Thank You ...this is helpful.

Maybe a better question is : How would you create a custom UME action and then view it ?

Thanks Satish ..I will look into

All the best ..

Dan,

These tutorials from the SAP NetWeaver 7.0 documentation might also be of use to you.

http://help.sap.com/saphelp_nw04s/helpdata/en/25/21b957daaaa745b3ded44f8a39d7a1/frameset.htm

-Michael

Thanks Michael, would you have any info on how to exploit the use

of logs and traces for authorizations in JAVA.

For instance , some areas just say 'don't have permissions'. How would you know what

a person actually needs ?

Also, in original question +Also, using NWDI.Administrators group , the group itself gives permissions

outsided of just having the NWDI.Administrator role. Where/How are the group

permissions defined ? Thank You+

does the group pemissions defined give greater permissions then the

UME role ?

I am afraid that I won't be much use to you Dan. I am not much of an administrator. I would guess that you could look in the security log and failing that the default trace. It is not very helpful when applications do not pass that kind of information along.

I am also not much of an NWDI user. I do not know how the NWDI groups can include permissions. Java groups can be assigned Java security roles with the Visual Administrator or UME roles with identity management. The only other authorizations that I can think of is ACLs naming the group, but those are application specific.

-Michael

Thanks Michael,

I talked to our Basis guys and can't readily see where for instance "Administrators" group gives the

permission to go into 'System Information" from the main WAS -Java page. The role and the group

have the same permissions when look in the User Management area in UME.

When he looked in Visual Admininstrator couldn't see readily anything on the Administrators Group ?

The only thing you will see in the visual administrator is if there are any J2EE security roles associated with that group. I would bet that the UME action Manage.All has enough permissions for you to view System Information. By default this action is assigned to the Administrator role, which by default is assigned to the Administrators group. (Naturally if you have a dual stack, these objects may have different default names.) Does that answer your question?

-Michael

Thanks Michael , What's the best way to Navigate to see the Administators Group in J2ee ?

I guess i have a bunch of questions around the Java Environment.

So is it safe to say that Java Security roles are not the same as what i see as a role in the UME user management ?

I've tried a couple tests ..if you have just the Administrators role then you can't view the "System Information" but if you have the "Administrators" Group assigned you can view. Although when looking at

the Group in the UME all it has is the Administrator's role ? See I guess I trying to see what /where is enabling the Administrators Group.

You wouldn't have any links that really explore the security/roles/groups in the J2ee visual administrator ( even though I don't have access to it ..he he

Dan,

This is a good place to start: [Authorization Concept of the AS Java|http://help.sap.com/saphelp_nw04s/helpdata/en/44/7fdf2470a412d2e10000000a422035/frameset.htm]. The two roles are different. Security roles are part of the J2EE Standard. UME roles are collections of UME actions. The UME interface cannot show the J2EE roles.

Now as to the role that lets you look at system info, you are correct. As your test showed, this is not included in Manage.All. I just tried that myself. If you look in the visual admin, you see there is a security role called administrators assigned to the group Administrators. Now when the developers create a J2EE application they specify the name of the role that the user must have in order to access it. Often they use the name administrators. When the applications are deployed to the server, the AS Java consolidates all these roles into a single role with the same name, administrators, by role references. This is assigned to the Administrators group by default. This is done to make the life of the developer and the deployer easier. So System Info needs this role. Well, there are two keystore roles assigned by default as well, but I doubt these are the roles System Info is looking for. In SAP NetWeaver 7.1 you have more granular control. But that is another question.

I hope that helps.

-Michael

Thank you Michael ,yes this does help. So in the J2EE visual administrator in the role Administrator ..i see should see something that gives the System Information permission .or is it transparent ? When you say the role is created

by developers - would this be like a java studio.

I guess where we are at is we have an environment manager who is in

the NWDI.Administrators group but would like to have access to the System

Information area.

Hi Dan,

I cannot think of any way to make it transparent, since the application is installed with the AS Java. The role is created in the coding of the application, or in the deployment descriptor. If you want someone to be able to access System Information, then they must be a member of the Administrators Group.

-Michael

Thanks Michael, so given this is it a fair statement to say that the GROUP/Role permission attributes in J2REE can't be readily changed..at least in this instance ?

I would say no. I would also like to say that I have never been wrong, but I will stick with no.

-Michael