Show TOC

Segregation of DutiesLocate this document in the navigation structure


SAP NetWeaver Application Server (AS) Java enables you to create user administrators with separate role creation and role assignment capabilities. Not only is this important for compliance reasons, but also to ensure the security of your system. An all-powerful administrator can create and assign roles as he or she pleases, leaving your system exposed to abuse by a single individual. By separating role creation and role assignment, two administrators must cooperate to abuse their powers.

The following figure illustrates the role administrator and the role assigner. The role administrator creates the roles. The role assigner assigns the roles to the rest of the users.

Figure 1: The Function of the Role Administrator and the Role Assigner

The table below lists the user management engine (UME) actions required to configure segregation of duties.

Technical Name


Manage_ Role_ Assignments_ SoD

Use this action to enable a role assigner to assign roles to anyone but him or her self within his or her company.

Manage_ Roles_ SoD

Use this action to enable a role administrator to create and edit roles. Role administrators cannot add actions to roles of which they are a member.


Do not combine either of these actions with the Manage_ Users, Manage_ Groups, Manage_ Roles, or Manage_ All_ Companies UME actions. For example, with Manage_ Users, the administrator can create a user, assign or edit the appropriate roles, and then log on as that user.