
UME Roles and Portal Roles

In the portal, you can manage both user management engine (UME) roles and portal roles. Both types of roles determine what users can do, but each with a different focus. The following table lists the main differences between these two types of roles.

Comparison of UME and Portal Roles

| UME Roles | Portal Roles |
|---|---|
| Are a container for UME actions (actions are sets of Java permissions). | Are a container for portal content (iViews, worksets, folders, and so on). |
| Define a set of authorizations. By assigning a UME role, you define what authorizations a user has to run applications on the J2EE engine. The authorizations are defined by the UME actions in the role. | Defines how content is grouped together and how it is displayed in the portal. By assigning a portal role, you define which content a user sees in the portal. Like UME roles, you can assign UME actions to portal roles. |
| Are stored in the user management tables of the J2EE database. | Are stored in the Portal Content Directory (PCD) tables of the J2EE database. |
| Are created with identity management. | Are created in the Role Editor of the Portal Content Studio. |
| Protect access to applications on the J2EE engine. | Constitute a small part of the authorization concept of the portal. When you assign a portal role to a user or group, they get end user permission on the role. You can define role assigner permission on a portal role. Users or groups that are granted role assigner permission on a portal role can assign the portal role to users or groups. |

Tools

The tools needed to manage UME and portal roles are identity management and the Portal Content Studio. The following table lists the main differences in use of these tools.

Comparison of Identity Management and Portal Content Studio

| Activity | Identity Management | Portal Content Studio |
|---|---|---|
| Create and edit roles | UME roles | Portal roles |
| Assign UME actions | UME roles and portal roles | Portal roles |
| Assign roles to users and groups | UME roles and portal roles | None. Can assign portal permissions for PCD objects to users and groups. |

To perform these activities you need the required permissions.

More Information:

Managing Users, Groups, and Roles

Role Assignment

Example

Carmen Fernandez is assigned to the UME role Administrator and no other role. She has full administrator authorizations on the J2EE Engine, but does not see any content in the portal. In contrast, Oleg Semenov is assigned to the portal Super Administrator role. He can see all the administrator functions when he logs on to the portal, and he has the corresponding authorizations on the J2EE Engine.

UME Actions in the Portal

Use

The user management engine (UME) uses UME actions to enforce authorizations. An action is a collection of Java permissions that define which activities a user can perform. UME actions can be assigned to UME roles or portal roles. If a role with a UME action is assigned to a user, the user gains the authorizations provided by the action. The UME verifies that users have the appropriate UME actions assigned to them before granting them access to UME iViews and functions. Other applications can also define or check for actions.

The following table lists the UME actions assigned to portal roles by default.

Portal Roles with Default UME Actions

| Portal Role | Assigned UME Actions |
|---|---|
| Delegated User Administrator | UME.Manage_Users, UME.Manage_Role_Assignments |
| Every User Core Role | UME.Manage_My_Profile |
| Standard User Role | UME.Manage_My_Profile |
| Super Administrator | UME.AclSuperUser, UME.Manage_All |
| System Admin | UME.System_Admin |
| User Administrator | UME.Manage_All |
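
An access review built on the default mapping above, added here as an example and not SAP's own code: it resolves direct and group role assignments to UME actions and lists who holds sensitive ones and through which role. The user and group data, the SENSITIVE set and the UNRESOLVED marker are constructed assumptions; roles outside the default table are flagged rather than ignored, because UME actions can be assigned to any portal role.

```python
# Added example: access review over UME actions inherited through portal roles.
# DEFAULT_ACTIONS mirrors the default table on this page; all other data is constructed.
DEFAULT_ACTIONS = {
    "Delegated User Administrator": {"UME.Manage_Users", "UME.Manage_Role_Assignments"},
    "Every User Core Role": {"UME.Manage_My_Profile"},
    "Standard User Role": {"UME.Manage_My_Profile"},
    "Super Administrator": {"UME.AclSuperUser", "UME.Manage_All"},
    "System Admin": {"UME.System_Admin"},
    "User Administrator": {"UME.Manage_All"},
}

# Assumption: the actions this review treats as sensitive, plus unknown roles.
SENSITIVE = {"UME.Manage_All", "UME.AclSuperUser", "UME.System_Admin",
             "UME.Manage_Users", "UME.Manage_Role_Assignments", "UNRESOLVED"}

# Constructed sample export: direct role assignments and group membership.
USER_ROLES = {"osemenov": ["Super Administrator"], "jdoe": ["Standard User Role"],
              "asmith": [], "mlee": ["Custom HR Role"]}
GROUP_ROLES = {"helpdesk": ["Delegated User Administrator"], "everyone": ["Every User Core Role"]}
USER_GROUPS = {"osemenov": ["everyone"], "jdoe": ["everyone"],
               "asmith": ["everyone", "helpdesk"], "mlee": ["everyone"]}


def effective_actions(user, role_actions=DEFAULT_ACTIONS):
    """Return {action: sorted granting paths} for one user, direct and via groups."""
    grants = {}
    paths = [(role, "direct") for role in USER_ROLES.get(user, [])]
    for group in USER_GROUPS.get(user, []):
        paths += [(role, "group:" + group) for role in GROUP_ROLES.get(group, [])]
    for role, via in paths:
        # A role missing from the table may carry custom actions: mark it, never skip it.
        for action in role_actions.get(role, {"UNRESOLVED"}):
            grants.setdefault(action, set()).add(f"{role} ({via})")
    return {action: sorted(p) for action, p in grants.items()}


def review(users):
    """List (user, action, granting paths) for every sensitive action held."""
    findings = []
    for user in sorted(users):
        for action, paths in sorted(effective_actions(user).items()):
            if action in SENSITIVE:
                findings.append((user, action, paths))
    return findings


if __name__ == "__main__":
    for user, action, paths in review(USER_ROLES):
        print(f"{user}: {action} via {', '.join(paths)}")
```
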

Some UME actions are defined specifically for the portal environment:

· UME.AclSuperUser

· UME.Manage_Role_Assignments

· UME.Remote_Producer_Read_Access

· UME.Remote_Producer_Write_Access

Integration

In the portal, you can assign UME actions to portal roles with the Role Editor. Each UME action is listed as a property in the Property Editor for roles. Set an action to Yes to assign it to the portal role and change the role's authorizations. This information is recorded in the Portal Content Directory (PCD), which is why you cannot use the delete function of identity management to remove actions from a portal role. When you try to delete the role with identity management, the UME only removes the user and group assignments. You must edit the role manually either in identity management or the Role Editor.

User Administration

Purpose

The user administrator performs all tasks that are relevant to user management and role assignments. In the portal, all user management functions related to users and groups are provided by the user management engine (UME). The UME is integrated in the SAP NetWeaver Application Server (AS) Java.

For more information about the administration functions of the UME, see Administration of Users and Roles.

In this section you can find information about concepts that need additional clarification in a SAP NetWeaver Portal context. These are:

UME Actions in the Portal – a brief description of how UME actions are integrated in the portal.

UME Roles and Portal Roles – an explanation of the difference between these two types of roles and how they are both used in the portal.

In addition, you can find information about administration functions that are specific to the portal. These are:

Assigning roles to users and groups

Mapping users – for Single Sign-On purposes

Features

In a portal installation, the UME provides you with tools for performing user management tasks in a set of iViews and worksets integrated in the User Administration role in the portal.