Configuring Delegated User Administration Using Companies

Context

Delegated user administration enables you to distribute user administration between several administrators so that each administrator is responsible for a particular set of users. For example, you can designate one user administrator for each business area in your company. Each user administrator can only create, modify, and delete users in the business area that he or she is responsible for.

Procedure


  1. Configure the user management engine (UME) to support companies.

    • If your data source is SAP NetWeaver Application Server (AS) ABAP, the UME automatically reads the user groups of the AS ABAP and implements them as companies in the AS Java.

      To manage ABAP groups on the AS ABAP, use transaction SUGR.

      Note
      • If you change the ABAP groups, you must restart the AS Java to make the changes visible in the UME.

      • If you do not want the UME to implement the ABAP user groups as companies, you must disable this behavior.

        For more information, see Disabling Companies for an ABAP Data Source.

    • If your data source is the database of the AS Java or an LDAP directory, you must set the required UME properties.

      For more information, see Editing UME Properties.

      You must always set the UME property ume.tpd.companies.

      • To configure one company and guest users, set ume.tpd.companies=1.

        This setting allows for self-registration and an approval process. All approved users belong to the same company. Guest users are users who do not belong to the company or are awaiting approval.

      • To configure the companies internal and external, and guest users, set ume.tpd.companies=2. To configure companies with names of your choice and guest users, set ume.tpd.companies=<list of companies>. Separate company names with commas (,).

        These settings allow for self-registration and an approval process. All approved users belong to a company. Guest users are users who do not belong to a company or are awaiting approval. Use this configuration to allow external users, such as suppliers, limited access.

    Example

    You want to manage the employees in your company in sales, marketing, and development separately. Configure the following UME property as shown: ume.tpd.companies=sales, marketing, development

  2. Determine if you want the company groups to appear in the UME display.

    For more information, see Company Group.

    To show company groups, set the following UME properties:

    • ume.company_groups.enabled=TRUE

    • ume.company_groups.guestusercompany.enabled=TRUE

  3. Create one or more delegated user administrators for each company.

    To define a delegated user administrator:

    • Either move an existing administrator to the company or create a new administrator in the company.

      Note

      Delegated user administration on an AS ABAP does not require the delegated user administrator to be a member of the user group for which he or she is responsible. This contrasts with delegated user administration on an AS Java, where the delegated user administrator must be a member of the company for which he or she is responsible. If you want to use delegated user administration on the AS Java, delegated user administrators must be members of the ABAP groups you intend them to administrate.

    • Assign delegated user administrators to delegated user administration roles.

      • If you are setting up delegated user administration in the portal, use the portal role called Delegated User Admin with the ID pcd:portal_content/administrator/user_admin/delegated_user_admin_role.

      • Otherwise assign a role with company-specific UME actions.

      Note

      If the following conditions are true:

      • Your data source is an AS ABAP.

      • Your data source is configured to use an RFC destination for changes.

      To enable a delegated user administrator to manage a company, you must assign the administrators the ABAP authorization object User Master Maintenance: User Groups (S_USER_GRP) for the ABAP user group in question.

  4. Assign users to companies using the following methods:

    • In the role of overall user administrator, create new users in companies and move existing users into companies.

      Note

      You can assign users to ABAP groups on the AS ABAP with transaction SU01. Enter the group on the Logon Data tab in the field User group.

      For more information, see the AS ABAP documentation.

    • Enable users to request membership in a company during self-registration. Delegated user administrators must approve the requests.

    • In the role of overall user administrator, import new users and use the org_id attribute to assign a company.

      Example

      Import the following data for a user:

      [User]
      uid=miguelasantos
      password=s3cur3P@ssword
      email_Address=miguela.santos@example.com
      first_name=Miguela
      last_name=Santos
      org_id=marketing
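
An added example, not part of the SAP documentation: a small Python check that compares the org_id values in a user import file against the company list set in ume.tpd.companies, so that a misspelled or missing company is noticed before the import. It assumes the named-list form of the property, the [User] block layout shown above, and exact-match comparison of company names; the function names and the second and third sample users are constructed for illustration.

```python
# Added example: audit a UME user import file against ume.tpd.companies.
# Assumptions: named-list form of the property, exact-match company names.
COMPANIES_PROPERTY = "sales, marketing, development"  # value from the page's example
# First user is abridged from the page's sample; the others are constructed.
SAMPLE_IMPORT = """\
[User]
uid=miguelasantos
org_id=marketing

[User]
uid=constructed_user1
org_id=Marketting

[User]
uid=constructed_user2
"""

def parse_companies(value):
    """Split the comma-separated property value into a set of company names."""
    return {name.strip() for name in value.split(",") if name.strip()}

def parse_users(text):
    """Return one dict of attributes per [User] block of key=value lines."""
    users, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[User]":
            current = {}
            users.append(current)
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return users

def audit(import_text, companies_value):
    """Return (uid, finding) pairs for users whose company assignment needs review."""
    companies = parse_companies(companies_value)
    findings = []
    for user in parse_users(import_text):
        uid, org = user.get("uid", "<missing uid>"), user.get("org_id")
        if not org:
            findings.append((uid, "no org_id: not assigned to a company"))
        elif org not in companies:
            findings.append((uid, f"org_id '{org}' not in ume.tpd.companies"))
    return findings

if __name__ == "__main__":
    for uid, finding in audit(SAMPLE_IMPORT, COMPANIES_PROPERTY):
        print(f"{uid}: {finding}")
```

Run the check on the import file before handing it to the overall user administrator; an empty result means every user names a configured company.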