Thanks for your response. Each company has branch offices. So the Administrator can manage users belonging to more than one such branch (belonging to the same company). The branch offices have office numbers associated with their names, For example, CompanyA_branch001, CompanyA_branch002, etc.

And the branch offices each have roles like Admin, Specialist, general_content (corresponding to order status for that particular branch).

Thanks

Srinivas

I can't think of an easy way to do what you're trying to achieve. The delegated user admin wasn't really designed for this type of structure.

Have you considered not using portal useradmin but using LDAP admin tools?

Hi Michael,

Thank you for your quick response. We are not using LDAP at this point (although, we'll eventually integrate LDAP and UME). For now UME is the data source for these external users.

What we are trying to implement is user administration at the branch office level and not the company level.

CompanyA

> branchOffice1

> branchOffice2

Each branchOffice, has an admin role

Each admin role can manage more than one branch office.

Can this be feasible in UME !

Thanks

Srinivas

Not that I am aware of..

What sort of user admin is being done? User creation? Password maintenenace? Role assignment?

Yes, the general user management. Creation/deletion/changing the user, corresponding to the branch office(s) that the Administrator has authorization to.

Thanks

Srinivas

I think you need to write your own useradmin application. For example, how will you ensure username standards are followed?

The user name would be email ID. So it would be consistent across all the companies and their branch offices. What did you mean by our own user admin application. Can you please be more specific.

Thanks

Srinivas

I mean write a Web Dynpro application that has some simple forms that are used by the company admins to do user creation etc which then are processed by a central team.

So a custom web dynpro application with a custom logon screen, can be used to manage users at the branch office level (not at the company level)?

Please correct me if I am wrong.

Thanks

Srinivas

If you write your own application then you can do what you want!

How about the specialist roles at the branch office level..., the specialist role can view/edit invoices. Its tedious to write multiple webdynpro applications for each such role at the branch office level. (admin, specialist).

Can we not leverage the UME groups (sub groups) to realize this requirement?

Admin roles and specialist roles at the branch office level ( and not at the company level) ?

Thanks

Srinivas

Maybe I'm not understanding. You were asking how to do user administration. In other words how to create new users in a delegated way and give them group membership and do role assignment. Now you are asking about editting and viewing invoices.

A role is just a set of functions that can be executed. It is given to a set of users, normally through group membership. The application that is started has to decide who is allowed to do what. This is normally by authorizations in an ABAP system. How are you writing these applications?

We are trying to implement the UME for external users who are spread out in companies and branch offices under each company.

1. Admin role at the branch office level ( should allow to create/delete/change users at the branch office level)

This is kind of delegated administration, but not at the company level but branch office level.

2. We are trying to also deploy a Java webdynpro, that should only show orders pertaining to that particular branch office.

3. There are specialist roles at the branch office level who are allowed to access/edit invoices pertaining to that particular branch office.

This is on portal side (java stack).

Thanks for your response.

Srinivas

Edited by: srinivas M on Jan 7, 2009 10:59 PM

I think I see some confusion between UME and security.

UME is all about creating users etc and assigning them to groups and roles. As I said, I think you will need to have your own application to do this to allow for creating users in different branches etc. Using the delegated admin tool will be too messy for you as they need to have the Jave instance reatarted every time a new branch is added. Also, brabch is not specific enough for your needs.

Security is about deciding at run time who is allowed to do what. This could be based on things like group membership if it is a pure Java app etc, or using actions. However, most applications started from the portal are based on getting data out of an ABAP based system, which is then relying on ABAP authorisations.