The following table lists the UME actions delivered with the user management engine (UME). These actions are defined in the file UMErole.xml.
Note
In the identity management application, you can search for actions by entering either the UME action ID, such as Logon_Help, or the name of the relevant service or application, such as com.sap.security.core.ume.service.
UME Action ID |
Description |
---|---|
AclSuperUser |
(Relevant for SAP NetWeaver Portal only) Provides Owner permissions on all objects in the Portal Content Catalog. You cannot remove this permission in the permission editor. This action is designed for super administrators. Be restrictive with this action, as it provides extensive permissions on portal content. Only assign it to the Super Administration role in the portal. Do not assign it to any other roles. |
Batch_Admin |
Provides permissions to use the import and export functions using identity management. To import users, groups, or roles, or to import user, group, or role assignments, you must also have the permissions to change the relevant principals. To export, you must have read permissions for the relevant principals. |
Logon_Help |
Provides permissions to access the logon help Web Dynpro application. |
Manage_All |
Provides permissions required by an overall user administrator. These include:
|
Manage_All_Companies |
Provides permissions to manage users in all companies. |
Manage_All_User_Passwords |
Provides permissions required by a user to change the password of other users independent of company. This also enables the user to view all user profiles. |
Manage_Groups |
Provides permissions to view, add, modify, and delete groups. To assign users or roles to a group, you must have permission to modify users or roles. |
Manage_My_Password |
Provides nonadministrator users with permissions to change their own personal password in their user profile. The action Manage_My_Profile includes this action. You must also set the Allow Users to Change Their Own Password radio button in the security policy. For more information, see Configuring the Security Policy for User ID and Passwords. |
Manage_My_Profile |
Provides nonadministrator users with permissions to display and change their own personal user profile. |
Manage_Role_Assignments |
(Relevant for SAP NetWeaver Portal only) Provides permissions to assign portal roles, for which you have Role Assigner permissions, to users within your company. With this action, you cannot affect UME roles. You can neither assign roles to groups, nor change the actions assigned to a role. This is a default role for delegated user administration for the portal. |
Manage_Role_Assignments_SoD |
Provides permissions to assign portal roles, for which you have Role Assigner permissions, and all UME roles to users within your company, except yourself. |
Manage_Roles |
(Not relevant for SAP NetWeaver Portal) Provides permissions to view, create, modify, and delete UME roles. To assign users or groups to a role, you must have permission to modify users or groups. Be careful to whom you assign this action. Users with this action can assign themselves the Administrator role, which gives them wide-ranging administrator rights on the AS Java. |
Manage_Roles_SoD |
(Not relevant for SAP NetWeaver Portal) Provides permissions to view, create, and delete UME roles. You can modify UME roles, but you cannot change UME roles assigned to you, neither directly nor indirectly. |
Manage_User_Passwords |
With this action a user can manage the passwords of users belonging to his or her company. The user with this action can view the user profiles of other users in his or her company and even lock and unlock their accounts. Use this action to create a delegated password administrator. |
Manage_Users |
Provides permissions to manage users belonging to the same company as the administrator (such as search, create, modify, delete, lock, unlock, reset password, approve new user requests, and deny new user requests). To assign groups or roles to a user, you must have permission to modify groups or roles. |
Read_All |
Enable a user to read user, group, and role profiles in all companies. It also provides the permissions to refresh the user cache of the AS Java. |
Read_Basic |
For internal use only. |
Read_My_Profile |
Provides nonadministrator users with permission to display their own personal user profile. |
Read_User_Mapping_Credentials |
Only this action in consultation with SAP Support. |
Remote_Producer_Read_Access |
(Relevant for federated portal only) Provides permissions for remote users to read roles available on this producer portal. |
Remote_Producer_Write_Access |
(Relevant for federated portal only) Provides permissions for remote users to assign roles available on this producer portal. Does not include read-access. |
Selfregister_User |
Provides permissions for users to enter data in the self-registration forms. |
Signature_Administration |
Provides permissions for users to manage the content of the corporate signature and the personalized signatures of all users. |
Signature_Enduser_Modify |
Provides permissions for users to create, view, and modify the content of their own personalized signatures. |
Signature_Enduser_Readonly |
Provides permissions for users to view their own personalized signature. |
Signature_Support |
Provides permissions for users to view the content of the corporate signature and the personalized signatures of all users. |
Spml_Read_Action |
With this action a user can conduct searches and read the schema of the SPML interface. |
Spml_Write_Action |
Provides full access to the SPML interface. |
System_Admin |
Provides a system administrator with permission to change the UME configurations in the Web Dynpro user administration application, and the permissions to run the consistency check and repair tool. |
User_Viewer |
Provides permissions for users to view the public profiles of other users belonging to their own company with the user viewer iView. |
User_Viewer_All_Companies |
Provides permissions for user to view the public profiles of all other users with the user viewer iView. |