Exposing Roles on the Producer for 'Remote Role Assignment' Usage

Use

Content usage mode: remote role assignment

Applies to: producers

To support the design time workflow and runtime activities for remote role assignment on the consumer portal, portal administrators must assign portal permissions and UME actions on both the producer and consumer portals.

This topic describes the portal permissions and UME actions that must be set on the producer portal to allow:

  • User administrators on a consumer portal to search for remote roles and assign local users and groups to them.

  • Business users on a consumer portal to run content embedded in a remote role.

Note

Additional permissions are required on the consumer to fully support remote role assignment. For more information, see:

If the consumer system is running a different SAP NetWeaver release than that of your producer system, then ignore these references and refer to the FPN documentation for that specific release on SAP Help Portal at help.sap.com.

Caution

After an administrator from a consumer portal has assigned users to remote roles on the producer, make sure you adhere to the following instructions to ensure continuous availability of remote roles:

  • Do not change the ID of the role on the producer portal. You can change the names of roles.

  • Do not move the role on the producer portal to a new PCD location.

Prerequisites
  • The same user base exists on both producer and consumer portals.

  • Roles have been created on the producer portal.

  • You are assigned Owner permission in the objects to which you want to assign additional permissions.

  • You have access to the Permissions editor in the portal.

  • You have access to the Identity Management tool on the consumer portal. It is available by default in the standard User Admin or Delegated User Admin roles in the portal.

    Note

    You can also work with the Identity Management tool as a standalone console or in SAP NetWeaver Administrator, as long as the remote producer portal is running.

  • You have the IDs of the consumer-side user administrators and business users to which you need to assign the permissions.

    In most cases, the user administrator on the producer portal should be able to provide you with this information.

Procedure

Certain portal permissions and UME actions must be assigned on the producer portal before a user administrator on the consumer can perform a remote role assignment, while other permission settings must be assigned either before or after a remote role assignment has been performed by the user administrator of the consumer portal.

Assigning Permissions and UME Actions on the Producer Portal: Before Remote Role Assignment is Performed

  1. In the Permissions editor on the producer portal, the system or content administrator must assign the following permissions:

    Object (on Producer): Role (any role that you are exposing for remote usage)

    Target User on Consumer (Assignee): User Admin -or- Delegated User Admin

    Permission Level: Role assigner: enabled

    Description: This permission setting allows the user administrator on the consumer portal to do the following in the Identity Management tool:

    • Search for and view the remote role.

    • Assign local users on the consumer to the remote role.

  2. In the Identity Management tool on the producer portal, the user administrator must assign the following UME actions to any role to which the pcd_service user is already assigned. If such a role does not exist, you need to create one and then assign the pcd_service user to it.

    Note

    UME actions can only be assigned to roles; not directly to users or groups.

    Target User (Assignee): pcd_service (1)

    UME Actions: Remote_Producer_Read_Access (2), Remote_Producer_Write_Access (2)

    Description: These UME actions enable the following:

    • The Remote_Producer_Read_Access action is needed for portal business users to use remote role assignment content at runtime.

    • (Optional) When a role is deleted on a producer portal, the administrator performing this task must be assigned the Remote_Producer_Write_Access action (through the pcd_service user) so that all remote role assignments to that role on the respective consumer portal are automatically removed. Without this assigned action, the role assignments remain on the consumer after the source has been deleted on the consumer.

    • Both UME actions are required so that a user administrator on the consumer can perform remote role assignments.

    (1) The pcd_service user is an internal service user that is automatically generated when the portal starts up. For more information, see User Management.

    (2) For more information about UME actions, see Standard UME Actions.

Assigning Permissions and UME Actions on the Producer Portal: Either Before or After Remote Role Assignment is Performed

Using the Permissions editor, the system or content administrator of the producer portal must enable and assign end user permission to portal components and any back-end systems for remote business users logging on to the consumer portal.

If the system or content administrator on the producer already knows which business users or groups require the permissions, the permission assignments can be made before the user administrator on the consumer has performed the remote role assignments.

Object (on Producer): Portal component (1)

Target User on Consumer (Assignee): Business user

Permission Level: End user: enabled

Description: Allows users to execute at runtime the iViews, pages, and layouts that are assigned to remotely assigned roles.

Note

In remote role assignment usage mode, all portal components are executed at runtime on the producer portal.

Object (on Producer): System

Target User on Consumer (Assignee): Business user

Permission Level: End user: enabled

Description: If an iView on the producer uses a system object to enable access to a back-end system, the system administrator on the producer must assign end user permission to the remote business users in these system objects.

(1) The portal components correspond to the unit iViews, pages, and page layouts used by content that is embedded in the roles you are exposing. Portal components are located in the Security Zones folder in the Portal Catalog.

Note

If you have applied the SAP recommendations and guidelines with regard to initial permission settings in the portal, then in most cases there should be no need to modify your existing security zone permissions.

The guidelines are such that most of your content is probably assigned to the Low safety level, to which the Authenticated Users group has end user authorization. This means that all non-anonymous users logging on to the portal are automatically assigned to the Authenticated Users group.