In a complex system landscape with an SAP Enterprise Portal and any number of ABAP systems, you must decide how you are going to manage roles and assign them to users. You can choose to have one system as the leading system to maintain your original roles and user assignments. Then you transfer this information to the other systems and make the necessary adjustments. For consistency and to reduce overhead, we recommend that you designate one system as the leading system. Otherwise, you can choose to manage roles and user assignments on each system independently.
The principal tasks in integrated role and user administration are as follows:
Often different teams perform these tasks. You can decide which system is the leading system for each of the tasks above. Use the table below to help you decide which system to use as the leading system.
Administration Options for Integrated Role and User Administration
When to use: You are adding a portal to an ABAP system landscape with an established authorization concept.
You can leverage the ABAP roles in your existing authorization concept to create portal roles.
You must manually upload roles from each ABAP production system to the portal.
When to use: You are adding new ABAP systems to an existing landscape with a portal.
You can leverage existing portal roles to create ABAP roles, including updates.
There is no automatic export of updated portal roles. You must manually redistribute updated portal roles to all affected ABAP systems.
When to use: You want to use SU01 or other ABAP user management tools.
With SU01, you can assign ABAP roles directly and portal roles indirectly.
There is no direct relationship between the portal roles and the ABAP roles with the required authorizations. You must have an existing authorization concept to keep track of what portal role requires which ABAP authorizations.
When to use: Where possible, you want to use the portal to assign roles.
You can assign portal roles directly, but you must still perform some work with ABAP user management.
When you change role assignments in the portal, you must redistribute portal roles to the ABAP systems. (Use portal-centered role administration, described above.)
You can also use an external identity management system to perform role assignment.