Administration Guide for SAP Profitability and Performance

Administration Guide | PUBLIC

2024-08-27

Administration Guide for SAP Protability and

Performance Management Cloud

THE BEST RUN 

Content

1 Administration Guide for SAP Protability and Performance Management Cloud............3

1.1 Account Setup...............................................................3

Prepare the Global (Enterprise) Account..........................................3

Create a Subaccount........................................................4

Prepare Entitlements........................................................6

Subscription..............................................................7

1.2 User Management............................................................ 8

Roles for SAP Protability and Performance Management Cloud.........................9

Build Role Collections.......................................................15

Build User Attribute Roles....................................................16

Assign Role Collections to Users or User Groups....................................17

Congure the Identity Provider (IdP) and Set Up Authentication.........................18

Create User Groups and Assign Users to Groups in the Identity Provider (IdP ).............. 20

1.3 Administration Applications.....................................................20

1.4 Data Protection and Privacy.....................................................20

Glossary................................................................21

User Consent............................................................ 23

Read Access Logging.......................................................23

Information Report........................................................ 24

Change Log..............................................................24

Deletion of Personal Data....................................................25

1.5 Security...................................................................25

Network and Communication Security...........................................25

Trusted Certicate Authentication..............................................25

Data Encryption Strategy....................................................26

Rate Limiting.............................................................26

Auditing and Logging Information..............................................30

Backup and Recovery.......................................................33

Data Protection and Privacy..................................................33

Identity and Access Management..............................................33

1.6 Important Disclaimers and Legal Information........................................ 33

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Content

1 Administration Guide for SAP

Protability and Performance

Management Cloud

About this Guide

This guide is the central source of information for the technical implementation of SAP Protability and

Performance Management Cloud. It contains the following sections:

• Account Setup [page 3]

• User Management [page 8]

• Congure the Identity Provider (IdP) and Set Up Authentication [page 18]

• Data Protection and Privacy [page 20]

• Security [page 25]

1.1 Account Setup

This section describes the steps you need to perform to set up an account for SAP Protability and

Performance Management Cloud. To ensure a successful subscription process, follow the sections below in

the specied order:

1. Prepare the Global (Enterprise) Account [page 3]

2. Create a Subaccount [page 4]

3. Prepare Entitlements [page 6]

4. Subscription [page 7]

1.1.1Prepare the Global (Enterprise) Account

There are the following types of global accounts that you can use to subscribe to SAP Protability and

Performance Management Cloud:

• Customer account

This is a global account type where you can host your productive applications with 24x7 support. For more

information, see section Sign up for a Customer Account in Getting a Global Account.

• Partner account

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 3

This is global account type where your company is then certied by SAP to be an ocial SAP Partner. For

more information, see section Join the Partner Program in Getting a Global Account.

Note

Subscription to SAP Protability and Performance Management Cloud is only available on non-trial global

accounts.

1.1.2Create a Subaccount

It is important to have a subaccount or a Software as a Service (SaaS) tenant as part of the feature set B in the

prepared global account to subscribe to SAP Protability and Performance Management Cloud.

For more information, see the Subaccounts section in Account Model and Create a Subaccount [Feature Set B]

in Create a Subaccount.

Prerequisites

• You have logged in to SAP BTP Cockpit such as https://emea.cockpit.btp.cloud.sap/

• You have a non-trial global account for feature set B.

• SAP Protability and Performance Management Cloud has been entitled in the global account.

• Your user should have a “Global Account Administrator” role assigned to see the Create button.

Procedure

1. In the global account’s navigation menu, choose Account Explorer.

2. Choose

Create Subaccount .

3. A popup window is displayed where you can maintain the following attributes:

Attribute

Denition and Examples

Display Name Subaccount name, such as “MY-SUBACCOUNT”.

4 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Attribute Denition and Examples

Region Hyperscaler and region where your subaccount shall be

created.

Note

You can only subscribe to SAP Protability and

Performance Management Cloud in specic regions.

You can choose from the following regions:

Amazon Web Services (AWS)

•

Australia (Sydney); cf-ap10

•

Brazil (São Paulo); cf-br10

•

Canada (Montreal); cf-ca10

•

Europe (Frankfurt); cf-eu10

•

Europe (Frankfurt); cf-eu11 (EU access only)

•

Japan (Tokyo); cf-jp10

•

South Korea (Seoul); cf-ap12

•

U.S. East (VA); cf-us10

Microsoft Azure

•

Australia (Sydney); cf-ap20

•

Europe (Netherlands); cf-eu20

•

Singapore; cf-ap21

•

U.S. East (VA); cf-us21

•

U.S. West (Washington); cf-us20

Google Cloud Platform (GCP)

•

U.S. Central (IA); cf-us30

•

EU Central (Frankfurt); cf-eu30

Alibaba Cloud

•

China (Shanghai); cf-cn40

Subdomain

The subdomain needs to be part of your URL.

Example

For example, if your EU10 subaccount has been as-

signed with subdomain “papm-yourcompanyname”,

then your SAP Protability and Performance

Management Cloud application is reachable via the

following URL:

https://papm-yourcompany-

name.eu10.papm.cloud.sap

Description

Optional documented information to easily identify the

created subaccount.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 5

Attribute Denition and Examples

Parent Your created global account. Ensure that the global ac-

count is a non-trial account.

Tip

For the Display Name and Subdomain elds, add a sux with your company name at the end of the

subdomain, and dene the display name and the subdomain name in such a way that you can easily

identify your subaccount.

4. Choose Create.

1.1.3Prepare Entitlements

An entitlement is your right to subscribe to a service. Therefore, it is important to ensure that the subaccount

created is entitled for SAP Protability and Performance Management Cloud.

Prerequisites

• A created subaccount in one of the listed SAP Protability and Performance Management Cloud regions

exists.

• Your user should have the “Global Account Administrator” role assigned to see the Congure Entitlement

button.

Procedure

1. In the subaccount’s navigation menu, choose Entitlements.

2. Search for “SAP Protability and Performance Management Cloud”.

3. In case the search does not produce any results, follow the steps below:

1. Choose

Congure Entitlements Add Service Plans .

2. In the popup window, search for “SAP Protability and Performance Management Cloud”.

3. Choose from the available plans:

Plan

Default (Application) Choose this option to entitle the subaccount to

subscribe to SAP Protability and Performance

Management Cloud.

6 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Plan

Workbook Optionally, choose this option to entitle the subaccount

to use the workbook service from SAP Protability and

Performance Management Cloud. For example, to call

the workbook application via API in SAP Protability

and Performance Management 3.0’ Workbook Adapter.

Default

Optionally, choose this option to entitle the subac-

count to use the services from SAP Protability and

Performance Management Cloud. For example, to call

the application via API in SAP Analytics Cloud Multi Ac-

tion.

4. Choose Add Service Plans.

5. You are redirected to the Entitlement screen. Choose Save.

1.1.4Subscription

Performing a subscription process is a prerequisite for being able to use the SAP Protability and Performance

Management Cloud application.

Note

Once you've successfully subscribed to SAP Protability and Performance Management Cloud, you are

entitled to use Standard Model and component Universal Model. To enable Universal Model, you need to

open a customer incident via LOD-PER-ACE.

Prerequisites

• A created subaccount with SAP Protability and Performance Management Cloud entitlement exists.

• Your user should have a “Subaccount Administrator” role to subscribe to a service.

Procedure

1. In the subaccount’s navigation menu, choose Instance and Subscriptions.

2. Choose Create.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 7

3. Provide the information below in the displayed popup window:

Attribute Value

Service Choose “SAP Protability and Performance Management

Cloud”.

Plan Choose “Default (Subscription)”.

Caution

The dropdown list also provides the option “Default

(Service)”. Make sure you select “Default (Subscrip-

tion)”.

4. Choose Create.

5. In the Subscriptions Application section, you can see the progress of the subscription (“In

Progress”). Monitor the progress until the status changes to “Subscribed”.

6. Once the status has changed to “Subscribed”, take note of the application URL and provide it to your end

users.

Related Information

SAP Protability and Performance Management Cloud: Subscription & Decommission

1.2 User Management

This section provides an overview of the role templates and guidance on how to create role collections and user

attributes. It also contains an introduction to the Identity Provider.

The following sections are available:

• Role Template Overview [page 9]

• Creation of Role Collections [page 15]

• Creation of UserAttribute Roles [page 16]

• Assignment of Role Collections to Users or User Groups [page 17]

• Conguration of Identity Provider [page 18]

• Creation of User Groups and Assignment of Users to Identity Provider Group [page 20]

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

1.2.1Roles for SAP Protability and Performance

Management Cloud

Upon subscription, the role templates listed below are available in SAP Business Technology Platform (SAP

BTP) under Navigation Menu Roles . has two main applications, that is, Standard Model and Universal

Model. You can see the role templates that are released for each model below.

Role Templates for Standard Model

The Standard Model provides the following main SAP Business Technology Platform role templates (*_ALL)

that need to be assigned to a Standard Model user to access the application sections:

Home Section

Role

Description

ENVIRONMENTS

Allows users to manage and access the Environment screen.

Users assigned to this role can create, read, update, and

delete an environment or node.

ENVIRONMENTS_READ

Grants users read-only access to the Environment screen.

ENVIRONMENTS_COMPARE

Allows users to compare environments models with read

access only.

Modeling Section

Role

Description

MODELING_USER_ALL

Allows users to focus on broadening modeling activities.

MODELING_USER_DISP

Allows users to focus on displaying the modeling screen with

the rights to run particular functions, including show and

analyze options. Model updates are not allowed.

MODELING

Allows users to perform the conguration of all entities in the

Modeling screen.

MODELING_READ

Grants users read access without the ability to make

changes to the Modeling screen. User assigned to this role

only have the right to run particular functions, including

show and analyze options.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 9

Processing and Reporting Section

Role Description

EXECUTION_USER_ALL

Allows users to focus on Process Management, Report

Management and Business Event Management. In contrast

to the role EXECUTION_MAN_ALL, the rights of this role are

limited to initiating basic actions, such as run, submit, ap-

prove, and reject.

Restriction

The following exemptions apply in the Process

Management application in case a user has the

EXECUTION_USER_ALL role assigned, but is not part of

the reviewer/performer group of the activity:

•

If no teams are assigned to the performer or re-

viewer team of the activities, everyone can see and

run all activities.

•

If a user is part of the performer team for at least

one activity, all activities are visible to that user.

However, these users can then only perform or run

the activity they are part of.

•

If a user is part of the reviewer team for at least one

activity, all activities are visible to that user. How-

ever, these users can then only review the activity

they are part of.

•

If an activity has no team assigned, everyone can

see the whole process and activities.

The following exemptions apply in the Business Event

Management application in case a user has the

EXECUTION_USER_ALL role assigned, but is not part of

the reviewer/performer group of the activity:

•

The Show, Analyze, and Visualize buttons for the

input/output activity are disabled.

•

The Run and Restart buttons for the execution ac-

tivity are disabled.

•

You cannot edit the Type and Description elds.

EXECUTION_MAN_ALL

Allows users to focus on Process Management and Report

Management with extended rights. They can, for example,

create new process instances and manipulate activities.

They also have access to the Business Event Management

screen.

REPORT_TEMPLATES

Allows users to access edit report templates on the Report

Management screen.

REPORT_TEMPLATE_READ

Grants read access to report templates on the Report

Management screen.

10 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Role Description

REPORTS

Allows users assigned to this role to access the edit reports

instance on the Report Management screen.

REPORTS_READ

Grants read access to the report instance on the Report

Management screen.

PROCESSES_OWN

Grants read and action access, for example, reviewing and

executing user’s own processes in the Process Management

screen.

PROCESSES_ALL

Grants all authorization to manage processes in the Process

Management screen.

BUSINESS_EVENTS

Allows users to manage business events in the Business

Event Management screen.

BUSINESS_EVENTS_READ

Grants read access to business events in the Business Event

Management screen.

Administration Section

Role

Description

ADMIN_USER_ALL

Grants full access to all administration screens:

•

Teams

•

Users

•

Environments Access

•

Content Management

•

Connections

•

Settings

•

Provision

ADMIN_USER_RESTRICTED

Grants an administrator role with full rights on administra-

tion screens with the exception of the Provisioning screen.

TEAMS

Grants full access to manage teams. Users assigned to this

role can create, read, edit, and delete teams and users in the

Team Management screen.

TEAMS_READ

Grants read access to the Team Management screen.

USERS

Allows users to create, read, edit, and anonymize teams and

users in the User Management screen.

USERS_READ

Grants read access to the User Management screen.

ENVIRONMENTS_ACCESS_ALL

Allows users to display the Environment Access Management

screen, where they can grant or restrict other user groups

the access to all environments.

CONTENTS

Allows users to access the Content Management screen.

They can upload, import, export, edit, and delete ZIP les

inside the Content Management screen.

CONTENTS_READ

Grants read access to the Content Management screen.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 11

Role Description

CONNECTIONS

Grants read and action access, for example, create, read,

edit, and delete connections in the Connection Management

screen.

CONNECTIONS_READ

Grants read access to the Connection Management screen.

SETTINGS

Grants read and action access, for example, editing the URLs

in the Administration Settings screen.

SETTINGS_READ

Grants read access to the Administration Settings screen.

PROVISIONING

Allows users to recongure the size values of the current

running application in the Provision screen.

Systems Section

Role

Description

SYSTEM_USER_ALL

Grants full access to all system monitor screens:

•

Application Monitor

•

Process Monitor

•

Comment Monitor

•

Process Scheduler

•

Modeling History

APPLICATION_MONITOR_READ

Grants read access to the Application Monitor screen.

PROCESS_MONITOR

Grants access to the Process Monitor screen and allows

users to terminate running processes.

PROCESS_MONITOR_READ

Grants read access to the Process Monitor screen.

COMMENT_MONITOR

Allows users assigned to this role to erase comments in the

Comment Monitor screen.

COMMENT_MONITOR_READ

Grants read access to comments in the Comment Monitor

screen.

PROCESS_SCHEDULER

Grants all authorization to create, copy, read, and delete

process schedules in the Process Scheduler screen.

PROCESS_SCHEDULER_READ

Grants read access to process schedules in the Process

Scheduler screen.

MODELING_HISTORY

Allows user assigned to this role to manage the modeling

history, for example, deleting all types of modeling history

entry.

MODELING_HISTORY_READ

Grants read access to the Modeling History Monitor screen.

DATA_CHANGE_LOG

Grants read and maintain access to data change logs,

which includes deleting logs in the Data Change Log Monitor

screen.

DATA_CHANGE_LOG_READ

Grants read access to the Data Change Log Monitor screen.

12 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Role Templates for Universal Model

Universal Model provides the main SAP Business Technology Platform role templates (*_ALL) that need to

be assigned to a Universal Model user to access the application sections. Universal Model also provides

specialized role templates specic to an application that can be combined with reader and/or writer teams. For

more information about reader and writer teams, see Manage Teams and Build User Attribute Roles [page 16].

Below you nd an overview of all available roles for the Universal Model:

Model Section

Role

Description

MODEL_ALL

Grants all authorizations to manage the Model section appli-

cations, such as environments, and all main design objects

within, including elds, functions, and so on.

MODEL

Grants read and/or write access to selected environments

and dependent objects within, including elds, functions,

and so on, where the environment has assigned reader

and/or writer teams that match the user’s assigned teams.

MODEL_READ

Grants read access to selected environments and dependent

objects within, including elds, functions, and so on, where

the environment has assigned reader and/or writer teams

that match the user’s assigned teams.

Process Section

Role

Description

PROCESS_ALL

Grants all authorizations to manage the Process section ap-

plications, such as processes, activities, teams, layouts, and

so on.

PROCESS

Grants read and/or write access to selected processes,

where the process has assigned reader and/or writer teams

that match the user’s assigned teams. In addition, it pro-

vides read and write access to all standalone activities and

activities created for the process the user has access based

on the assigned teams.

PROCESS_READ

Grants read access to selected processes, where the proc-

ess has assigned reader and/or writer teams that match the

user’s assigned teams. In addition, it provides read access to

all standalone activities and activities created for the proc-

ess the user has access to, based on the assigned teams.

ACTIVITY

Grants read and action access to selected activities, where

the activity has assigned reader and/or writer teams that

match the user’s assigned teams.

ACTIVITY_READ

Grants read access to selected activities, where the activity

has assigned reader and/or writer teams that match the

user’s assigned teams.

TEAM

Grants read and maintain access to all teams.

TEAM_READ

Grants read access to all teams.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 13

Role Description

LAYOUT

Grants read and maintain access to all layouts.

LAYOUT_READ

Grants read access to all layouts.

DATAPRIVILEGE

Grants read and maintain access for data privileges.

DATAPRIVILEGE_READ

Grants read access for data privileges.

DATALOCK

Grants read and maintain access to data locks.

DATALOCK _READ

Grants read access to data locks.

Report Section

Role

Description

REPORT

Grants access to the Edit Reports feature on the Manage

Reports application screen.

REPORT_READ

Grants read access to the reports on the Manage Reports

application screen.

REPORT_ALL

Grants all authorizations (edit, delete and read) for both ap-

plications Manage Reports and Manage Pages.

PAGE

Grants access to the Edit Pages feature on the Manage Pages

application screen.

PAGE_READ

Grants read access to the pages on the Manage Pages appli-

cation screen.

System Section

Role

Description

SYSTEM_ALL

Grants all authorizations to manage the System section ap-

plications, such as event logs and comments.

EVENTLOG

Grants read and action access to all event logs.

EVENTLOG_READ

Grants read access to all event logs.

COMMENT

Grants read and action access to all comments.

COMMENT_READ

Grants read access to all comments.

CHAT

Grants read and action access to chats and chat prompts.

CHAT_READ

Grants read access to chats and chat prompts.

USER

Grants read and action access to user settings.

USER_READ

Grants read access to user settings.

Administration Section

Role

Description

ADMINISTRATION_ALL

Grants all authorizations to manage the Administration sec-

tion applications, such as containers, tenant connections,

and archives.

14 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Role Description

TENANTSETTING

Grants read and action access to all tenant settings.

TENANTSETTING_READ

Grants read access to all tenant settings.

TENANTCONNECTION

Grants read and action access to all tenant connections.

TENANTCONNECTION_READ

Grants read access to all tenant connections.

CONTAINER

Grants read and action access to all containers.

CONTAINER_READ

Grants read access to all containers.

ARCHIVE

Grants read and action access to all archives.

ARCHIVE_READ

Grants read access to all archives.

Teams-Related Roles

Role

Description

Attributes of a User Grants authorization to a specic reader or writer team cre-

ated via the Manage Teams application. For more informa-

tion on how to map teams to a user attribute, see Build User

Attribute Roles [page 16].

1.2.2Build Role Collections

To assign the role templates to specic users, it is mandatory to dene role collections that in the end must be

assigned to certain users who are given access to SAP Protability and Performance Management Cloud.

Prerequisites

• Your user must have a “Subaccount Administrator” role assigned to see the Create New Role Collection

button.

• Ensure that SAP Protability and Performance Management Cloud is successfully subscribed in your

tenant.

• Ensure that the role templates are visible in

SAP BTP Navigation Menu Roles . For more

information, see Roles for SAP Protability and Performance Management Cloud [page 9].

Procedure

1. In the subaccount’s navigation menu, choose Role Collections.

2. Choose  (Create New Role Collection).

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 15

3. Provide the following information in the popup window displayed:

Attribute Value

Name Assign a role collection name, for example,

“SAP_PAPM_MODEL”.

Description Assign any description, for example, “SAP PAPM Modeling

Users”.

4. Choose Create.

5. Once created, choose the created role collection where you can assign upon choosing Edit.

Attribute

Value

Roles Assign selected role templates and user attributes (teams)

mentioned in Roles for SAP Protability and Performance

Management Cloud [page 9].

Users Optionally, you can assign users via a role collection. This is

ideal when adding multiple users to a specic role collection.

User Groups To assign a user group or attribute mapping to a role collec-

tion, an active identity provider is mandatory.

Attribute Mappings

Reference

For more information about maintaining role collections, see SAP Business Technology Platform Maintain Role

Collections.

1.2.3Build User Attribute Roles

To assign Universal Model teams to specic user it is important to create a user attribute.

Prerequisites

• Ensure that Universal Model is activated in your tenant.

• A created role collection is available to be used.

Procedure

1. In the subaccount’s navigation menu, choose Roles.

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

2. Search for the following:

• Application Name = “ace-ACE-live-prod”

• Role Template = “userattributes”

3. Choose, Create Role.

4. In the popup window, follow the steps below:

1. Congure Role

Attribute

Value

Role Name Assign any role name, for example, “Team HR”.

Description Assign any description, for example, “Team created for

HR Department”.

Role Template Displays the selected role template “userattributes”

(cannot be adjusted).

2. Congure Attributes

Attribute

Source Values

Teams Choose “Static” to map the

Universal Model team to an attrib-

ute.

For more information about the op-

tions, see SAP Business Technology

Platform Attributes.

For Universal Model teams, ensure

that the team has been created

in Manage Teams, for example,

“TEAM_HR”.

Note

It is important to press Enter

upon assigning a team prior

choosing Next.

3. Select Role Collections

You need to choose an existing role collection as noted in the Prerequisites section.

4. Review

Review your conguration, then choose Finish.

1.2.4Assign Role Collections to Users or User Groups

For more information about assigning role collections to users or user groups using the SAP BTP cockpit, see

Maintain Role Collections.

If you are using the SAP ID service, you need to assign users to role collections directly. For more information,

see Assign Users to Role Collections.

If you are using Identity Authentication or your existing non-SAP SAML 2-compliant identity provider, you can

either assign users to role collections directly or map role collections to user groups. For more information

about mapping role collections to user groups, see Map Role Collections to User Groups. In the <value> eld,

provide the name of the user group that you previously created in your identity provider.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 17

1.2.5Congure the Identity Provider (IdP) and Set Up

Authentication

By default, SAP BTP tenants are congured with the SAP ID service as the identity provider. Business

users who have an SAP ID service account (https://accounts.sap.com/ ) and who are authorized for SAP

Protability and Performance Management Cloud can log on using their email address and password.

We recommend that you use one of the following options for productive scenarios:

• Identity Authentication

If you already have an Identity Authentication tenant provided with another product, you can use this

as your identity provider for SAP Protability and Performance Management Cloud. If you have SAP

S/4HANA Cloud, it is best to attach the SAP Protability and Performance Management Cloud tenant

to the same identity provider that you are using for SAP S/4HANA Cloud. As a result, you do not have

to log on when switching between SAP S/4HANA Cloud screens and SAP Protability and Performance

Management Cloud screens.

• An SAML 2-compliant non-SAP identity provider that you are already using

If you choose to use SAP ID service, note the following limitations:

• User registration is self-service. You therefore cannot provide users with an SAP ID service identity

provider or lock users (for example, if their responsibilities within the company change or they leave

the company).

• You cannot create user groups to simplify the assignment of role collections.

• You cannot congure single sign-on to work with other applications controlled by your existing identity

provider. This means that you cannot congure IdP proxying.

1.2.5.1 Establish Mutual Trust Between the Subaccount

(UAA) and the Identity Provider (IdP)

Note

This section does not apply to the SAP ID service because trust is precongured on the SAP Business

Technology Platform by default. If you are using SAP ID service as your Identity Provider (IdP), you can skip

this section.

For Identity Authentication or your existing non-SAP SAML 2-compliant identity provider, you need to establish

mutual trust between your subaccount's UAA (SAML2 service provider) and your identity provider. To do

this, you need to upload the corresponding XML metadata les. This process varies depending on the IdP

implementation used.

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Procedure

Proceed as follows to establish trust from the UAA to your identity provider (Identity Authentication or your

existing non-SAP SAML 2-compliant identity provider):

• If you are using Identity Authentication, you can nd more information under Establish Trust with an SAML

2.0 Identity Provider in a Subaccount in Manually Establish Trust and Federation Between UAA and Identity

Authentication.

• If you are using your existing non-SAP SAML 2-compliant identity provider, you can nd more information

underEstablish Trust with Any SAML 2.0 Identity Provider in a Subaccount in Establish Trust and Federation

with UAA Using Any SAML Identity Provider.

Proceed as follows to establish trust from your identity provider (Identity Authentication or your existing

non-SAP SAML 2-compliant IdP) to the UAA:

1. Check the metadata (including public key) of your tenant's UAA (service provider) under:

• https://<subdomain>.authentication.eu10.hana.ondemand.com/saml/metadata or

• https://<subdomain>.authentication.us10.hana.ondemand.com/saml/metadata.

Note

Replace the <subdomain> placeholder with the subdomain names you dened for your test account

and productive account.

2. If you are using Identity Authentication:

1. Follow the procedure described under Register SAP BTP Subaccount in the SAML 2.0 Identity Provider

in Manually Establish Trust and Federation Between UAA and Identity Authentication.

2. Choose a name for the application when you add it as an application to the Identity Authentication

Service.

3. Under Assertion Attribute Name for the Groups user attribute, enter groups in title case.

If you are using your existing non-SAP SAML 2-compliant ID:

1. Follow the procedure described under Register SAP BTP Subaccount in Any SAML 2.0 Identity Provider

in Establish Trust and Federation with UAA Using Any SAML Identity Provider.

2. Under Assertion Attribute Name for the Groups user attribute, enter groups in title case.

1.2.5.2 Subscribe the SaaS Tenant to SAP Protability and

Performance Management Cloud

To work with SAP Protability and Performance Management Cloud, you need to subscribe to the SAP

Protability and Performance Management Cloud application in your subaccount in the SAP BTP cockpit.

Proceed as described in Subscribe to Multitenant Applications Using the Cockpit.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 19

1.2.6Create User Groups and Assign Users to Groups in the

Identity Provider (IdP )

After you have subscribed to the relevant SAP Protability and Performance Management Cloud tenant, you

can assign role collections to these users and user groups in the SAP BTP cockpit.

Procedure

To create users and user groups, proceed as follows:

• If you are using Identity Authentication:

• If you already have a user group for administrators and a user group for key users, use them.

• If you do not already have these two groups, create them under

Users & Authorizations User

Groups

• If you need to create new users, create them under Users & Authorizations User Management .

Afterwards, nd the users under User Management and assign them to the groups. It is not possible to

open a group and assign users to it.

• If you are using your existing non-SAP SAML 2-compliant identity provider, refer to the information

provided by your identity provider.

• If you are using SAP ID service, see Create SAP User Accounts.

1.3 Administration Applications

Within SAP Protability and Performance Management Cloud, it is important that administrators log in to the

application and perform various activities related to administrators, such as data archiving, export or import

of an environment, and so on. In the Application Help, you nd more information about the administration-

specic applications.

Model

Application Help Link

Standard Model Go to section Administration in Applications for Business

Users.

Universal Model Administration

1.4 Data Protection and Privacy

Data protection is associated with numerous legal requirements and privacy concerns. In addition to

compliance with general data protection and privacy acts, it is necessary to consider compliance with industry-

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

specic legislation in dierent countries. SAP provides specic features and functions to support compliance

with regard to relevant legal requirements, including data protection. SAP does not give any advice on whether

these features and functions are the best method to support company, industry, regional, or country-specic

requirements. Furthermore, this information should not be taken as advice or a recommendation regarding

additional features that would be required in specic IT environments. Decisions related to data protection

must be made on a case-by-case basis, taking into consideration the given system landscape and the

applicable legal requirements.

Note

SAP does not provide legal advice in any form. SAP software supports data protection compliance by

providing security features and specic data protection-relevant functions, such as simplied blocking and

deletion of personal data. In many cases, compliance with applicable data protection and privacy laws will

not be covered by a product feature. Denitions and other terms used in this document are not taken from

a particular legal source.

The possibility of sensitive data being processed in SAP Protability and Performance Management Cloud

depends on your specic implementation. You decide what kind of data can be processed by SAP Protability

and Performance Management Cloud. It is strongly recommended that you do not feed personal data into

SAP Protability and Performance Management Cloud. If you still choose to process personal data, we

recommend that you depersonalize (pseudonymize/anonymize) the data on your own before feeding it into

SAP Protability and Performance Management Cloud. You should enforce secure access to data using the

authorization concept described in the earlier sections. We strongly recommend that you run the temporary

table data deletion report on a regular basis to clear data from the SAP Protability and Performance

Management Cloud temporary tables.

If you process personal data in any way, you need to make sure that you operate SAP Protability and

Performance Management Cloud in compliance with the relevant data privacy regulations, particularly,

requirements like personal data consent management, personal data read access logging, information about

existing personal data, logging changes to personal data, and erasure of personal data.

Related Information

Data protection and privacy in SAP HANA Cloud

1.4.1Glossary

Term

Denition

Blocking A method of restricting access to data for which the primary

business purpose has ended.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 21

Term Denition

Consent The action of the data subject conrming that the usage

of his or her personal data shall be allowed for a given pur-

pose. A consent functionality allows the storage of a consent

record in relation to a specic purpose and shows if a data

subject has granted, withdrawn, or denied consent.

Data subject

An identied or identiable natural person. An identiable

natural person is one who can be identied, directly or in-

directly, in particular by reference to an identier such as

a name, an identication number, location data, an online

identier or to one or more factors specic to the physical,

physiological, genetic, mental, economic, cultural, or social

identity of that natural person.

Deletion

Deletion of personal data so that the data is no longer availa-

ble.

End of business (EoB) Date where the business with a data subject ends, for exam-

ple, the order is completed, the subscription is canceled, or

the last bill is settled.

End of purpose (EoP) End of purpose and start of blocking period. The point in

time when the primary processing purpose ends, for exam-

ple, a contract is fullled.

End of purpose (EoP) check A method of identifying the point in time for a data set when

the processing of personal data is no longer required for the

primary business purpose. After the EoP has been reached,

the data is blocked and can only be accessed by users with

special authorization, for example, tax auditors.

Personal data

Any information relating to an identied or identiable natu-

ral person (a data subject).

An identiable natural person is one who can be identied,

directly or indirectly, in particular by reference to an identi-

er such as a name, an identication number, location data,

an online identier or to one or more factors specic to the

physical, physiological, genetic, mental, economic, cultural,

or social identity of that natural person.

Purpose

The information that species the reason and the goal for

the processing of a specic set of personal data. As a rule,

the purpose references the relevant legal basis for the proc-

essing of personal data.

Residence period

The period of time between the end of business and the

end of purpose (EoP) for a data set during which the data

remains in the database and can be used in case of sub-

sequent processes related to the original purpose. At the

end of the longest congured residence period, the data is

blocked or deleted. The residence period is part of the over-

all retention period.

22 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Term Denition

Retention period The period of time between the end of the last business

activity involving a specic object (for example, a business

partner) and the deletion of the corresponding data, subject

to applicable laws. The retention period is a combination of

the residence period and the blocking period.

Sensitive personal data

A category of personal data that usually includes the follow-

ing type of information:

•

Special categories of personal data, such as data reveal-

ing racial or ethnic origin, political opinions, religious or

philosophical beliefs, trade union membership, genetic

data, biometric data, data concerning health or sex life

or sexual orientation.

•

Personal data subject to professional secrecy

•

Personal data relating to criminal or administrative of-

fenses

•

Personal data concerning insurances and bank or credit

card accounts

Where-used check (WUC)

A process designed to ensure data integrity in the case of

potential blocking of business partner data. The where-used

check (WUC) of an application determines if there is any de-

pendent data for a certain business partner in the database.

If dependent data exists, this means the data is still required

for business activities. Therefore, the blocking of business

partners referenced in the data is prevented.

1.4.2User Consent

SAP Protability and Performance Management Cloud uses data from operational source systems, or from

systems with permanent data stores that have actual data lifecycle management objects, and does not collect

any data directly. However, it allows to store email addresse maintained in the Teams and Users applications.

1.4.3Read Access Logging

Read access logging (RAL) is used to monitor and log read access to sensitive data. This applies for all personal

data, but not for email addresses. Data may be categorized as sensitive by law, by external company policy, or

by internal company policy. RAL enables you to answer questions about who accessed particular data within a

specied time frame.

The following are examples of some typical questions that might be asked:

• Who accessed the data of a given business entity (for example, a bank account)?

• Who accessed personal data, for example of a business partner?

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 23

• Which employee accessed personal information (for example, religion)?

• Which accounts or business partners were accessed by which users?

The data processed in SAP Protability and Performance Management Cloud is read from operational source

systems, or systems with permanent data stores that have actual data lifecycle management. SAP Protability

and Performance Management Cloud assumes that read access logging is implemented in these source

systems. If you need to track read access in the Cloud Foundry environment account of SAP Protability and

Performance Management Cloud, you need to congure RAL yourself.

Related Information

Change Logging and Read-Access Logging

Audit Log Retrieval API Usage for the Cloud Foundry Environment

1.4.4Information Report

Data subjects have the right to obtain information about their personal data being processed.

Since the data processed in SAP Protability and Performance Management Cloud is read from operational

source systems, or systems with permanent data stores that have actual data lifecycle management, SAP

Protability and Performance Management Cloud assumes that information reporting is implemented in these

source systems. Since SAP Protability and Performance Management Cloud has no permanent data storage,

the local temporary data is deleted regularly, and the calculated nal results data is written back to the source

systems, the assumption is that the information report has to be implemented in these source systems.

1.4.5Change Log

Personal data is subject to frequent changes. Therefore, for review purposes or as a result of legal regulations,

it may be necessary to track the changes made to this data. When these changes are logged, you should be

able to check which employee made which change, the date and time, the previous value, and the current

value, depending on the conguration. It is also possible to analyze errors in this way.

Logging changes to personal data is not relevant in SAP Protability and Performance Management Cloud

because data is read only from operational source systems, or systems with permanent data stores that have

actual data lifecycle management to SAP Protability and Performance Management Cloud for calculations or

processing. Regarding email adresses, SAP Protability and Performance Management Cloud provides change

logging and the option to lter, delete and anonymize email adresses.

Since SAP Protability and Performance Management Cloud has no permanent data storage, the local

temporary data is deleted regularly, and the calculated nal results data is written back to the source systems.

The assumption is that change logging has to be implemented in these source systems.

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

1.4.6Deletion of Personal Data

The processing of personal data is subject to applicable laws related to the deletion of this data when the

specied, explicit, and legitimate purpose for processing this personal data has expired. If there is no longer a

legitimate purpose that requires the retention and use of personal data, it must be deleted. When deleting data

in a dataset, all referenced objects related to that dataset must be deleted as well. Industry-specic legislation

in dierent countries also needs to be taken into consideration in addition to general data protection laws. After

the expiration of the longest retention period, the data must be deleted.

Data is read from source systems (which have data lifecycle management objects) into SAP Protability and

Performance Management Cloud for calculations or processing and the results are written back to these

systems. The deletion of personal data has to be performed in those source systems. For the data residing

in the temporary buer tables of SAP Protability and Performance Management Cloud, you need to run the

temporary table data deletion report, which clears data from the temporary tables of SAP Protability and

Performance Management Cloud (see Delete Temporary Data).

1.5 Security

This section provides an overview of the security-relevant information that applies to SAP Protability and

Performance Management Cloud.

For more information, see the Security section in the SAP Business Technology Platform documentation.

1.5.1Network and Communication Security

SAP Protability and Performance Management Cloud relies on the network and communication security

provided by the SAP Business Technology Platform.

For more information, see Transport Layer Security (TLS) Connectivity Support in the SAP Business

Technology Platform documentation.

1.5.2Trusted Certicate Authentication

SAP Protability and Performance Management Cloud relies on the trusted certicate authentication provided

by the SAP Business Technology Platform.

For more information, see Trusted Certicate Authentication in the SAP Business Technology Platform

documentation.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 25

1.5.3Data Encryption Strategy

SAP Protability and Performance Management Cloud relies on the data encryption strategy provided by the

SAP HANA Cloud service on SAP Business Technology Platform.

For more information, see Data Encryption in the SAP HANA Cloud, SAP HANA Database Administration Guide.

1.5.4Rate Limiting

This section informs you about the rate limitations in SAP Protability and Performance Management Cloud.

To protect SAP Protability and Performance Management Cloud from an overload of incoming requests,

rate limiting is in place. The limit applies per subaccount and on a more granular level for API requests per

authorization header.

The system applies a more restrictive rule at a given point in time. For example, incoming API calls for the

same endpoint with dierent JWT authorization headers for each request may not be limited by authorization

header-based limiting, but by the endpoint-related limit. Conversely, for the same JWT header, for one endpoint

the authorization header limit can apply rst since it is more restrictive. For more information, see the table

below.

Requests sent at a lower rate than the given limit are processed directly. For more information, see the limits in

the tables below.

When a limit is exceeded, the requests are queued and sent to SAP Protability and Performance Management

Cloud at a maximum rate. For more information, see the tables below. The response times can increase

because of the queuing.

If too many requests are queued so that the response time due to queuing exceeds a certain time, the

service sends an “HTTP 429 Too Many Requests” response status code. This response also contains the HTTP

Retry-After header, which indicates when the client can retry.

The rate limiting runs on dierent instances. Requests are forwarded based on the BTP Cloud Foundry

environment load balancing algorithm. Therefore, the requests to the rate limiting instances need to be equally

distributed.

Requests Based on User Interface

The requests are sent to the application when the user interacts with the application based on the graphical

user interface.

Endpoint or URL Description (includ-

ing subpaths, if applicable) Subaccount Limit per Instance Eect

https://<api-url>/

Up to 50 requests per second All requests are sent to the application

within one second.

26 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Endpoint or URL Description (includ-

ing subpaths, if applicable) Subaccount Limit per Instance Eect

https://<api-url>/

Exceeding 50 requests per second The requests are queued and then initi-

ated.

https://<api-url>/

Signicantly exceeding 50 requests per

second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

Requests ending with one of the follow-

ing suxes indicating the le type:

•

gif

•

jpg

•

jpeg

•

svg

•

css

•

wo2

•

wo

•

ttf

Up to 125 requests per second

All requests are sent to the application

at once.

Requests ending with one of the follow-

ing suxes indicating the le type:

•

gif

•

jpg

•

jpeg

•

svg

•

css

•

wo2

•

wo

•

ttf

Exceeding 125 requests per second

The requests are queued and then initi-

ated.

Requests ending with one of the follow-

ing suxes indicating the le type:

•

gif

•

jpg

•

jpeg

•

svg

•

css

•

wo2

•

wo

•

ttf

Signicantly exceeding 125 requests

per second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 27

Endpoint or URL Description (includ-

ing subpaths, if applicable) Subaccount Limit per Instance Eect

https://<application-url>/

<root>, where <root> is one

of the following page types:

•

webpages

•

shellpages

•

cnwebpages

•

provisionerwebpages

Up to 25 requests per second

All requests are sent to the application

at once.

https://<application-url>/

<root>, where <root> is one

of the following page types:

•

webpages

•

shellpages

•

cnwebpages

•

provisionerwebpages

Exceeding 25 requests per second

The requests are queued and then exe-

cuted.

https://<application-url>/

<root>, where <root> is one

of the following page types:

•

webpages

•

shellpages

•

cnwebpages

•

provisionerwebpages

Signicantly exceeding 25 requests per

second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

https://<application-url>/

<root>, where <root> is one

of the following:

•

provisionersrv

Up to 10 requests per second

All requests are sent to the application

within one second.

https://<application-url>/

<root>, where <root> is one

of the following:

•

provisionersrv

Exceeding 10 requests per second

The requests are queued and then initi-

ated.

https://<application-url>/

<root>, where <root> is one

of the following:

•

provisionersrv

Signicantly exceeding 10 requests per

second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

https://<application-url>/

<root>, where <root> is user-api

Up to 5 requests per second All requests are sent to the application

within one second.

https://<application-url>/

<root>, where <root> is user-api

Exceeding 5 requests per second The requests are queued and then exe-

cuted.

28 PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Endpoint or URL Description (includ-

ing subpaths, if applicable) Subaccount Limit per Instance Eect

https://<application-url>/

<root>, where <root> is user-api

Signicantly exceeding 5 requests per

second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

https://<application-url>/

<root>, where <root> matches

sap/opu/odata

Up to 50 requests (or 10 modifying re-

quests) per second

All requests are sent to the application

at once.

https://<application-url>/

<root>, where <root> matches

sap/opu/odata

Exceeding 50 requests (or 10 modifying

requests) per second

The requests are queued and then initi-

ated.

https://<application-url>/

<root>, where <root> matches

sap/opu/odata

Signicantly exceeding 50 requests (or

10 modifying requests) per second

An “HTTP 429 Too Many Requests” re-

sponse status code is sent.

Note

Requests sent from the user interface to the sap/opu/odata path are rst processed as incoming

user interface requests, and then forwarded to the respective API endpoint https://papm-cloud-

api.<domain>/sap/opu/odata. Hence, multiple rate limiting rules apply, that is, rst the user interface

related ones, followed by those for the API call.

API Requests

The requests are sent to the application when the user interacts with the application based on the API access.

For more information, see API Guide for SAP Protability and Performance Management Cloud.

Endpoint (including sub-

paths) API Limit per Instance

API + Authorization Header

Limit per Instance Eect

Up to 100 requests per sec-

ond

Up to 25 requests per second All requests are sent to the

API endpoint within one sec-

ond.

https://<api-url>/

Exceeding 100 requests per

second

Exceeding 25 requests per

second

The requests are queued and

then initiated.

https://https://<api-

url>/

Signicantly exceeding 100

requests per second

Signicantly exceeding 25 re-

quests per second

An “HTTP 429 Too Many

Requests” response status

code is sent.

https://papm-cloud-

api.<domain>/sap/opu/

odata

Up to 125 requests per sec-

ond

Up to 50 requests (or 10

modifying requests) per sec-

ond

All requests are sent to the

API endpoint at once.

https://papm-cloud-

api.<domain>/sap/opu/

odata

Exceeding 125 requests per

second

Exceeding 50 requests (or 10

modifying requests) per sec-

ond

The requests are queued and

then initiated.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 29

Endpoint (including sub-

paths) API Limit per Instance

API + Authorization Header

Limit per Instance Eect

https://papm-cloud-

api.<domain>/sap/opu/

odata

Signicantly exceeding 125

requests per second

Signicantly exceeding 50 re-

quests (or 10 modifying re-

quests) per second

An “HTTP 429 Too Many

Requests” response status

code is sent.

https://papm-

spreadsheets-

api.<domain>/api

Up to 125 requests per sec-

ond

Up to 50 requests per sec-

ond

All requests are sent to the

API endpoint at once.

https://papm-

spreadsheets-

api.<domain>/api

Exceeding 125 requests per

second

Exceeding 50 requests per

second

The requests are queued and

then executed.

https://papm-

spreadsheets-

api.<domain>/api

Signicantly exceeding 125

requests per second

Signicantly exceeding 50 re-

quests per second

An “HTTP 429 Too Many

Requests” response status

code is sent.

1.5.5Auditing and Logging Information

Here you can nd details on the security events that are logged by SAP Protability and Performance

Management Cloud.

The system writes the audit log of SAP Protability and Performance Management Cloud into the audit log of

your Cloud Foundry subaccount on the SAP Business Technology Platform.

For more information about the service, see Audit Logging in the Cloud Foundry Environment in the “SAP

Business Technology Platform” documentation.

You can access the audit log using the Audit Log Viewer or Audit Log Retrieval APIs:

• For information about subscribing to the viewer and authorizing your business users to access the

log, see Audit Log Viewer for the Cloud Foundry Environment in the SAP Business Technology Platform

documentation.

• For information about the Audit Log Retrieval API, see Audit Log Retrieval API Usage for Subaccounts in the

Cloud Foundry Environment in the SAP Business Technology Platform documentation.

Note

Audit log entries are automatically deleted after a dened retention period. For information, see Audit Log

Retention for the Cloud Foundry Environment in the SAP Business Technology Platform documentation.

The system writes the following messages into the Audit Log by SAP Protability and Performance

Management Cloud.

Missing Authorization of SAP Protability and Performance Management

Cloud

This message is logged when the user is missing a specic authorization.

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Example

Timestamp

26 May 2023, 17:16:07.668 +0200

Log Message

Security event message. Security event message "User not authorized, source of route: /sap/opu/

odata/NXI/P1_N_MOD_SRV/ENVVSet, IP: 10.140.75.152, required scopes: getEnvironmentData, user

scopes: openid" on 2023-05-26T15:16:07.668Z. Security event was related to user "614343d24-1234-4456-

a109-e62b94fb0f60".

10.140.75.152

User

614343d24-1234-4456-a109-e62b94fb0f60

Category

audit.security-events

Requesting Database Credentials

This message is logged when the user accesses the Database Settings screen.

Example

Timestamp

26 May 2023, 17:30:41.223 +0200

Log Message

Security event message. Security event message "User requested the credentials for

the database user "DB_USER_ABC" on "614343d24-3333-2222-1111-41aa972f598e.hana.prod-

br10.hanacloud.ondemand.com:443"" on 2023-05-26T15:30:41.223Z. Security event was related to user

"614343d24-1234-4456-a109-e62b94fb0f60".

10.158.152.181

User

614343d24-1234-4456-a109-e62b94fb0f60

Category

audit.security-events

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 31

Accessing Teams Management

This message is logged when the user accesses the Teams screen.

Example

Timestamp

26 May 2023, 17:34:24.069 +0200

Log Message

Data Access message. Reading attribute with name "email". The attribute is a part of an object with type

"Neo Backend" and id consisting of: name "Team Management".

User

614343d24-1234-4456-a109-e62b94fb0f60

Category

audit.data-access

Accessing User Management

This message is logged when the user accesses the Users screen.

Example

Timestamp

26 May 2023, 17:39:47.858 +0200

Log Message

Data Access message. Reading attribute with name "email". The attribute is a part of an object with type

"Neo Backend" and id consisting of: name "User Management".

User

614343d24-1234-4456-a109-e62b94fb0f60

Category

audit.data-access

For more information, see Read Access Logging [page 23].

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

1.5.6Backup and Recovery

SAP employs backup processes and other measures that ensure rapid recovery of business-critical systems as

and when necessary.

For more information, see Backup and Recovery in the SAP HANA Cloud, SAP HANA Cloud Administration

Guide.

1.5.7Data Protection and Privacy

SAP Protability and Performance Management Cloud operates on the user data of the SAP Business

Technology Platform.

For more information, see Working with Users in the SAP Business Technology Platform documentation.

The User ID in SAP Protability and Performance Management Cloud is copied from the user data of SAP

Business Technology Platform. This can be the user’s email address if the Identity and Authorization Service is

set up respectively.

For more information about personal data, see Data Protection and Privacy [page 20].

1.5.8Identity and Access Management

SAP Protability and Performance Management Cloud does not provide any default users. Users are

maintained in the SAP BTP Cockpit. It also allows for the assignment of roles to users.

For more information, see User Management [page 8] and Congure the Identity Provider (IdP) and Set Up

Authentication [page 18].

1.6 Important Disclaimers and Legal Information

Hyperlinks

When you follow some of the links provided in this document, you are leaving the documentation for SAP

Protability and Performance Management Cloud and are entering a SAP-hosted website. By using such links,

you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product

claims against SAP based on this information.

Administration Guide for SAP Protability and Performance Management Cloud

PUBLIC 33

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability

of videos stored on these platforms. Furthermore, any advertisements or other content hosted on these

platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not

within the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the ocially delivered scope that SAP guarantees for future releases.

This means that experimental features may be changed by SAP at any time for any reason without notice.

Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or

otherwise use the experimental features in a live operating environment or with data that has not been

suciently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to inuence

the future product accordingly. By providing your feedback (e.g. in the SAP Community), you accept that

intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code

is only intended to better explain and visualize the syntax and phrasing rules. SAP does not warrant the

correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by

the use of example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language

We try not to use gender-specic word forms and formulations. As appropriate for context and readability, SAP

may use masculine word forms to refer to all genders.

PUBLIC

Administration Guide for SAP Protability and Performance Management Cloud

Important Disclaimers and Legal Information

Hyperlinks

Some links are classied by an icon and/or a mouseover text. These links provide additional information.

About the icons:

• Links with the icon

: You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your

agreements with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any

damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering an SAP-hosted Web site. By using

such links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this

information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any

advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within

the control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the ocially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by

SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use

the experimental features in a live operating environment or with data that has not been suciently backed up.

The purpose of experimental features is to get feedback early on, allowing customers and partners to inuence the future product accordingly. By providing your

feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code

Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax

and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of

example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language

SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities,

genders, and abilities.

Administration Guide for SAP Protability and Performance Management Cloud

Important Disclaimers and Legal Information

PUBLIC 35

www.sap.com/contactsap

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP

aliate company. The information contained herein may be changed

without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.

National product specications may vary.

These materials are provided by SAP SE or an SAP aliate company for

informational purposes only, without representation or warranty of any

kind, and SAP or its aliated companies shall not be liable for errors or

omissions with respect to the materials. The only warranties for SAP or

SAP aliate company products and services are those that are set forth

in the express warranty statements accompanying such products and

services, if any. Nothing herein should be construed as constituting an

additional warranty.

SAP and other SAP products and services mentioned herein as well as

their respective logos are trademarks or registered trademarks of SAP

SE (or an SAP aliate company) in Germany and other countries. All

other product and service names mentioned are the trademarks of their

respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN 