Start of Content Area

Function documentation Delegated User Administration Using Companies  Locate the document in its SAP Library structure

Use

Delegated user administration allows you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users. For example, you can designate one user administrator for each business area in your company. Each user administrator can only create, modify, and delete users in the business area that he or she is responsible for.

Integration

You use companies to implement a simple form of delegated user administration. By assigning users to companies, you divide them up into administrative sets. One or more administrators are responsible for managing the users in each company.

Features

In delegated administration, we distinguish between overall user administrators and delegated user administrators:

·        Overall User Administrators can add, modify and delete users of all companies. They can create and administer delegated user administrators and assign them appropriate roles and permissions. In addition the following tasks can only be performed by an overall user administrator:

¡        Group management

¡        Role management with permissions to assign all roles to all users and groups

¡        User mapping (SAP Enterprise Portal only)

¡        Import and export of user data

¡        Replication of user data

In the portal, overall user administrators are all administrators who are assigned to the Super Administration or User Administration role. In all other cases, overall user administrators must belong to a role to which the UME.Manage_All action is assigned.

·        Delegated User Administrators can add, modify and delete users that belong to the same company as the delegated user administrator. When they search for users, only users in their company are displayed. They cannot perform any actions involving groups.

Note

In SAP Enterprise Portal only, delegated user administrators can assign roles to their company users. They cannot assign roles to groups. They can only assign portal roles for which they have the Role Assigner permission. They do not need to have any Administrator or End User permissions for the role. For more information on the Role Assigner permission, see Permission Levels.

In the portal, delegated user administrators are all administrators who are assigned to the Delegated User Admin role. In all other cases, delegated user administrators must belong to a role to which the UME.Manage_Users action is assigned.

Caution

On no account should you assign the UME.Manage_Roles action to a delegated user administrator. This action allows users to assign roles using the UME Web-based tool. Since the Web-based tool does not check for the Role Assigner portal-permission, users can assign themselves any role if they have the UME.Manage_Roles action. For example, a delegated user administrator could assign himself the Administrator role and would then have full administrator authorizations.

Constraints

·        Each user can only belong to one company. This means that each delegated user administrator can only belong to one company as well, therefore he or she cannot administer more than one company.

·        It is not possible to have a hierarchy of companies. As a result, you cannot have a hierarchy of user administrators.

End of Content Area