Applications and components deployed on SAP NetWeaver Application Server for Java can use the following approaches to authorization checking:
Applications deploy authorizations in Java EE security roles or user management engine (UME) actions depending on the decision of the developer. The JEE security roles and UME actions can be bundled by the developer or the administrator into UME roles. The administrator then assigns these roles to the users.
ACLs limit access to individual objects. The AS Java does not provide a user interface to manage ACLs, but it does provide APIs for reading, writing, and authorization checks of ACLs.