Show TOC

Procedure documentationCreating Roles in SAP NetWeaver Locate this document in the navigation structure

 

A role is a set or group of privileges that can be granted to users or other roles. Roles are part of the Security section in the navigation bar.

The following standard roles are provided with SAP CPS:

  • scheduler-administrator - can perform all actions, except manage isolation groups

  • scheduler-event-operator - can raise events

  • scheduler-job-administrator - can create/edit/delete event definitions, job definitions, job chains and modify jobs

  • scheduler-user - has access to SAP CPS only, cannot see any objects

  • scheduler-viewer - read only access to all objects

  • scheduler-isolation-administrator - can create/edit/delete isolation groups and add users to these

  • scheduler-screen-reader - indicates that you are using a screen reader

These are the standard roles, it is not possible to create roles directly in SAP CPS, or edit the standard roles. You create a role with the corresponding name in the UME, assign it the redwood.com/Scheduler.AccessScheduler action and grant it to SAP CPS users. Once you grant these roles to users in the UME, the users will get the corresponding SAP CPS roles granted and have the privileges granted to these roles as soon as they log on or the isolation administrator adds them to an isoation group.

The UME also allows you to grant SAP CPS privileges directly to roles via the following actions:

  • redwood.com/Scheduler.AccessScheduler - read-only access, all roles that you want to use in SAP CPS must have this action assigned.

  • redwood.com/Scheduler.ManageScheduler - scheduler Administrator (same as scheduler-administrator role)

  • redwood.com/Scheduler.ManageSchedulerIsolation - isolation group administrator (same as scheduler-isolation-administrator role); you are not allowed to grant the redwood.com/Scheduler.ManageScheduler action to the same role.

SAP strongly recommends you start by creating the above roles in the UME and assign them the redwood.com/Scheduler.AccessScheduler action. Once that is done, you grant these roles to users. If the roles do not exactly suit your needs, create custom roles (with names that do not match the above roles) in the UME and assign them the same action; these roles will be editable in SAP CPS and allow you to extend privileges of users.

Granting Privileges

You can grant privileges to custom roles. Custom roles are recognizable by the name (it is not allowed to be one of the above) as well as the description and comment fields, which contain Created automatically on first login.

Some privileges are not dependent on a partition or isolation group, these are known as global Privileges.

You grant specific privileges to roles for each object type; available privileges are dependent on the object. These privileges are known as system privileges and are granted via the role object. There are two levels at which you can grant system privileges, Access and Admin. Privileges granted with the Admin level allow the grantee to grant the privileges to other users.

You can also grant privileges for specific objects on object-level to users or roles, these are known as object privileges and are granted via the Security tab on the object.

The following topics in the Security Guide and Administration Guide provide more information on privileges and how you grant them:

Prerequisites

  • The URL to the NetWeaver UME. Usually http://<host>:<port>/useradmin

  • An account with sufficient privileges to create a role and add members to the role.

  • The username and password of a user you add to the role.

  • A Scheduler Manager user account for SAP CPS

Procedure

Creating a role to map to a SAP CPS role

  1. Connect to the UME in SAP NetWeaver where SAP CPS was installed.

  2. Choose Role in the drop-down box for Search Criteria.

  3. Choose Create Role and enter a name of one of the SAP CPS roles into the Unique Name field.

  4. Choose the Assigned Actions tab.

  5. Search for scheduler and choose the action name redwood.com/Scheduler.AccessScheduler, choose Add and Save.

  6. Log out of the UME.

Creating a custom role to manage isolation groups in the UME

  1. Connect to the UME in SAP NetWeaver where SAP CPS was installed.

  2. Choose Role in the drop-down box for Search Criteria.

  3. Choose Create Role and enter a role name in the Unique Name field, SAP recommends to prefix the role name with scheduler as it will be easier to distinguish the role fro other roles in the UME .

  4. Choose the Assigned Actions tab.

  5. Search for scheduler and choose the action names AccessScheduler and ManageSchedulerIsolation.

  6. Choose Add and Save.

  7. Log out of the UME.

Editing a custom role in SAP CPS

  1. Navigate to   Security → Roles  .

  2. Choose Edit from the context menu of an editable role.Editable roles have a description: Created automatically on first login.

  3. On the Assign Privileges tab, choose an Object definition and then Next.

  4. Choose the desired range of the privileges.

  5. Choose a Rank with the desired privileges. Admin privileges allow the user to perform the action and to grant the privilege to others as well. Access privileges allow the user to perform the actions.

Assigning a user to a role

  1. Connect to the UME in SAP NetWeaver where SAP CPS was installed.

  2. Fill in the Search Criteria field and locate the user.

  3. Choose the user, and choose the Assigned Roles tab.

  4. Search for one of the roles previously created, and choose Add.

  5. Choose Add and Save.

  6. Log out of the UME.

Values

Assign Privileges

  • Object Definition - The role name.

  • Grantable - If this option is selected, the user can grant this role to any other user.

Assigned Global Privileges

  • Granted Subject - The privilege name.

  • Grantable - If this option is selected, the user can grant this privilege to any other user.

Example

  • The URL to the NetWeaver UME http://sapnwprd.masalan.com:50200/useradmin

  • The account with sufficient privileges to create a role and add members to the role is Administrator

  • The username and password of the user to add to the role is masalan and process1 respectively, created previously.

  • The Scheduler Manager user account is ProcAdmin.

Creating a role that maps to the scheduler-event-operator SAP CPS role

  1. Connect to http://sapnwprd.masalan.com:50200/useradmin using the Administrator login

  2. Choose Role in the drop-down box for Search Criteria.

  3. Choose Create Role and enter scheduler-event-operator into the Unique Name field.

  4. Choose the Assigned Actions tab.

  5. Search for scheduler and choose the action name AccessScheduler, choose Add and Save.

  6. Log out of the UME.