Authorizations and Roles

Concept

Authorizations and roles define which objects users can access and which actions they can perform. There are several relevant authorizations and roles in SAP NetWeaver Business Process Management (BPM):

  • Process roles

    A process role defines a set of rights and obligations for a number of principals. In BPM we need process roles for several purposes: processing tasks, processing activities, administering and debugging business processes.

    Process roles exist in all BPM components, in the process composer, in the process server, and in the process desk.

    Caution

    Every user who processes a task in the process can see the whole process context.

    More information: Process Roles

  • UME roles and actions

    The user management engine (UME) provides a centralized user management for all Java applications and can be configured to work with user management data from multiple data sources. It is integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java. The actions are listed in the user management administration console, where you can group them together into roles. Permissions for BPM tools and objects are available as UME actions that can be displayed in the user management administration console.

    For an overview of the BPM relevant roles and actions, see the sections below.

  • Portal roles

    As a component of SAP NetWeaver Business Process Management, the universal worklist (UWL) is based on the portal platform. UWL provides a set of predefined portal roles that enable access to various functions of the framework - for example, administration.

    More information: Portal Roles, UME Roles, and Portal Roles

For steps that are not driven by a user through a UI, the process server uses the service user SAP_BPM_Service. This user is already preconfigured. If steps that the system executes automatically need any special roles or actions, check the roles and actions assigned to this user in the user management. If necessary, configure this user as described in Configuring BPM Users.

UME Roles for Administration and Debugging

The following table lists the predefined administration and debugging roles used in BPM and their access to the corresponding tasks and views.

SAP_BPM_Navigation
    Authorization:
    • Display all process and task administration views in the SAP NetWeaver Administrator
      Note: Only the processes and tasks are displayed for which this role is assigned as administrator when modeling the process and tasks with the process composer.
    • Edit processes and tasks for which the user is assigned as administrator
    Comment: Data source: UME database

SAP_BPM_SuperDisplay
    Authorization:
    • Display all process and task administration views in the SAP NetWeaver Administrator
    • Display data for all process and task instances from the BPM_MY_PROCESSES_DS and BPM_MY_TASKS_DS data sources
    • Read-only permission for all views
    Comment: Data source: UME database

SAP_BPM_SuperAdmin
    Authorization:
    • Display all process and task administration views in the SAP NetWeaver Administrator
    • Display data for all process and task instances from the BPM_MY_PROCESSES_DS and BPM_MY_TASKS_DS data sources
    • Edit processes and tasks in the process and task management tool (excluding debugging a process)
    • Start processes
    Comment: Data source: UME database

SAP_BPM_Debug
    Authorization:
    • Debug processes in the Debug perspective or in the Process Instances view in the SAP NetWeaver Developer Studio
    • Start processes from the debugger in the SAP NetWeaver Developer Studio
    Comment: Data source: UME database

NWA_SUPERADMIN
    Authorization:
    • Display and manage all views in the SAP NetWeaver Administrator (excluding starting a process)
    Comment: SAP NetWeaver Administrator specific

NWA_READONLY
    Authorization:
    • Display all views in the SAP NetWeaver Administrator (including the process and task specific views)
    Comment: SAP NetWeaver Administrator specific

SAP_BPM_TRIGGER_EVENT
    Authorization:
    • Start a process through a Web service call
    • Invoke an intermediate message trigger through a Web service call or the public API
    Comment: For public APIs

UME actions are assigned to every predefined UME role for BPM administration. The UME actions allow detailed refinement of access to the various administration views and tasks. To restrict administration authorizations further, you can assign individual UME actions to roles of your own, which you then assign to UME users and groups.

The following table lists the UME actions and their use in BPM.

NWA_READONLY_BPM_TMMNT
    Display authorization for the Manage Tasks application

NWA_SUPERADMIN_BPM_TMMNT
    Super administrator authorization for the Manage Tasks application

NWA_READONLY_BPM_RRViewer
    Display authorization for the Process Repository application

NWA_SUPERADMIN_BPM_RRViewer
    Super administrator authorization for the Process Repository application

SAP_BPM_SuperDisplay
    Display authorization for all BPM applications integrated in SAP NetWeaver Administrator

SAP_BPM_SuperAdmin
    Super administrator authorization for all BPM applications integrated in SAP NetWeaver Administrator

SAP_BPM_EDIT_CONTEXT
    Edit the input data (process context) of a process instance

SAP_BPM_Debug
    Debug BPM processes

NWA_SUPERADMIN_BPM_SYSOV
    Super administrator authorization for the BPM System Overview

NWA_READONLY_BPM_Log
    Display authorization for the process server log in the Troubleshooting application

NWA_SUPERADMIN_BPM_Log
    Super administrator authorization for the process server log in the Troubleshooting application

NWA_READONLY_BPM_TRBShoot
    Display authorization for the Troubleshooting application

NWA_SUPERADMIN_BPM_TRBShoot
    Super administrator authorization for the Troubleshooting application

NWA_SUPERADMIN_BPM_ProcMgmt
    Super administrator authorization for the Manage Processes application

NWA_READONLY_BPM_ProcMgmt
    Display authorization for the Manage Processes application

SAP_BPM_TRIGGER_EVENT
    Authorization to start a process through a Web service call. Authorization to invoke an intermediate message trigger through a Web service call.

SPML_READ_ACTION
    Display users in the search results of the UME Browse dialog box

SAP_BPM_CTX_SUPER_ADMIN
    Allow changing the permissions for access to the files and folders in ECM where attachments are stored

SAP_BPM_SQL_BROWSER
    Allow working with BPM tables in the SQL Browser in SAP NetWeaver Administrator

ARCH_CO_ARCHIVE_bpm_proc
    Execute archiving for the archiving set bpm_proc

ARCH_CO_ORGANIZE_bpm_proc
    Execute additional organizational tasks for the archiving set bpm_proc

ARCH_CO_CONFIG_bpm_proc
    Modify the properties of the archiving set bpm_proc

bpm.solutionmanager
    Solution Manager permission for BPM

More information: Standard UME Actions
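As an added illustration of the preceding paragraph and the action table (example code, not from SAP documentation or any SAP tool), the following Python script resolves each user's effective UME actions through direct role assignments, group memberships and nested groups, and then flags the users who end up holding the actions the table describes as super-administrator, context-editing, debugging, SQL-browser or Web-service trigger rights. The role-to-action mapping, the custom role Z_BPM_HELPDESK, the groups, the users and the nested-group structure are all constructed assumptions for this example; on a real system the assignments come from the user management administration console. Only the action and predefined role names are taken from the tables above.

```python
"""Least-privilege audit of BPM UME role and action assignments.

All assignment data below is constructed for this example. The action names
and the predefined role names match the SAP NetWeaver BPM documentation; the
custom role, the groups, the users and the role-to-action mapping are
assumptions and not SAP defaults.
"""
from collections import deque

# Actions the documentation describes as granting super-administrator,
# context-editing, debugging, SQL-browser or Web-service trigger rights.
PRIVILEGED_ACTIONS = {
    "SAP_BPM_SuperAdmin",
    "SAP_BPM_EDIT_CONTEXT",
    "SAP_BPM_Debug",
    "SAP_BPM_SQL_BROWSER",
    "SAP_BPM_CTX_SUPER_ADMIN",
    "SAP_BPM_TRIGGER_EVENT",
    "NWA_SUPERADMIN_BPM_ProcMgmt",
    "NWA_SUPERADMIN_BPM_TMMNT",
}

# Constructed role -> actions mapping (assumption: which actions each role
# carries is not listed in the documentation, so these are illustrative).
ROLE_ACTIONS = {
    "SAP_BPM_SuperDisplay": {"SAP_BPM_SuperDisplay", "NWA_READONLY_BPM_ProcMgmt"},
    "SAP_BPM_SuperAdmin": {"SAP_BPM_SuperAdmin", "SAP_BPM_EDIT_CONTEXT",
                           "NWA_SUPERADMIN_BPM_ProcMgmt"},
    "SAP_BPM_Debug": {"SAP_BPM_Debug"},
    # Custom display-only role built from two read-only actions (constructed).
    "Z_BPM_HELPDESK": {"NWA_READONLY_BPM_TMMNT", "NWA_READONLY_BPM_ProcMgmt"},
}

# Constructed group -> roles, group -> parent groups (nested membership),
# user -> groups and user -> directly assigned roles.
GROUP_ROLES = {
    "BPM_OPERATORS": {"SAP_BPM_SuperDisplay", "Z_BPM_HELPDESK"},
    "BPM_ADMINS": {"SAP_BPM_SuperAdmin"},
}
GROUP_PARENTS = {"BPM_ADMINS": {"BPM_OPERATORS"}}  # admins are also operators
USER_GROUPS = {"alice": {"BPM_OPERATORS"}, "bob": {"BPM_ADMINS"}, "carol": set()}
USER_ROLES = {"carol": {"SAP_BPM_Debug"}}  # direct assignment, no group
USERS = sorted(set(USER_GROUPS) | set(USER_ROLES))


def effective_groups(user):
    """All groups a user belongs to, following nested membership; cycle-safe."""
    seen = set()
    queue = deque(USER_GROUPS.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, ()))
    return seen


def effective_roles(user):
    """Roles held directly plus roles inherited through any group."""
    roles = set(USER_ROLES.get(user, ()))
    for group in effective_groups(user):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def effective_actions(user):
    """Union of the actions carried by every effective role."""
    actions = set()
    for role in effective_roles(user):
        actions |= ROLE_ACTIONS.get(role, set())
    return actions


def audit(users):
    """Map each user holding privileged actions to the sorted list of them."""
    findings = {}
    for user in users:
        privileged = sorted(effective_actions(user) & PRIVILEGED_ACTIONS)
        if privileged:
            findings[user] = privileged
    return findings


def action_holders(action, users):
    """Reverse view: which users effectively hold one action."""
    return sorted(u for u in users if action in effective_actions(u))


if __name__ == "__main__":
    for user, actions in audit(USERS).items():
        print(f"{user}: privileged actions {', '.join(actions)}")
    print("SAP_BPM_EDIT_CONTEXT holders:", action_holders("SAP_BPM_EDIT_CONTEXT", USERS))
```

The reverse view is the one to run before a review of a sensitive action such as SAP_BPM_EDIT_CONTEXT or SAP_BPM_SQL_BROWSER: it answers "who can do this" across direct and inherited assignments, which a per-user role listing in the console does not show at a glance.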

Portal Roles

The processors of a task need the following portal roles assigned to access the tasks in the universal worklist (UWL), which is integrated in the portal.

eu_role
    Description: The Every User role enables the user to see the default portal page, which contains the UWL
    Comment: Data source: portal role

com.sap.bpem.Enduser
    Description: The BPEM End User role enables the user to access processes and tasks and their details within a BPM process in portal applications such as the UWL
    Comment: Data source: portal role