Authorizations for Global and Tenant User Administrators
The following table summarizes the types of users, roles, and groups that global and tenant user administrators can administrate if they have the corresponding authorizations.
As a general rule, global administrators can create and modify both global and tenant-specific objects, whereas tenant administrators can only create and modify objects that belong to their tenant.
| | Access Type | Global Administrators | Tenant Administrators | Required Authorization |
|---|---|---|---|---|
| Users | Read | Global users; Tenant users (all tenants); Guest user; Service users | Tenant users (same tenant); Service users | Role containing the UME action UME.Manage_All or UME.Manage_Users. See also: |
| | Write | Global users; Tenant users (all tenants); Guest user; Service users | Tenant users (same tenant) | |
| Groups | Read | Global groups; Tenant groups (all tenants); Built-in groups (Everyone, Authenticated Users, Anonymous Users) | Tenant groups (same tenant) | Role containing the UME action UME.Manage_All or UME.Manage_Groups. See also: |
| | Write | Global groups; Tenant groups (all tenants) | Tenant groups (same tenant) | |
| Roles | Read | Global roles; Tenant roles (all tenants) | Tenant roles (same tenant) | UME Roles: Role containing the UME action UME.Manage_All or UME.Manage_Roles. Portal Roles: To create portal roles: Read-write permission on the folder. To change portal roles: Read-write permission on the role. To assign portal roles: Role assigner permission on the role. See also: UME Roles and Portal Roles |
| | Write | Global roles; Tenant roles (all tenants) | Tenant roles (same tenant) | |

- The standard Delegated User Administration role shipped with the portal contains only the UME action UME.Manage_Users. It does not contain the actions UME.Manage_Groups and UME.Manage_Roles. As a result, by default tenant administrators cannot administrate groups and UME roles.
- If the action UME.Manage_All is assigned to tenant users, they still only have authorizations to manage users, groups, and roles in their own tenant. It does not give tenant users authorizations to manage all users, groups, and roles.
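
The rules in the table and the two notes above, modelled as a small policy check that can be used to review planned role assignments. This is an added example, not SAP code or a UME API: the `Admin` and `Target` classes, the `special` labels and the tenant names are assumptions made for illustration, and portal role permissions are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# UME action required per object type, as listed in the table (UME roles only).
REQUIRED_ACTION = {
    "user": "UME.Manage_Users",
    "group": "UME.Manage_Groups",
    "role": "UME.Manage_Roles",
}

@dataclass(frozen=True)
class Admin:
    actions: frozenset             # UME actions granted through assigned roles
    tenant: Optional[str] = None   # None means global administrator

@dataclass(frozen=True)
class Target:
    kind: str                      # "user", "group" or "role"
    tenant: Optional[str] = None   # None means global object
    special: Optional[str] = None  # "guest", "service" or "builtin" (constructed labels)

def is_allowed(admin: Admin, target: Target, access: str) -> bool:
    """Return True if the table permits `access` ("read" or "write") on the target."""
    # UME.Manage_All stands in for any of the three object-specific actions.
    if not ({"UME.Manage_All", REQUIRED_ACTION[target.kind]} & admin.actions):
        return False
    if target.special == "builtin":   # Everyone, Authenticated Users, Anonymous Users
        return admin.tenant is None and access == "read"
    if admin.tenant is None:          # global administrator: all remaining rows
        return True
    if target.special == "service":   # tenant administrators may only read service users
        return access == "read"
    if target.special == "guest":     # guest user is listed for global administrators only
        return False
    # UME.Manage_All does not widen a tenant administrator's scope: same tenant only.
    return target.tenant is not None and target.tenant == admin.tenant

if __name__ == "__main__":
    # Constructed sample: the default Delegated User Administration role in tenant "T1".
    delegated = Admin(frozenset({"UME.Manage_Users"}), tenant="T1")
    for tgt in (Target("user", "T1"), Target("group", "T1"), Target("user", "T2")):
        print(tgt, is_allowed(delegated, tgt, "write"))
```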