Show TOC

Standard UME ActionsLocate this document in the navigation structure

Use

The following table lists the UME actions delivered with the user management engine (UME). These actions are defined in the file UMErole.xml.

Note

In the identity management application, you can search for actions by entering either the UME action ID, such as Logon_ Help , or the name of the relevant service or application, such as com. sap. security. core. ume. service .

UME Action ID

Description

AclSuperUser

(Relevant for SAP Enterprise Portal only)

Provides Owner permissions on all objects in the Portal Content Catalog. You cannot remove this permission in the permission editor. This action is designed for super administrators.

Be restrictive with this action, as it provides extensive permissions on portal content. Only assign it to the Super Administration role in the portal. Do not assign it to any other roles.

Batch_ Admin

Provides permissions to use the import and export functions using identity management.

To import users, groups, or roles, or to import user, group, or role assignments, you must also have the permissions to change the relevant principals. To export, you must have read permissions for the relevant principals.

Logon_ Help

Provides permissions to access the logon help Web Dynpro application.

Manage_ All

Provides permissions required by an overall user administrator. These include:

  • Administration of users belonging to any company and the possibility of assigning users to companies

  • Group management

  • Role management

  • User mapping

  • Import and export of user data

  • UME configuration

  • Consistency check and repair tools

  • Refresh the user cache

  • Full access to the Service Provisioning Markup Language (SPML) interface

    To set up delegated user administration, overall user administrators must belong to a role to which the Manage_ All action is assigned.

    In portal installations, any role that includes the Manage_ All action automatically has Role Assigner permissions on all portal roles in the portal installation.

Manage_ All_ Companies

Provides permissions to manage users in all companies.

Manage_ All_ User_ Passwords

Provides permissions required by a user to change the password of other users independent of company. This also enables the user to view all user profiles.

Manage_ Groups

Provides permissions to view, add, modify, and delete groups. To assign users or roles to a group, you must have permission to modify users or roles.

Manage_ My_ Password

Provides nonadministrator users with permissions to change their own personal password in their user profile. The action Manage_ My_ Profile includes this action. You must also set the Allow Users to Change Their Own Password radio button in the security policy.

For more information, see Configuring the Security Policy for User ID and Passwords .

Manage_ My_ Profile

Provides nonadministrator users with permissions to display and change their own personal user profile.

Manage_ Role_ Assignments

(Relevant for SAP Enterprise Portal only)

Provides permissions to assign portal roles, for which you have Role Assigner permissions, to users within your company. With this action, you cannot affect UME roles. You can neither assign roles to groups, nor change the actions assigned to a role.

This is a default role for delegated user administration for the portal.

Manage_ Role_ Assignments_ SoD

Provides permissions to assign portal roles, for which you have Role Assigner permissions, and all UME roles to users within your company, except yourself .

Manage_ Roles

(Not relevant for SAP Enterprise Portal)

Provides permissions to view, create, modify, and delete UME roles. To assign users or groups to a role, you must have permission to modify users or groups.

Be careful to whom you assign this action. Users with this action can assign themselves the Administrator role, which gives them wide-ranging administrator rights on the AS Java.

Manage_ Roles_ SoD

(Not relevant for SAP Enterprise Portal)

Provides permissions to view, create, and delete UME roles. You can modify UME roles, but you cannot change UME roles assigned to you, neither directly nor indirectly.

Manage_ User_ Passwords

With this action a user can manage the passwords of users belonging to his or her company. The user with this action can view the user profiles of other users in his or her company and even lock and unlock their accounts. Use this action to create a delegated password administrator.

Manage_ Users

Provides permissions to manage users belonging to the same company as the administrator (such as search, create, modify, delete, lock, unlock, reset password, approve new user requests, and deny new user requests). To assign groups or roles to a user, you must have permission to modify groups or roles.

Read_ All

Enable a user to read user, group, and role profiles in all companies. It also provides the permissions to refresh the user cache of the AS Java.

Read_ Basic

For internal use only.

Read_ My_ Profile

Provides nonadministrator users with permission to display their own personal user profile.

Read_ User_ Mapping_ Credentials

Only this action in consultation with SAP Support.

Remote_ Producer_ Read_ Access

(Relevant for federated portal only)

Provides permissions for remote users to read roles available on this producer portal.

Remote_ Producer_ Write_ Access

(Relevant for federated portal only)

Provides permissions for remote users to assign roles available on this producer portal. Does not include read-access.

Selfregister_ User

Provides permissions for users to enter data in the self-registration forms.

Signature_ Administration

Provides permissions for users to manage the content of the corporate signature and the personalized signatures of all users.

Signature_ Enduser_ Modify

Provides permissions for users to create, view, and modify the content of their own personalized signatures.

Signature_ Enduser_ Readonly

Provides permissions for users to view their own personalized signature.

Signature_ Support

Provides permissions for users to view the content of the corporate signature and the personalized signatures of all users.

Spml_ Read_ Action

With this action a user can conduct searches and read the schema of the SPML interface.

Spml_ Write_ Action

Provides full access to the SPML interface.

System_ Admin

Provides a system administrator with permission to change the UME configurations in the Web Dynpro user administration application, and the permissions to run the consistency check and repair tool.

User_ Viewer

Provides permissions for users to view the public profiles of other users belonging to their own company with the user viewer iView.

User_ Viewer_ All_ Companies

Provides permissions for user to view the public profiles of all other users with the user viewer iView.