on 03-13-2009 11:16 AM
Hello,
Environment = NWA 7.1, Java Stack Only, No Central User Administration
Situation = One group of individuals responsible for developing and maintaining Java Roles & Groups (Permissions). Another group of individuals responsible for maintaining Users and allocating the above Roles & Groups to the Users.
In accordance with various documentation (i.e. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individuals mentioned above.
The problem is however that with the mentioned actions they can not only allocate a user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.
This leads me to the question if it is possible to split these two various areas of responsibility or does NWA 7.1 view both activities as residing in only one group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) can not be tampered with.
Many thanks in advance,
Jay
Hi,
Remove the actions UME.Manage_Roles, UME.Manage_Groups in the role created and test it. These two actions will remove the access to create/delete roles and create/delete groups.
Regards,
Gowrinadh
Hello Gowrinadh,
As I mentioned before, if I take the actions UME.Manage_Roles & UME.Manage_Groups out of the selected Role, the group of individuals with this Role cannot allocate other Roles to users.
Only with the actions UME.Manage_Roles & UME.Manage_Groups in the selected Role is it possible to allocate users to other Roles. Unfortunately, they can also delete other Roles. This has been tested numerous times.
At this point I do not see a possibility to split these two areas of responsibilities (i.e. one group administers the users by associating Roles and the other group administers the Roles but cannot associate them to users).
For security purposes (dual control or "four eyes principle") I think this should be possible.
Hello Gowrinadh,
I allocated the following actions in the 'User Administrator' Role:
-> Manage_Role_assignments
-> Manage_Users
-> Manage_User_Password
With this constellation I still cannot assign Roles to users (I can't even search and find a Role to grant a user).
It appears that without the action 'Manage_Roles', it is not possible to assign Users to Roles under NWDI 7.1 without having the ability to also delete a Role.
To date I have not found any additional UME actions (a search on 'Manage' returned a total of eleven pre-defined actions) that would remedy the problem.
Regards,
Jay
Hi Jay,
UME.Manage_All: Provides permissions required by an overall user administrator.
These include:
• Administration of users belonging to any company and possibility of assigning users to companies (In a multitenant portal, even if a tenant user is assigned this action, he or she will still only have access to users, groups, and roles in his or her tenant.)
• Group management
• Role assignment
• User mapping
• Import and export of user data
• Manual replication of user data
To set up delegated user administration, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.
In portal installations, any role that includes the UME.Manage_All action automatically has Role Assigner permissions on all portal roles in the portal installation.
Try this.
Regards,
Gowrinadh