Users, Groups, and Roles 
In a multitenant portal, users can either be global or tenant-specific:
· Global users: Users that do not belong to a specific tenant and are stored in the system database. Examples of such users are Administrator users; these are automatically generated upon installation of the portal.
· Tenant users: Users that belong to a tenant and are stored in an ABAP client used by the tenant. Tenant users should only see content assigned to their tenant. To ensure this, permissions and roles must be assigned appropriately.
The IDs of tenant users have their tenant name as their prefix: <tenant_name>\<user ID>. For example, the user smithj in tenant TenantA has the following ID: TenantA\smithj. All user IDs, including their tenant prefix, must be unique within the same tenant.
A single user or group cannot exist in multiple tenants at the same time; however, different users with the same user ID can run in the same multitenant portal, as long as they each exist in a different tenant. For example, a user with the user ID smithj can exist in both TenantA and TenantB since their unique tenant prefix differentiates them from one another: TenantA\smithj and TenantB\smithj.
As in a standard portal, global and tenant-specific users can be defined as either business end users or administrators:
· Business end users use the portal runtime environment to complete their day-to-day business tasks.
· Administrators use the portal design-time tools to administer and manage the portal. For details about the differences between global and tenant administrators, see Administrator Types in a Multitenant Portal.
In a multitenant portal, groups can either be global or tenant-specific. Global groups can contain only global users and groups, while tenant groups can contain only users or groups from the same tenant as the group.
If a tenant administrator creates a group, the group is automatically assigned to the tenant of that user. If a global administrator creates a group, he or she can choose between creating it as a global group or for a specific tenant. Tenant administrators can only view and modify groups that belong to their own tenant. They have no access to global groups, except for the built-in groups like Everyone and Authenticated Users. Global administrators can view and modify all groups.
Groups created by a tenant administrator obtain the tenant name as a prefix to the unique name: <tenant_name>\<group_name>. Groups in different tenants can have the same group ID; however, within the same tenant all group IDs must be unique.
When a tenant is created in the portal, the UME automatically generates a virtual group for each tenant. For more information about this group, see Initial Folders, Content, and Permissions for Tenants. Administrators can use this group to assign permissions to all users in a tenant.
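The membership rules above can be checked against an export of group memberships. The following is an added example, not SAP code: it parses the <tenant_name>\<ID> form and reports every membership that crosses a tenant boundary. The export layout, the function names, the sample data, and the treatment of IDs without a backslash as global are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    tenant: Optional[str]  # None = global (assumption: global IDs carry no prefix)
    name: str


def parse_principal(unique_id: str) -> Principal:
    """Split '<tenant_name>\\<ID>' at the first backslash."""
    tenant, sep, name = unique_id.partition("\\")
    if not sep:
        return Principal(None, unique_id)
    if not tenant or not name:
        raise ValueError(f"malformed principal ID: {unique_id!r}")
    return Principal(tenant, name)


def audit_memberships(groups: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """Return (group, member, reason) for every membership that crosses a tenant boundary."""
    findings = []
    for group_id, members in groups.items():
        group = parse_principal(group_id)
        for member_id in members:
            member = parse_principal(member_id)
            if group.tenant is None and member.tenant is not None:
                findings.append((group_id, member_id, "tenant principal in global group"))
            elif group.tenant is not None and member.tenant != group.tenant:
                # Covers both other-tenant and global members; prefixes compared exactly.
                findings.append((group_id, member_id, "member not in group's tenant"))
    return findings


# Constructed sample export: group ID -> direct member IDs (users or groups).
SAMPLE_EXPORT = {
    "GlobalOps": ["Administrator", "TenantA\\smithj"],
    "TenantA\\Sales": ["TenantA\\smithj", "TenantB\\smithj", "TenantA\\Managers"],
    "TenantB\\Sales": ["TenantB\\smithj", "Administrator"],
}

if __name__ == "__main__":
    for group_id, member_id, reason in audit_memberships(SAMPLE_EXPORT):
        print(f"{group_id}: {member_id} ({reason})")
```

The sample does not include the built-in groups Everyone and Authenticated Users; an audit of a real export would need to decide how to treat them.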
Like users and groups in a multitenant portal, roles can either be global or tenant-specific. Global administrators can view and modify all roles, while tenant administrators can only view and modify roles that belong to their own tenant.
If a tenant user or tenant administrator creates a role, it is automatically assigned to the tenant of that user. If a global administrator creates a role, he or she can choose between creating it for a specific tenant or as a global role.
There are two types of roles:
· UME roles are stored in the J2EE database. Tenant-specific UME roles obtain the tenant name as a prefix to the unique name: <tenant_name>.<role name>. The tenant name prefix supports mixed-case characters; for example, TenantA.Admin.
· Portal roles are stored in the Portal Content Directory (PCD). Tenant-specific portal roles are stored in the tenant’s namespace in the PCD. The namespace is the tenant name converted to lowercase; for example, tenanta.admin.
For more information on these two types of roles, see UME Roles and Portal Roles.
Roles in different tenants can have the same role ID. The combination of role ID prefix and role ID must be unique, which means that within the same tenant all role IDs must be unique.
When a tenant is created in the portal, the portal automatically generates default roles for the tenant. For more information, see Initial Folders, Content, and Permissions for Tenants.
For information on role assignment, see Role Assignment in a Multitenant Portal.