Unassigning Users from Remote Roles

Use

Content usage mode: remote role assignment

Applies to: consumers

Note

The functionality described in this topic does not apply to an SAP NetWeaver Composition Environment system without usage type EP Core - Application Portal (EPC).

This topic describes how a user administrator on an SAP NetWeaver consumer portal can unassign local users or groups that are already assigned to remote roles.

Note
  • If a user administrator on the producer portal deletes a local role that contains remote user and group assignments, then the role assignments are also automatically removed from the respective users and groups on the relevant remote consumer portals.

  • User administrators should avoid removing remote user/group assignments directly from local roles on a producer portal. Removal of remote role assignments should be performed using the Identity Management tool on the consumer portal only.

Prerequisites
  • You have created an FPN connection that pairs your system (the consumer portal) with a remote system (the producer portal).

  • The consumer portal is registered with the producer portal.

  • The same user base exists on both producer and consumer portals.

  • The user administrator on the consumer portal has been assigned role assigner permission to the remote role by the system administrator or content administrator on the producer portal. For more information, see Exposing Roles on the Producer for 'Remote Role Assignment' Usage.

  • You have access to the Identity Management tool on the consumer portal. It is available by default in the standard User Admin or Delegated User Admin roles in the portal.

    Note

    You can also work with the Identity Management tool as a standalone console or in the SAP NetWeaver Administrator, as long as the remote producer portal is running. For more information, see Identity Management.

  • You have been assigned at least administrator read permission to the FPN connection that represents the remote producer portal where the remote roles are located. For more information, see Assigning Administrator Permissions to FPN Connections.

  • You have established trust between the producer (as the ticket-issuer system) and the consumer (as the ticket-accepting system). This is only required if you want role assignments to be automatically removed from users and groups on the consumer portal when a user administrator on the producer portal deletes a local role that contains remote user and group assignments. For more information, see Setting Up Trust Using the SSO Wizard.

Procedure

To remove remote role assignments, you use the Identity Management tool. Using the tool, you can do either of the following:

  • First select a remote role and then remove the local users or groups that are assigned to the role. See Removing Assigned Users/Groups by Role below.

  • First select a local user or group and then remove a remote role that is assigned to the user or group. See Removing Assigned Roles by User/Group below.

Removing Assigned Users/Groups by Role

  1. On the consumer portal, navigate to User Administration → Identity Management.

  2. In the Search pane, do the following to locate the remote role to which you want to assign any local users or groups.

    1. In the first Search Criteria dropdown list, select Role.

    2. In the next dropdown list, select the data source:

      • To search on all remote producers that your portal is registered with, select Remote Data Sources.

      • To search on a specific producer that your portal is registered with, select it. Note that each producer portal is listed by its producer alias.

    3. In the empty field, enter the name of the remote role. You can use wildcard characters in your search string.

    4. Choose Go.

      The results of the search are displayed on the screen.

  3. From the result list, select the role to display its details.

  4. In the Details of Role pane, choose Modify.

  5. In the Assigned Users or Assigned Groups tab, remove the relevant local users and groups that are assigned to the remote role.

  6. Save your changes.

Removing Assigned Roles by User/Group

  1. On the consumer portal, navigate to User Administration → Identity Management.

  2. In the Search pane, do the following to locate the local user or group from which you want to remove an assigned remote role.

    1. In the first Search Criteria dropdown list, select User or Group.

    2. If you selected Group, then in the next dropdown list, select the data source. Note that the All Data Sources option for groups refers only to local data sources.

    3. In the empty field, enter the name or ID of the local user or role. You can use wildcard characters in your search string.

    4. Choose Go.

      The results of the search are displayed on the screen.

  3. From the result list, select the user or group to display its details.

  4. In the Details of User or Details of Group pane, choose Modify.

  5. Choose the Assigned Roles tab.

  6. In the Assigned Roles pane, select the assigned remote role that you want to remove from the local user or group.

  7. Choose Remove.

  8. Save your changes.