Authorizations and Roles 
Authorizations and roles define which objects users can access and which actions they can perform. There are several relevant authorizations and roles in SAP NetWeaver Business Process Management (BPM):
Process roles
A process role defines a set of rights and obligations for a number of principals. In BPM we need process roles for several purposes: processing tasks, processing activities, and administering business processes.
Process roles exist in all BPM components: the process composer, the process server, and the process desk.
Caution
Every user who processes a task in the process can see the whole process context.
More information: Process Roles
UME roles and actions
The user management engine (UME) provides centralized user management for all Java applications and can be configured to work with user management data from multiple data sources. It is integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administered using the administration tools of the AS Java. The actions are listed in the user management administration console, where you can group them together into roles. Permissions for BPM tools and objects are available as UME actions that can be displayed in the user management administration console.
For an overview of the BPM-relevant roles and actions, see the sections below.
Portal roles
As a component of SAP NetWeaver Business Process Management, the universal worklist (UWL) is based on the portal platform. UWL provides a set of predefined portal roles that enable access to various functions of the framework – for example, administration.
More information: Portal Roles, UME Roles and Portal Roles
For steps that are not driven by a user through a UI, the process server uses the service user SAP_BPM_Service. This user is preconfigured. If steps that the system executes automatically need special roles or actions, check the roles and actions assigned to this user in user management. If necessary, configure this user as described in Configuring BPM Users.
The following table lists the predefined administration roles used in BPM and their access to administration tasks and views.
| Administration UME Role | Authorization | Comment |
|---|---|---|
| SAP_BPM_Navigation | Display all process and task administration views in the SAP NetWeaver Administrator; edit processes and tasks for which the user is assigned as administrator | Data source: UME database |
| SAP_BPM_SuperDisplay | Display all process and task administration views in the SAP NetWeaver Administrator; read-only permission for all views | Data source: UME database |
| SAP_BPM_SuperAdmin | Display all process and task administration views in the SAP NetWeaver Administrator; edit processes and tasks in the process and task management tool; start processes; troubleshoot and debug processes and tasks | Data source: UME database |
| NWA_SUPERADMIN | Display and edit all views in the SAP NetWeaver Administrator (including start a process) | SAP NetWeaver Administrator specific |
| NWA_READONLY | Display all views in the SAP NetWeaver Administrator (including the process and task specific views, for example the view to start a process) | SAP NetWeaver Administrator specific |
UME actions are assigned to every predefined UME role for BPM administration. The UME actions allow detailed refinement of access to various administration views and tasks. To further restrict authorizations for administration, you can assign UME actions to various roles, which you can then assign to UME users and groups.
The following table lists the UME actions and their use in BPM.
| UME Action | Description |
|---|---|
| NWA_READONLY_BPM_TMMNT | Display authorization for the Manage Tasks application |
| NWA_SUPERADMIN_BPM_TMMNT | Super administrator authorization for the Manage Tasks application |
| NWA_READONLY_BPM_RRViewer | Display authorization for the Process Repository application |
| NWA_SUPERADMIN_BPM_RRViewer | Super administrator authorization for the Process Repository application |
| SAP_BPM_SuperDisplay | Display authorization for all BPM applications integrated in SAP NetWeaver Administrator |
| SAP_BPM_SuperAdmin | Super administrator authorization for all BPM applications integrated in SAP NetWeaver Administrator |
| NWA_READONLY_BPM_Log | Display authorization for the process server log in the Troubleshooting application |
| NWA_SUPERADMIN_BPM_Log | Super administrator authorization for the process server log in the Troubleshooting application |
| NWA_READONLY_BPM_TRBShoot | Display authorization for the Troubleshooting application |
| NWA_SUPERADMIN_BPM_TRBShoot | Super administrator authorization for the Troubleshooting application |
More information: Standard UME Actions
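A least-privilege review built on the role and action tables above, as an added example that is not SAP code: it resolves group assignments, takes the highest level each user ends up with, and lists super administrators who are not on an approved list. The CSV layout, the user and group names, and the `approved` parameter are assumptions; UME does not produce this format.

```python
import csv
import io

# Level granted by each predefined role / UME action named in the tables above:
# 2 = super administrator, 1 = edit only where assigned as administrator, 0 = display.
LEVEL = {
    "SAP_BPM_SuperAdmin": 2, "NWA_SUPERADMIN": 2,
    "NWA_SUPERADMIN_BPM_TMMNT": 2, "NWA_SUPERADMIN_BPM_RRViewer": 2,
    "NWA_SUPERADMIN_BPM_Log": 2, "NWA_SUPERADMIN_BPM_TRBShoot": 2,
    "SAP_BPM_Navigation": 1,
    "SAP_BPM_SuperDisplay": 0, "NWA_READONLY": 0,
    "NWA_READONLY_BPM_TMMNT": 0, "NWA_READONLY_BPM_RRViewer": 0,
    "NWA_READONLY_BPM_Log": 0, "NWA_READONLY_BPM_TRBShoot": 0,
}
LABEL = {2: "superadmin", 1: "edit-own", 0: "display"}

# Constructed sample export (hypothetical format): principal, kind, grant or group.
SAMPLE = """\
principal,kind,value
bpm_admins,grant,SAP_BPM_SuperAdmin
auditors,grant,SAP_BPM_SuperDisplay
alice,member,bpm_admins
bob,member,auditors
bob,grant,NWA_SUPERADMIN_BPM_TRBShoot
carol,grant,SAP_BPM_Navigation
SAP_BPM_Service,grant,NWA_SUPERADMIN
dave,grant,BPEM End User
"""

def effective_levels(export_text):
    """Return {user: (level label, grants that give it)}, group grants resolved."""
    grants, groups_of = {}, {}
    for row in csv.DictReader(io.StringIO(export_text)):
        table = grants if row["kind"] == "grant" else groups_of
        table.setdefault(row["principal"], set()).add(row["value"])
    group_names = set().union(*groups_of.values())
    report = {}
    for user in (set(grants) | set(groups_of)) - group_names:
        held = set(grants.get(user, ()))
        for group in groups_of.get(user, ()):
            held |= grants.get(group, set())
        admin = {g for g in held if g in LEVEL}  # portal roles are ignored here
        if admin:
            top = max(LEVEL[g] for g in admin)
            report[user] = (LABEL[top], sorted(g for g in admin if LEVEL[g] == top))
    return report

def unapproved_superadmins(export_text, approved):
    # A display-only group grant does not cap a direct super administrator grant.
    levels = effective_levels(export_text)
    return sorted(u for u, (lvl, _) in levels.items()
                  if lvl == "superadmin" and u not in approved)
```

In the sample, `bob` is in a display-only group but still ends up a super administrator for Troubleshooting through a direct action, and the service user SAP_BPM_Service is flagged because it holds NWA_SUPERADMIN.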
The processors of a task need the following portal roles assigned to access the tasks in the universal worklist (UWL), which is integrated in the portal.
| Portal Role | Description | Comment |
|---|---|---|
| Standard User Role | Enables the user to see the default portal page, which contains the UWL | Data source: portal role |
| BPEM End User | Enables the user to access processes and tasks and their details within a BPM process in portal applications such as the UWL | Data source: portal role |