User Management and Authorization Concepts (Dual-Stack)
Use
As SAP PI (dual-stack installation option) is based on both Application Server (AS) ABAP and AS Java, the solutions of the underlying AS for user management, administration, authorizations, and authentication are relevant. These solutions are described in the SAP NetWeaver Security Guide .
User
Different user types are relevant for SAP Process Integration.
More information: User Types
After installation, a set of standard user is available initially for each installation option.
More information: Standard User (Dual-Stack)
Roles
In a dual-stack installation of SAP PI, users and roles are maintained in the user management of AS ABAP.
To make these “ABAP roles” also available for the Java- based tools of SAP PI, they are propagated to user groups of the Java-based User Management Engine (UME). UME is accessible either by SAP NetWeaver Administrator or by calling the page http://<host>:<port> 
User Management
directly.
“ABAP roles” are mapped 1:1 to corresponding UME groups.
UME user groups have the same names as the corresponding “ABAP roles” and also define the same permissions.
On the “Java side” , permissions are defined in the following way: Each UME user group is assigned exactly 1 UME role. A UME role is composed of a set of actions. These actions are the “atomic” sets of permissions assigned to basic applications.
More information:
The concept of user management for a dual-stack installation is shown in the following figure:
Access Control Lists
For specific areas, you can define authorizations based on access control lists (ACLs).
More information: ACL-Based Authorizations
More Information
For information on the Advanced Adapter Engine Extended (AEX), see:
User Management for Advanced Adapter Engine Extended (PI-AEX)
For user management for a non-central Advanced Adapter Engine setup (dual-stack installation), see: User Management for Non-Central AAE (PI-AF)