-You can access all the views related to the security topics under the “Security” domain in the left side panel of the Administration workspace.



-Task Profiles

-Data Access Profiles (Member Access Profiles in .)

-From a functional perspective, the main changes in the security configuration are related to the new user experience which enables to improve the way to manage users, teams and profiles and also allows mass maintenance.

-From a technical perspective, the BPC security is roughly mapped to the SAP NetWeaver user management capabilities.


-List of all the users assigned to the environment.

-From this list, you can add or remove some users (multiple deletion is allowed).

-You can also edit a user. Multiple edition of users is allowed to enable to modify several users simultaneously (mass maintenance).

-You can see in this list the IDs of the users, their last and first names and also their email address.

-These properties are those from the NW users and cannot be changed in BPC.

User Management




From ., NW version is directly using NW user to logon BPC application from web client or excel client. Windows AD user or CMS users are no longer supported. In .,a user can either use windows AD user/password or CMS user/password on BPC logon screen, in BPC .,

NW user should be used instead. For upgrade cust windows AD user or CMS user) should be migrated, and all task profiles and data access profiles assigned to windows AD users (or CMS users) will be assigned to NW users instead after migration. To migrate user/security, a customer should create each windows AD user or CMS user a NW user, and create a : mapping between windows AD user (or CMS user) and NW user to enable migration.

For customers still using CMS, CMS side did some development for BPC . NW where customer can customize for each CMS user a NW user with which CMS user could directly logon to BPC application.

There are two roles parts to be assigned to a BPC business user in BW end Static assigned roles(/POA/BUI_FLEX_CLIENT and /POA/BUI_UM_USER) when each user is created in NW, both roles are required by BUI la Dynamic assigned roles when user is added to any environment or user is assigned with any BPC security task from admin console.

Please note that both part of roles are all backend NW roles, which should be transparent to BPC business users. BPC business users only have task profiles and data access profiles.

Task profile is really using NW authorization objects. While detail of data access profiles are really stored in BPC specific tables; same as what was done in.



If multiple users, you cannot manage this setting.

But, as for the teams, you can distinguish in this tab the teams to which all the edited users are assigned („All users‟ v From this tab, you can also use the “Ass edited users to a team.


In the “Task Profiles”singleusertab,you can see the case task of a profiles assigned to this user


But also through the teams he/she is assigned to Inherited”


In case of multiple users, you do not have this information of inherited task profiles. Same principle in this case, you can see the list of all the task profiles assigned to one user in the selection at least and distinguish those that are assigned to all the edited users.

Desired to gain proficiency on SAP BPC ?

Explore the blog post on SAP BPC training to become a pro in SAP BPC.

“Assign to all” in this tab enables also users.

You can of course add task profiles to assign them to all the selected users.


Team Management  Screenshot_228

-Here is the list of all the teams of the environment.

-From this list, you can create or delete a team (multiple deletion is allowed). You can also edit multiple teams simultaneously (mass maintenance).

-In addition to the ID and the description of the teams, you see how many users are assigned to each of them as well as the number of task profiles and data access profiles.


You can edit and change multiple teams simultaneously.

Only the common changes made during the edition will be applied to the set of teams (For example, all things that have not been changed in each team is kept).


In the “Users”the tab,list of all the you users assigned can see to the selection of teams.

You can add a new user that will therefore be assigned to all edited teams.

See the value„All   teams‟  in   the   “Assign

In the same way, you can assign a set of task profile to the selection of teams.


Same principle  as   in   theto”“Users”columntab.   for

If a task profile is assigned to all the edited teams è „All teams‟ valu

If a task profile is not assigned to all the edited teams è „Some teams on value.

In this case, “Assign to all” function edited teams.


Here is the list of all the task profiles created in the environment.


Exactly the same behavior as in the “Users” and “ in the “Data tabAccess. Profiles”Screenshot_235Screenshot_236

Click  the  “Add”  buttonprofile.  to  create a  new  team

This command opens a wizard that enables to create a team through  distinct steps.

In the first step, you must specify an ID and you can also add a description (optional).


You can also select a node in the list to add all its tasks simultaneously to the selection. Multiple selection is also allowed for the nodes.



Data Access Profile Management



This command directly opens the data access profile editor.

You can set all the settings and configure the data access for all models in this page.

You must enter an ID and can add a description (optional).

In the left pane, are listed all the models of the environment and, for each of them you can see the current status of its access rights.

“None” means that access right can be sp dimensions are secured, but none has been defined or completed yet.

“Restricted access” means that some acce the model.

“Full (Unsecured Model) means that there are no secured dimensions in this model. Therefore, unable to specify any access rights for this model.



If no hierarchy exists it is a flat list.



For indepth understanding click on