
NWA 7.1 - User Administration with regards to Roles/Groups

Former Member
0 Kudos

Hello,

Environment = NWA 7.1 , Java Stack Only , No Central User Administration

Situation = One group of individuals responsible for developing and maintaining Java Roles & Groups (Permissions). Another group of individuals responsible for maintaining Users and allocating the above Roles & Groups to the Users.

In accordance with various documentation (i.e. http://help.sap.com/saphelp_nwpi711/helpdata/en/4a/e06f429c789041e10000000a1550b0/frameset.htm) I have set up a Role which includes the actions: UME.Manage_Roles, UME.Manage_Groups, UME.Manage_Users, UME.Manage_All_User_Passwords & UME.Read_All. This Role is intended for the second group of individuals mentioned above.

The problem is however that with the mentioned actions they can not only allocate a user to a Role or Group but also delete the Role/Group from the system. Without the above actions in the Role it is not possible to assign Users to a Role/Group.

This leads me to the question if it is possible to split these two various areas of responsibility or does NWA 7.1 view both activities as residing in only one group (documentation to this effect would be helpful). If not, which actions will ensure that only Users can be administered but the rights to the system (Roles/Groups) can not be tampered with.

Many thanks in advance,

Jay

Accepted Solutions (0)

Answers (1)


Former Member
0 Kudos

Hi,

Remove the actions UME.Manage_Roles, UME.Manage_Groups in the role created and test it. These two actions will remove the access to create/delete roles and create/delete groups.

Regards,

Gowrinadh

Former Member
0 Kudos

Hello Gowrinadh,

As I mentioned before, if I take the actions UME.Manage_Roles & UME.Manage_Groups out of the selected Role, the group of individuals with this Role cannot allocate other Roles to users.

Only with the actions UME.Manage_Roles & UME.Manage_Groups in the selected Role is it possible to allocate users to other Roles. Unfortunately, they can also delete other Roles. This has been tested numerous times.

At this point I do not see a possibility to split these two areas of responsibilities (i.e. one group administers the users by associating Roles and the other group administers the Roles but cannot associate them to users).

For security purposes (dual control or "four eyes principle") I think this should be possible.

Former Member
0 Kudos

Hi,

There is another action available like UME.Manage_role_assignments. This will allow only the users to manage assignments. I have EP 6.0 system and checked the same.

Regards,

Gowrinadh

Former Member
0 Kudos

Hello Gowrinadh,

I allocated the following actions in the 'User Administrator' Role:

-> Manage_Role_assignments

-> Manage_Users

-> Manage_User_Password

With this constellation I still cannot assign Roles to users (I can't even search and find a Role to grant a user).

It appears that without the action 'Manage_Roles', it is not possible to assign Users to Roles under NWDI 7.1 without having the ability to also delete a Role.

To date I have not found any additional UME actions (a search on 'Manage' returned a total of eleven pre-defined actions) that would remedy the problem.

Regards,

Jay

Former Member
0 Kudos

Hi Jay,

UME.Manage_All: Provides permissions required by an overall user administrator.

These include:

• Administration of users belonging to any company and possibility of assigning users to companies (In a multitenant portal, even if a tenant user is assigned this action, he or she will still only have access to users, groups, and roles in his or her tenant.)
• Group management
• Role assignment
• User mapping
• Import and export of user data
• Manual replication of user data

To set up delegated user administration, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.

In portal installations, any role that includes the UME.Manage_All action automatically has Role Assigner permissions on all portal roles in the portal installation.

Try this.

Regards,

Gowrinadh

Former Member
0 Kudos

Hello Gowrinadh,

I tested that action already but unfortunately without the desired result. I would assume in this case that 'Manage_All' includes the action 'Manage_Roles' which allows a deletion of a Role.

Regards,

Jay

Former Member
0 Kudos

Hi,

I don't have the NWA 7.1 system and hence am not able to help you much.

Regards,

Gowrinadh