Managing Users, Groups, and Roles

Use

With this function you create, modify, and delete users, groups, and roles in the user management engine (UME), so that you can define these objects and group them according to your access management strategy.

Prerequisites

To manage users, groups, or roles, you must be assigned a role that includes the relevant action or combination of actions. For example, to assign roles to users, your role assignments must include UME actions that allow you to change both principals involved, roles and users, such as UME.Manage_Roles and UME.Manage_Users. The figure below summarizes the UME actions available by default in the SAP NetWeaver Application Server (AS).


UME Actions According to Principal and Role

Along the top of the figure is a list of role archetypes; for example, the column Administrators All lists the actions appropriate to an overall administrator. The rows represent the different permission areas or principals to which the actions apply. For example, the top row of blocks lists actions relevant to working with users, from full access, through read access, down to access to your own profile only. The last two rows refer to specific functions, such as permission to use the import and export functions, or profile-specific actions. Some actions are subsets of other actions; for example, UME.Manage_My_Profile includes UME.Manage_My_Password. For a detailed description of these UME actions, see Standard UME Actions.

Standard UME roles bundle such actions. The UME role Administrator includes UME.Manage_All, which enables you to display and change everything. By default, administrator roles are assigned only to administrators; because UME.Manage_All grants unrestricted read and write access to all principals, restrict such roles to the people who actually administer the system.
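The following is an added illustration, not code from SAP or from this documentation, of how the action requirements described above combine into an authorization decision. The two implication relations it encodes (UME.Manage_All includes every other action; UME.Manage_My_Profile includes UME.Manage_My_Password) are the ones stated above; the mapping of operations to required actions, and modelling the check in Python instead of through the UME API, are assumptions made for the example.

```python
"""Model of how UME actions combine into an authorization decision.

Added illustration, not SAP code.  The implication relations are those
stated in the surrounding text; the operation table is an assumption.
"""
from typing import Dict, FrozenSet, Iterable, Set

# Action -> actions it includes (as stated in the text).  The closure is
# computed transitively, so Manage_All also reaches Manage_My_Password.
IMPLIES: Dict[str, Set[str]] = {
    "UME.Manage_All": {"UME.Manage_Users", "UME.Manage_Roles",
                       "UME.Manage_My_Profile"},
    "UME.Manage_My_Profile": {"UME.Manage_My_Password"},
}

# Operation -> actions that must ALL be held.  Assumed mapping; the text
# gives only the first entry: assigning a role changes two principals, the
# user and the role, so it needs the action for each of them.
REQUIRED: Dict[str, Set[str]] = {
    "assign_role_to_user": {"UME.Manage_Users", "UME.Manage_Roles"},
    "create_user": {"UME.Manage_Users"},
    "change_own_password": {"UME.Manage_My_Password"},
}


def effective_actions(granted: Iterable[str]) -> FrozenSet[str]:
    """Return the granted actions plus everything they transitively include."""
    result: Set[str] = set()
    stack = list(granted)
    while stack:
        action = stack.pop()
        if action in result:
            continue
        result.add(action)
        stack.extend(IMPLIES.get(action, ()))
    return frozenset(result)


def missing_actions(granted: Iterable[str], operation: str) -> FrozenSet[str]:
    """Actions still needed for the operation; an empty set means permitted.

    Requirements are conjunctive: holding UME.Manage_Users alone is not
    enough to assign a role, because the role side of the assignment is
    not covered by that action.
    """
    return frozenset(REQUIRED[operation] - effective_actions(granted))


def is_permitted(granted: Iterable[str], operation: str) -> bool:
    """True when the granted actions cover every action the operation needs."""
    return not missing_actions(granted, operation)


if __name__ == "__main__":
    # Constructed role assignments for three hypothetical administrators.
    admins = {
        "user_admin": {"UME.Manage_Users"},
        "role_and_user_admin": {"UME.Manage_Users", "UME.Manage_Roles"},
        "superadmin": {"UME.Manage_All"},
    }
    for name, actions in admins.items():
        gap = missing_actions(actions, "assign_role_to_user")
        verdict = "permitted" if not gap else "missing " + ", ".join(sorted(gap))
        print(f"{name}: assign_role_to_user -> {verdict}")
```

Running the block shows that user_admin cannot assign roles until UME.Manage_Roles is added, while the role_and_user_admin and superadmin assignments both pass; the point of the conjunctive check is that a role intended for user administration alone does not silently become a role-assignment role.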

Features

Integration with ABAP User Management

If your system is configured to use the user management of an AS ABAP, PFCG roles from the ABAP system are displayed as groups in the user administration console. You cannot change or delete these groups using identity management; the only possible action is to assign UME roles and security roles to them. You can create new groups, but these are stored in the database of the AS Java and are not created as PFCG roles in the ABAP system. For more information, see AS ABAP User Management as Data Source.

Principal Locking

Identity management locks principals you are currently editing. Other users who attempt to edit the user, group, or role you are editing receive a warning that the principal is being edited by another user. The lock prevents multiple users from editing the same principal and accidentally overwriting each other's work.


This lock applies only within identity management (either stand-alone or integrated into the SAP NetWeaver Administrator or SAP NetWeaver Portal). If you use another application or access the principal with back-end tools, such as the management tools of a directory service, the lock does not apply, and changes made that way can overwrite an edit that is in progress.

The lock is session based.

· If you open another browser window within the same session, for example, in Microsoft Internet Explorer by pressing CTRL+N, the lock does not apply. Both windows can simultaneously edit the same principal.

· If you open another browser window in a new session, for example, by choosing the browser application from the Microsoft Windows Start menu, even if you log on to the identity management application as the same user, you cannot simultaneously edit the same principal.

Activities

With identity management, you can perform the following activities:

Activity

How to Perform the Activity

Search for a user, group, or role (simple search)


1. In the search area, choose the type of object you are looking for: user, group, or role.

2. Enter a string to search for.

The search function searches for this string in the user ID (users only) and name. Use the asterisk (*) as a wildcard. If you do not enter any text, the search function returns a list of all users, groups, or roles, depending on the object you chose.

3. Choose Go.

A list of search results appears in the Search view.


When searching for portal roles, you can search only for the path below the Portal Content Directory (PCD) root. You cannot search for the full path.

You can narrow the search by selecting the data source you want to search, if there is more than one data source.

A federated portal network adds some complexity. For roles only, you can search remote data sources, meaning remote portal systems in your network. If you search All Data Sources this includes the remote portals. For all other principals (users, groups, and actions) the search only includes the data sources relevant to your local portal.

Search for a user (advanced search)


1. In the search area, choose User as the type of object you are looking for.

2. Choose Advanced Search.

3. Enter your search criteria in the required fields in the various tabs.

4. Choose Search.

A list of search results appears in the Search view.

View detailed information on a user, group, or role

In the search results list, select the user, group, or role. The detailed information appears in the Details view.

Create new user, group, or role

1. In the search area, choose the type of object you wish to create.

2. Choose Create.

3. Enter data as required in the Details view.

Copy an existing user


1. In the search results list, select the user you want to copy.

2. Choose Copy to New.

3. Enter a logon ID and define a password.

4. Choose Save.

Change existing user, group, or role


1. In the search results list, select the user, group, or role you want to change.

2. Choose Modify.

3. Change the data as required.

4. Choose Save.

Delete a user, group, or role

Recommendation

We recommend that you do not delete users. Instead, lock the user and set an expiration date for the account, and delete the user only after a retention period that complies with your local auditing regulations.


1. In the search results list, select a user, group, or role.

2. Choose Delete.

If you delete a user, you are prompted to enter a reason for the deletion. If you have enabled e-mail notification, this text is sent to the user in a notification e-mail.


You cannot delete a portal role here. You can only delete its group, user, and user mapping assignments. To delete the role itself, use the portal content tools.

Change the logon alias of a user

To perform this activity, you must enable the use of a logon alias. For more information, see Using Basic Authentication (User ID and Password).


1. In the search results list, select a user.

2. Choose Modify.

3. Choose the Additional Information tab.

4. Change the data as required.

5. Choose Save.

Lock or unlock a user

See Locking or Unlocking Users.

Approve or reject a user

See Approving or Rejecting Users.

Generate a new password for a user

See Password Management.

Assign a user to a group or a role

See Assigning Objects to Roles or Groups.

Move a user to another company

See Moving a User to Another Company.
