Authorizations and Roles
Concept
Authorizations and roles define the objects users can access and the actions they can perform. There are various authorizations and roles in SAP Business Process Management (BPM):
- Process roles

  A process role defines a set of rights and obligations for a number of principals. In BPM, process roles are needed for different purposes: processing tasks, processing activities, and administering and debugging business processes.

  Process roles exist in all BPM components: in the process composer, in the Process Server, and in the process desk.

  More information: Process Roles

- UME roles and actions

  The User Management Engine (UME) provides centralized user management for all Java applications and can be configured to work with user management data from multiple data sources. It has to be integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administered using the administration tools of the AS Java. The actions are listed in the user management administration console, where you can group them together into roles. Permissions for BPM tools and objects are available as UME actions that can be displayed in the user management administration console.

  For an overview of the BPM-relevant roles and actions, see the sections below.

- Portal roles

  As a component of SAP Business Process Management, the Universal Worklist (UWL) is based on the portal platform. UWL provides a set of predefined portal roles that enable access to various functions of the framework, for example, administration. For the BPM inbox, one specific portal role is also needed.

  More information: Portal Roles, UME Roles, and Portal Roles, Authorizations and Roles for BPM Inbox.
For steps that are not driven by a user through a UI, the process server uses the service users SAP_BPM_Service and SAP_BPM_RR_Service, respectively. These users are already preconfigured. If any special roles or actions are needed for steps that are executed automatically by the system, check the roles and actions assigned to these users in the user management. If necessary, configure these users as described in Configuring BPM Users.
UME Roles for Administration and Debugging
The following table lists the predefined administration and debugging roles used in BPM and their access to the corresponding tasks and views.
| Administration UME Role | Authorization | Comment |
|---|---|---|
| SAP_BPM_Navigation | Display all process and task administration views in the SAP NetWeaver Administrator; edit processes and tasks for which the user is assigned as administrator | Data source: UME database |
| SAP_BPM_SuperDisplay | Display all process and task administration views in the SAP NetWeaver Administrator; display data for all process and task instances from the BPM_MY_PROCESSES_DS and BPM_MY_TASKS_DS data sources; read-only permission for all views; read substitution rules | Data source: UME database |
| SAP_BPM_SuperAdmin | Display all process and task administration views in the SAP NetWeaver Administrator; display data for all process and task instances from the BPM_MY_PROCESSES_DS and BPM_MY_TASKS_DS data sources; use the process and task management tool to edit processes and tasks; start processes; create, update, read, and delete substitution rules | Data source: UME database |
| SAP_BPM_Debug | Debug processes in the Debug perspective or in the Process Instances view in the SAP NetWeaver Developer Studio; start processes from the debugger in the SAP NetWeaver Developer Studio | Data source: UME database |
| NWA_SUPERADMIN | Display and manage all views in the SAP NetWeaver Administrator (excluding start process) | SAP NetWeaver Administrator specific |
| NWA_READONLY | Display all views in the SAP NetWeaver Administrator (including the process- and task-specific views) | SAP NetWeaver Administrator specific |
| SAP_BPM_TRIGGER_EVENT | Start a process through a Web service call; invoke an intermediate message trigger through a Web service call or the public API | For public APIs |
| SAP_BPM_ODATA | Access the BPM OData service | Data source: UME database |
| UnifiedInboxUserRole | Access task details within a BPM Inbox | Data source: UME database |
| SAP_BPM_JMS_BPMEventTopic_Subscribe | Subscribe to JMS topic BPMEventTopic | Data source: UME database |
| SAP_BPM_JMS_BPMEventTopic_Publish | Publish to JMS topic BPMEventTopic | Data source: UME database |
More information about different administrator types: Types of Administrator Roles.
UME actions are assigned to every predefined UME role for BPM administration. The UME actions allow fine-grained control of access to the various administration views and tasks. To restrict administration authorizations further, you can assign individual UME actions to roles of your own, which you then assign to UME users and groups.
The following table lists the UME actions and their use in BPM.
| UME Action | Description |
|---|---|
| NWA_READONLY_BPM_TMMNT | Display authorization for the Manage Tasks application |
| NWA_SUPERADMIN_BPM_TMMNT | Super administrator authorization for the Manage Tasks application |
| NWA_READONLY_BPM_RRViewer | Display authorization for the Process Repository application |
| NWA_SUPERADMIN_BPM_RRViewer | Super administrator authorization for the Process Repository application |
| SAP_BPM_SuperDisplay | Display authorization for all BPM applications integrated in SAP NetWeaver Administrator |
| SAP_BPM_SuperAdmin | Super administrator authorization for all BPM applications integrated in SAP NetWeaver Administrator |
| SAP_BPM_EXPORT_MODEL | Only used for integration into other SAP applications |
| SAP_BPM_ACTIONS_READALL | Read permission for all BPM actions |
| SAP_BPM_ACTIONS_WRITEALL | Write permission for all BPM actions |
| SAP_BPM_DISPLAY_CONTEXT | Display the input data (process context) of a process instance |
| SAP_BPM_EDIT_CONTEXT | Edit the input data (process context) of a process instance |
| SAP_BPM_TRIGGER_EVENT | Start process |
| SAP_BPM_Debug | Debug BPM processes |
| NWA_SUPERADMIN_BPM_SYSOV | Super administrator authorization for the BPM System Overview |
| NWA_READONLY_BPM_Log | Display authorization for the process server log in the Troubleshooting application |
| NWA_SUPERADMIN_BPM_Log | Super administrator authorization for the process server log in the Troubleshooting application |
| NWA_READONLY_BPM_TRBShoot | Display authorization for the Troubleshooting application |
| NWA_SUPERADMIN_BPM_TRBShoot | Super administrator authorization for the Troubleshooting application |
| NWA_SUPERADMIN_BPM_ProcMgmt | Super administrator authorization for the Manage Processes application |
| NWA_READONLY_BPM_ProcMgmt | Display authorization for the Manage Processes application |
| NWA_SUPERADMIN_BPM_ACTIONS | Super administrator authorization for the BPM Actions application |
| SPML_READ_ACTION | Display users in the search results of the UME Browse dialog box |
| SAP_BPM_CTX_SUPER_ADMIN | Allow changing the permissions for access to files and folders in ECM where attachments are stored |
| SAP_BPM_SQL_BROWSER | Allow working with BPM tables in the SQL Browser in SAP NetWeaver Administrator |
| ARCH_CO_ARCHIVE_bpm_proc | Execute archiving for the archiving set bpm_proc |
| ARCH_CO_ORGANIZE_bpm_proc | Execute additional organizational tasks for the archiving set bpm_proc |
| ARCH_CO_CONFIG_bpm_proc | Modify the properties of the archiving set bpm_proc |
| bpm.solutionmanager | Solution Manager permission for BPM |
| SAP_BPM_Substitution_CreateAll | Create substitution rules |
| SAP_BPM_Substitution_UpdateAll | Update substitution rules |
| SAP_BPM_Substitution_ReadAll | Request information about substitution rules |
| SAP_BPM_Substitution_DeleteAll | Delete substitution rules |
| SAP_BPM_DISPLAY_ATTACHMENTS_NOTES | Display attachments in the Manage Processes application; display notes and attachments in the Manage Tasks application |
| SAP_BPM_VALUE_HELP | Allow embedding value help in the task UI of the BPM process |
| SAP_BPM_ODATA | Access the BPM OData service |
| UnifiedInboxUser | Access tasks and their details within a BPM Inbox |
| SAP_BPM_DISPLAY_PROCESS_FLOW | Access the process visualization application to view the process flow |
| SAP_BPM_RDS_Query | Display the reporting data source details in process visualization |
| SAP_BPM_ENGINE_TEST | Run the BPM Self test and PI Self test |
| SAP_BPM_DELETE_PROCESS | Execute the delete job |
| SAP_BPM_SUPER_ADMIN | Execute the delete job |
| SAP_BPM_JMS_BPMEventTopic_Subscribe | Subscribe to JMS topic BPMEventTopic |
| SAP_BPM_JMS_BPMEventTopic_Publish | Publish to JMS topic BPMEventTopic |
| SAP_BPM_Cluster_Communication | Allow BPM Core Service cluster communication |
| SAP_BPM_RR_Cluster_Communication | Allow BPM Runtime Repository cluster communication |
More information: Standard UME Actions.
Portal Roles
The processors of a task need the following portal roles assigned in order to access their tasks in the BPM inbox or in the Universal Worklist (UWL), which is integrated in the portal.
| Portal Role | Description | Comment |
|---|---|---|
| eu_role | Every User Role; enables the user to see the default portal page, which contains the UWL | Data source: Portal role |
| com.sap.bpem.Enduser | BPEM End User; enables the user to access processes and tasks and their details within a BPM process in portal applications such as the UWL and in the BPM inbox | Data source: Portal role |