Show TOC

Authorization Concept of the AS JavaLocate this document in the navigation structure


You control the access of users to applications and resources by assigning permissions to user accounts. You assign these authorizations using Java EE standard methods or extended methods provided by SAP.

The SAP NetWeaver Application Server (AS) Java supports the following types of authorizations:

  • Roles

    Use roles to assign activities to users either directly or indirectly by using groups.

  • Access Control Lists (ACL)

    Use ACLs to control the use of objects.


Authorization in the Java environment of the AS Java is dependent on UME roles. You manage UME roles with identity management in the AS Java. The administrator builds UME roles out of actions. These actions can be (JEE) security roles or UME actions.

Security Roles

The application developer deploys security roles together with the JEE application in accordance with the JEE specification.

More information: Architecture of Security Roles .

The administrator builds UME roles with security roles, which appear as actions in the identity management user interface. The security roles appear as one of the following types:

  • J2EE

    This action links roles of the same module together at the application level.



    The administrator should use actions of type J2EE , when constructing UME roles.

UME Actions

UME actions are collections of permissions used for Web Dynpro applications. UME actions are deployed with your applications and defined in the file actions.xml.

More information: Permissions, Actions, and UME Roles .


The user management engine (UME) provides APIs for reading, writing, and authorization checks of ACLs. ACLs limit access to individual objects. The portal is one application that uses ACLs to control access to objects on the AS Java. One example of this is the portal content directory (PCD).

More information:

Authorization Checks

The AS Java supports the following authorization checks:

  • Activity-related access control with security roles for applications (JEE standard)

    The developer defines these roles in the deployment descriptors for his or her application. The administrator maps the users to the corresponding roles.

  • Instance-related access control with roles (UME roles)

    Using these roles, you specify which activities a user can execute on the AS Java. You can also specify which instances a user can access.

  • Instance-related access control with access control lists

    Access control lists are suitable for protecting a large number of objects (that is, instances). In this case, you define an access control matrix that contains a subject (role), a predicate (type of access), and the object (instance to be protected). Only users that are mapped to at least one of these roles can access this resource.

    For UME ACLs, you can only manage these ACLs in the application context.