Show TOC Start of Content Area

Object documentation Permissions, Actions, and UME Roles  Locate the document in its SAP Library structure


Authorizations are enforced in the user management engine (UME) using permissions, actions, and roles.

Internally in their Java code, applications define UME permissions and use them for access control. UME permissions are an implementation of Java permissions.

An action is a collection of permissions. Every application defines its own set of actions and specifies the permissions assigned to the actions either in an XML file or (more seldom) dynamically in the code. The actions appear in the user management administration console, where you can group them together into roles.

UME Roles group together actions from one or more applications. You assign roles to users in the user management administration console. By assigning roles to users, you define the users’ authorizations.


The following figure illustrates the relationship between permissions, actions, and roles.

This graphic is explained in the accompanying text

The advantage of having both actions and permissions is:

        Application developers can define finely grained permissions, but can hide the complexity by defining only a few actions.

        As the actions are normally defined in an XML file, they can be changed according to your requirements when you install the service.

        Administrators can assign actions to roles in the administration console. Permissions are not visible in the administration console.


The user management administration console is an application running on the UME. The application defines permissions in the code for activities such as changing a user’s profile or modifying roles. In the XML file an action Manage_Roles is defined that groups together all permissions that a user requires to administrate roles. This action includes permissions for viewing, modifying, and deleting roles.

For example, you could create a role called Role Administrator and assign the action Manage_Roles to it. Then you could assign any administrator that requires permissions to administrate roles to the Role Administrator role.


The corresponding UME interfaces are included in the packages:


End of Content Area