workspaces
Unsharing Read permission to a folder containing shared DA/MA will not withdraw the access to those artifacts via default. To unshared those as well, remember to select the option “To the selected folder, its subfolders, and files” at the point of removing the access.
This is different for workspaces, where contained artifacts are not accessible to users with no authorization to the workspace itself.
Likewise, when moving shared DA/MA to an unshared folder, the existing access will not be withdrawn. To remove access, remove Read permission of the DA/MA from the file repository share dialog.
FAQ
Questions to DA/MA Creation:
Q: Why is the page listing all DA/MA now blank?
A: The list which used to contain all DA/MA is now showing only recently opened files by the current user. The previously created DA/MA before wave 20203.06 are not gone but integrated into the file repository.
Q: The user has created a DA/MA, but it cannot be found in the file repository?
A: Make sure the user has been granted Read for the overall DA/MA setting under the role permission setup.
Q: The user is creating a DA/MA and cannot return to editing after refreshing, because “File not found”. What is happening?
A: Similar to the above, the created DA/MA is not lost if it has been saved beforehand. Make sure the user has been granted Read for the overall DA/MA setting under the role permission setup.
Q: The user has started creating a DA/MA, but why can it not be saved?
A: Check if the user has been granted the Create Files permission for the target folder.
Q: The user has created a DA/MA, is file owner, but does not seem to have full access and cannot update or execute the DA/MA
A: File owners of DA/MA do not have full access as a default but are subjected to the permissions granted in their role permission setup. Grant the user all permissions there to enable full privilege.
Questions to DA/MA Trigger Execution:
Q: The user sees a DA/MA trigger in the story/app, but it is inactive and cannot be triggered?
A: Check the user’s role permission setup for DA/MA and grant Execute permission if it is missing.
Q: The user sees a DA/MA trigger in the story/app; it appears to be active, but upon trigger an error appears stating that the DA/MA has been deleted or there is no permission to access it? (It is not deleted.)
A:Permissions for DA/MA are aggregated permissions granted via different areas. Check hence the following:
- Workspace permission: Is the DA/MA stored in a workspace? If yes, check if user is assigned as a member to the workspace
- File repository permission: Is the specific DA/MA shared with the user? The user requires here Read permission for the execution.
Questions to DA/MA Import/Export:
Q: After import, the DA/MA cannot be found?
A: Check the user’s role permission setup for DA/MA and grant Read permission if it is missing.
Q: A user has imported a DA/MA but now cannot re-import and overwrite it?
A: Check the user’s role permission setup for DA/MA and grant Update permission if it is missing.
Q: Can DA/MA be exported from a tenant with the file repository integration (toggled on) into a tenant without the integration (toggled off)?
A: No, this is not possible. But it is possible the other way around: to export from a tenant with the file repository integration toggled off into another which has the integration toggled on.
Further Reading
The latest details to the file repository integration of DA/MA will be available in the in-app help in wave 2023.06. Navigate to the information by:
- In SAP Analytics Cloud, select Data Actions or Multi Actions from the side navigation and select Help from the shell bar.
- Select Help again within the pop-up.
Questions to the DA/MA file repository integration can also be posted in the SAP community.