Configuring BPM Users 
To enable users to access tasks in the universal worklist (UWL) and to execute tasks within a BPM process, you need to assign them BPM portal roles. To enable administrators to view, monitor, and manage processes and tasks and to start and debug processes, you need to assign BPM and other administration UME roles to users and user groups. UME actions are assigned to every predefined UME role.
For steps which are not driven by a user through a UI, the process server uses the service user SAP_BPM_Service. This user is already pre-configured. If any special roles or actions are needed for steps which are executed automatically by the system then check in the user management the assigned roles and actions. If necessary, configure this user as described below.
For administration of users, groups, and roles, use the identity management for user administration on the SAP NetWeaver Application Server (AS) Java. Identity management is a Web Dynpro application for managing users on the AS Java. It is integrated in the SAP NetWeaver Administrator and in the System Administration role of the SAP NetWeaver Portal.
More information: Identity Management,User Management of the Application Server
Prerequisites
Identity management requires that you have at least read access to the principals users, groups, or roles.
More information: Managing Users, Groups, and Roles
Procedure
You can start the identity management from the SAP NetWeaver Administrator and from the System Administration role of the SAP NetWeaver Portal. It is also possible to start this tool as a stand-alone console. In the following description we start the identity management from the SAP NetWeaver Administrator. For the other possibilities, see Starting Identity Management.
Further we assume that the users and user groups are already created. We just need to assign the necessary roles for BPM.
For information about all roles you need to assign when developing a composite application, see the Guidelines for Developing Composite Applications, section Prerequisites.
Open SAP NetWeaver Administrator in a browser using the path http://<host>:<HTTPport>/nwa, and log on with administrator rights.
Choose
Operation Management 
Identity Management 
.Select the search criteria User or Group depending on who you want to assign roles to.
Enter the user or group name or a part of the name of the user or group to whom you want to assign the BPM roles and choose Go.
Select the user or group entry from the table and choose Assigned Roles tab page.
Choose Modify.
Assign the necessary roles to the selected user or group.
Portal Roles for BPM Business Users
In the Available Roles area, select the search criteria Portal Roles. You need to assign the following portal roles to enable users to access tasks in the UWL.
BPEM End User
Enables the user to see and access processes and tasks within a BPM process in portal applications as the UWL
Standard User Role
Enables the user to see the default portal page, which contains the UWL
Administrator UME Roles Used for BPM Administration
In the Available Roles area, select the search criteria All Data Sources. You need to assign the following UME roles to enable users to access BPM administration views and manage and monitor processes and tasks.
SAP_BPM_Navigation
Enables the display of all process and tasks administration views in the SAP NetWeaver Administrator and to edit the processes and tasks for which the user or group is assigned as administrator.
SAP_BPM_SuperDisplay
Enables the display of all process and tasks administration views in the SAP NetWeaver Administrator.
SAP_BPM_SuperAdmin
Enables the display of all process and tasks administration views and edit processes and tasks in the process and task management tools integrated in the SAP NetWeaver Administrator. Enables also to start, troubleshoot and debug processes.
NWA_SUPERADMIN
Enables the display and editing of all views in the SAP NetWeaver Administrator (including starting processes).
NWA_READONLY
Enables the display of all views in the SAP NetWeaver Administrator (including the Process Repository).
UME actions are assigned to every predefined UME role for BPM administration. For more information about the UME actions assigned to the roles, see Authorizations and Roles.
To additionally restrict authorizations for administration, you can assign UME actions to various roles, which you can assign to UME users and groups.