How to create users,team and task profiles in BPC 10.

0
26 September 2013 |
BW/BI

Anika Gupta |

3 Comments |

SAP Authorizations,SAP

This article gives overview of security settings which can be done in Business Planning and Consolidation 10.0
.It describes how a team, task profile and data access profile can be created and how BPC security can be
managed.

Introduction
SAP Business Objects Planning and Consolidation (a component of SAP Business Objects EPM portfolio) is an
application dedicated to financial processes on a unified platform. Owned by the business and designed for the
end user, it is the target environment to support planning, consolidation and financial reporting, through unique
functionalities like Business Process Flow and tight Microsoft Office integration.
It uses Enterprise Performance Management to enable reporting and planning. Like other SAP components, this
also needs to be secured to enable access only to authorized users and to relevant functionalities.

Security Terminology
Following needs to be set up to enable authorization restriction:

User:

End users of the application. BPC users require an SAP BW named account with specific access.

Tasks:

Specific application level access right/permissions. E.g. Manage Environments, View Environments, Manage
Security, etc.

Task Profile:

A collection of granted tasks. A Task Profile determines what type of activities or tasks a user or team can
perform in BPC.

Data Access Profile:

A collection of read, writes, or denies member access rights to each dimension of the model.

Team:

A group of users with a common task profile and data access profile. A team can have a team lead who have
special access rights to the Teams folder

Environment:

It is a shell or BPC client in which all configuration and data reside. There can be more than one environment

User Authorization
Users Authorizations is determined by the team assigned.

Team

A Team is a group of users and fairly equivalent to a SAP NetWeaver role. Task Profiles and Member Access
Profiles are assigned to a Team. A team can contain one or more task profile and member access profile. BPC
has Admin team by default. Following are the features of team:

Team can be added to user to enable the access

The Manage Security task is required to modify, create, or delete Teams

Any team member can be identified as a Team Lead, which provides management access to the
Teams Folder

Step by step creation of team

Log in to web Interface of Environment in scope

Click on Planning and Consolidation Administration

Select Team on Administration tab and click new. Give the name of team in ID and description in
Description

Click next and save the team created

Team can be modified and deleted

We can assign a team lead to the team if special access rights to the teams folder have to be given to
some user

Task Profile
A Task Profile determines what type of activities or tasks a user or team can perform in BPC.BPC has 3 task
profiles by default:
Default Task Profiles:

PrimaryAdmin

SecondaryAdmin

SystemAdmin

Step by step creation of task profile:

Log in to web Interface of Environment in scope.

Click on Planning and Consolidation Administration

Select Task Profiles on Administration tab and click new. Give the name of task Profile in ID and
description in Description and click next.

Second step is to map available task Ids to task profile.These task Ids helps to customize the access
which task profile should give the access.For Example, if the team has to be created for audit team, then
task profile should have task id Manage Audit.

Data Access Profile

Data access profile needs to be created for security dimensions of model. If the data access profile is not
assigned to team to which user is assigned, user does not have access to the model .If we partially define
access, for example for one of the two secured dimensions, users are still denied access to the model.

Step by step creation of Data Access profile:

Below are the steps followed while creating data access profiles:

Log in to web Interface of Environment in scope.

Click on Planning and Consolidation Administration

Select Data Access Profiles on Administration tab and click new. Give the name of Data
Access Profile in ID and description in Description.


On Member access tab, choose the model. Once chosen select the members and the type of

access (Read/Write) for that member.

Click on Tab Team and choose the team with which data access profile has to be

associated.
Click Save to create the profile.

Team, together with Task Profile and Data Access profile will give necessary access to the

o
user.

Users
BPC uses Dialog users .Users should be present in BI ABAP system and should have flex client and UM user
roles which are mentioned at the end of this document. Users can be added, modified and deleted.
Deletion will only delete users from BPC but will not delete from ABAP System.

Steps to Create Users

o

Log in to web Interface of Environment in scope.

Click on Planning and Consolidation Administration

Select Users on Administration tab and click Add. Select the user by searching the user
name and click on Add.

Click on next. Assign the team which you want to assign the user. Click Next

This will add user to BPC Portal

User Authentication
Users action can be restricted using task profiles and data access profiles. Task profiles define what type of
activities or tasks a user or a team of users can perform. Data access profiles define the specific models and
data within the models to which users have access.

To access BPC portal, user should have following roles in BW ABAP system:

POA/BUI_FLEX_CLIENT: A role that is required to start the Flex client..It includes authorization
object /POA/A_RST.

/POA/BUI_UM_USER: A role that is required to work with user management in particular for retrieving
roles and user information.