Authorization Concept of the AS Java
You control the access of users to applications and resources by assigning permissions to user accounts. You assign these authorizations using J2EE standard methods or extended methods provided by SAP.
The SAP NetWeaver Application Server (AS) Java supports the following types of authorizations:
● Roles
Used to assign activities to users either directly or indirectly by using groups.
● Access Control Lists (ACL)
Used to control the use of objects.
The AS Java uses J2EE security roles and user management engine (UME) roles.
The application developer deploys security roles together with the J2EE application in accordance with the J2EE specification. The deployment descriptors for the role are included in the WAR file for Web modules or the JAR file for EJB modules. For more information, see Architecture of Security Roles. Use the visual administrator to manage security roles.
To concentrate security roles, you can assign security roles to J2EE server roles.
You can assign a security role to only one server role. You can assign multiple security roles to a single server role.
UME roles consist of actions, which are in turn collections of permissions used for Web Dynpro applications. UME actions are deployed with your applications and defined in the file actions.xml. For more information, see Permissions, Actions, and UME Roles. Use the identity management tool to manage UME roles.
ACLs limit access to individual objects. The portal is one application that uses ACLs to control access to objects on the AS Java. One example of this is the portal content directory (PCD). The UME also provides APIs for maintaining ACLs on the AS Java.
For more information, see Access Control List (ACL).
The AS Java supports the following authorization checks:
● Activity-related access control with security roles for applications (J2EE standard)
The developer defines these roles in the deployment descriptors for his or her application. The administrator maps the users to the corresponding roles.
● Instance-related access control with roles (UME roles)
Using these roles, you specify which activities a user can execute on the AS Java. You can also specify which instances a user can access.
● Instance-related access control with access control lists
Access control lists are suitable for protecting a very large number of objects (that is, instances). In this case, you define an access control matrix that contains a subject (role), a predicate (type of access), and the object (instance to be protected). Only users that are mapped to at least one of these roles can access this resource. There are two ways to use the access control lists:
○ J2EE server roles
The developer or administrator defines the role using the corresponding API. The administrator uses the Security Roles tab page in the Visual Administrator to map users to the role. The administrator also manages the authorizations for accessing resources by assigning roles in the corresponding access control lists (in Resource Management).
○ UME access control lists
You can only manage these ACLs in the application context.
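The access control matrix described above (subject, predicate, object) can be sketched as follows. This is an added example, not SAP code: the class AclMatrixDemo, its methods, and all role, user, and object names are hypothetical and do not correspond to the UME or J2EE server APIs.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical illustration of an ACL matrix; not an SAP or J2EE API.
public class AclMatrixDemo {
    // object (instance) -> predicate (type of access) -> subjects (roles)
    private final Map<String, Map<String, Set<String>>> matrix = new HashMap<>();
    // user -> roles, as mapped by the administrator
    private final Map<String, Set<String>> userRoles = new HashMap<>();

    // Add one matrix entry: role may perform access on object.
    void grant(String role, String access, String object) {
        matrix.computeIfAbsent(object, o -> new HashMap<>())
              .computeIfAbsent(access, a -> new HashSet<>())
              .add(role);
    }

    void mapUser(String user, String role) {
        userRoles.computeIfAbsent(user, u -> new HashSet<>()).add(role);
    }

    // Deny by default: access is granted only if the user is mapped to at
    // least one role listed for this type of access on this object.
    boolean isAllowed(String user, String access, String object) {
        Set<String> allowedRoles = matrix
            .getOrDefault(object, Collections.emptyMap())
            .getOrDefault(access, Collections.emptySet());
        Set<String> held = userRoles.getOrDefault(user, Collections.emptySet());
        return !Collections.disjoint(held, allowedRoles);
    }

    public static void main(String[] args) {
        AclMatrixDemo acl = new AclMatrixDemo();
        // Constructed sample data
        acl.grant("content_admin", "write", "doc-42");
        acl.grant("content_admin", "read", "doc-42");
        acl.grant("employee", "read", "doc-42");
        acl.mapUser("alice", "content_admin");
        acl.mapUser("bob", "employee");

        System.out.println("alice write doc-42: " + acl.isAllowed("alice", "write", "doc-42"));
        System.out.println("bob read doc-42:    " + acl.isAllowed("bob", "read", "doc-42"));
        System.out.println("bob write doc-42:   " + acl.isAllowed("bob", "write", "doc-42"));
        // An object with no ACL entry and a user with no roles are both denied.
        System.out.println("alice read doc-99:  " + acl.isAllowed("alice", "read", "doc-99"));
        System.out.println("carol read doc-42:  " + acl.isAllowed("carol", "read", "doc-42"));
    }
}
```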