1. Security Management Logic

Security Management is split by Role and Scope depending on the object you want to give users access to.

1.1 Role

One user needs to have at least one role (but can have multiple ones).
The role is a user group.
The objective is to give access to Workspaces (Remote and/or Web), Models, Shortcuts.
The list of roles by GBU has been defined and should not change frequently.
For example: two users can be Sales Manager for one GBU - they will see the same workspaces, shortcuts, models... The process will be identical.

1.2 Scope

One user needs to have one scope/perimeter only (in order to avoid conflict/blocking between several users.)
The scope is a user group.
The objective is to give access to a specific list of DFUs or any other dimension (depending on an aggregated level).
The scope is changing frequently depending on the Commercial Team organization in SAP/GBU.
For example: two users can be Sales Managers for one GBU but with two different scopes - they will be able to work on the same workspace at the same time on a different set of DFUs.

2. Security by GBU

The logic and best practices are to:

Use exclusively User Groups “Role” to set-up Models security - no exception for user group scope;
Set-up security at the highest level of the structure: set-up will be inherited at each disaggregated level;
Apply “deny” when data is not used for this user role, by Models - never at a more detailed level (and in the opposite way, apply "Allow" when data is used for the user role).

If a business request can’t follow these rules, a new user group "role" needs to be created - no exception can be applied.

As explained above, security is applied based on GBU and role. Here is the summary of GBU roles list.

GBU	Data base	Role	Scope	Model security	User profile	Type of access
AROMA PERFORMANCE	DP1	Demand Planner	Zone		Global Planner	Remote
		Sales Rep.	Sales group code (WP1) Account Manager code (PF1)		Collaborator	Remote (Migration to web in progress)
		Global Key Account Manager	GBU Ship-To Group name/code		Viewer	Remote (Migration to web in progress)
NOVECARE	DP3	S&OP Manager	Windows Login + set-up by Main Shipping plant / Main Production plant	U00 - Impot - IN U99 - Export - OUT x. Supersession x. Master Tables Update x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Global Planner	Remote
		Sales Manager	Sales group code (WP1) Account Manager (PF1)	U00 - Impot - IN x. Supersession x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Collaborator	Web
		Sales Assistant (CSR - Customer Service Representative)	ZI Partner code (WP1) CSS Representative code (PF1)	U00 - Impot - IN x. Supersession x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Collaborator	Web
		Global Key Account Manager	Ship-To KA name/code	U00 - Impot - IN x. Supersession x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Viewer	Web
		RMD (Regional Market Director)	Zone and BfC Market	U00 - Impot - IN x. Supersession x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Viewer	Web
		BDM (Business Development Manager)	Zone and BfC Market	U00 - Impot - IN x. Supersession x. Users Scope Management y. GBU - NOVECARE z. MTP / Commercial RoadMap z. Budget	Viewer	Web
TS	DP1	Demand Planner	BU	F01C-1. Material:Shipto@DC U00 - Import - IN x. Supersession x. Master Tables Update y. GBU - TS z. Budget z. Classification ABC z. CRM Opportunities/Quote z. Pricing management	Global Planner	Remote
		Product Manager	Material (updated manually through data field)	F01C-1. Material:Shipto@DC U00 - Import - IN x. Supersession x. Master Tables Update y. GBU - TS z. Budget z. Classification ABC z. CRM Opportunities/Quote z. Pricing management	Collaborator	Web
		Sales Employee	Sales Employee Code	F01C-1. Material:Shipto@DC U00 - Import - IN x. Supersession x. Master Tables Update y. GBU - TS z. Budget z. Classification ABC z. CRM Opportunities/Quote z. Pricing management	Collaborator	Web
		RSD	No condition (list of Sales Rep. through users group)	F01C-1. Material:Shipto@DC U00 - Import - IN x. Supersession x. Master Tables Update y. GBU - TS z. Budget z. Classification ABC z. CRM Opportunities/Quote z. Pricing management	Collaborator	Web
		Pricing Team	Full GBU (no condition)	F01C-1. Material:Shipto@DC U00 - Import - IN x. Supersession x. Master Tables Update y. GBU - TS z. Budget z. Classification ABC z. CRM Opportunities/Quote z. Pricing management	Collaborator	Remote

3. Examples

Here are some examples on concrete cases, raised by tickets through the years.

3.1 Example #1 - Simple

For ex: for a Sales Employee of a given GBU

#	Description	Screenshot
1	right click the master table Sales Employee ID, then click Security, In the Advanced security tab, for each user group, associate the conditions to the corresponding user groups,
2	right click the master table Material:shipto@DC, click Security, In the Advanced security tab, for each user group, associate the conditions to the corresponding user groups,

3.2 Example #2 - Complex

#	Description	Screenshot	Reference view
Problem Reporting!
1	user SANTOSMA all black view while open the work space,
Trouble Shooting!
2	The grid view has a split on dimension Material:Shipto@DC into Country Ship-To Sold-To Material and the original data field dimension, Material:Shipto@DC
3	If you connect as the user into the rich client and right click => Configure on the view, you can check which one is empty (the one with /) :
4	The problem is on Material : the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes' :
5	User belongs to those groups :
6	The only group having a security configured on the master table 'Material' is TS - US / Marcio Santos, with the visibility condition 'GBU - SA&D' Finally, a right click => hierarchy view (with a super user account) on the master table 'Material' shows that there is no intersection between the combination of the conditions used to filter the grid and the condition of visibility :
7	select here the 3 conditions (pressing control key allows to multiple select them) :
8	And we can see that no material fulfills the 3 conditions :
Fix!
9	The problem is on Material : the view has a filter on Material, on condition 'GBU - TS: Yes & Planned Material \| TS : Yes' : The only group having a security configured on the master table 'Material' is TS - US / Marcio Santos, with the visibility condition 'GBU - SA&D' To remove the condition 'GBU - SA&D' in Material table associated with user group TS - US / Marcio Santos

4. Useful documentation

EN MODELING Demand Planning 2018 (3).pdf