Show TOC

Background documentationManaging Users, Groups, and Roles Locate this document in the navigation structure


Identity management enables you to create, modify, and delete users, groups, and roles with the user management engine (UME). This enables you to define these principals so you can then group them according to your access management strategy.


To manage users, groups, or roles, you must be assigned a role that includes the relevant actions or combination of actions. For example, to assign roles to users, your role assignments must include UME actions that enable you to change both principals, roles and users, such as Manage_Roles and Manage_Users. The figure below summarizes the UME actions available by default in SAP NetWeaver Application Server (AS).

This graphic is explained in the accompanying text.

UME Actions According to Principal and Role

Along the top of the figure is a list of role archetypes. For example, if you are an overall administrator, under Administrators All is a list of actions appropriate to that role. The rows represent the different permission areas or principals for which the actions are relevant. For example, the top row of blocks lists actions relevant to working with users, from full access to read-access to only your own profile. The last two rows refer to specific functions, such as permission to access the import and export functions, or profile-specific actions. Some actions are subsets of other actions. For example, Manage_My_Profile includes Manage_My_Password.

For more information about these UME actions, see Standard UME Actions.

Standard UME roles include such actions. The UME role Administrator includes Manage_All, which enables you to display and change everything. By default, administrator roles are only assigned to administrators.


Integration With ABAP User Management

If your system is configured to use ABAP user management, PFCG roles from the ABAP system are displayed as groups in Identity Management. You cannot change or delete these groups using the AS Java tools. The only possible action is to assign UME roles to them. You can create new groups, which are then stored in the database of the AS Java and are not created as PFCG roles in the ABAP system.

For more information, see User Management of Application Server ABAP as Data Source.

Principal Locking

Identity management locks principals you are currently editing. Other users, who attempt to edit the user, group, or role you are editing, receive a warning that the principal is being edited by another user. The lock prevents multiple users from editing the same principal and accidentally overwriting each others' work.

Note Note

This lock only applies to identity management (either stand-alone or integrated into the NetWeaver Administrator or SAP NetWeaver Portal). If you use another application or access the principal with back-end tools, such as management tools for a directory service, the lock does not apply.

End of the note.

The lock is session based.

  • If you open another browser window within the same session, for example, in Internet Explorer by typing CTRL + N, the lock does not apply. Both windows can simultaneously edit the same principal.

  • If you open another browser window in a new session, for example, by choosing the browser application from the Windows Start menu, even if you log on to the identity management application as the same user, you cannot simultaneously edit the same principal.


Identity management enables you to search for principles.

  • Search for users, groups, or roles

    Use the asterisk (*) as a wildcard. If you do not enter any text, the search function returns a list of all users, groups, actions, or roles, depending on the principal you chose.

    • Simple search for string in user ID or name

      For more information, see Configuring Simple Search.

    • Advanced search for users using user attributes as search criteria

  • Search recursively for principals assigned to other principals

    Example Example

    You perform a normal search for users assigned to a role, the search finds only the users directly assigned to the role. If you search recursively, the search finds both the users directly assigned to the role and the users that are assigned to groups that are assigned to the role, that is, users that are indirectly assigned to the role.

    End of the example.

Note Note

  • When searching for portal roles, you can only search for the URL path below the portal content directory (PCD). You cannot search for the full path.

  • You can narrow the search by selecting the data source you want to search, if there is more than one data source.

    A federated portal network adds some complexity. For roles only, you can search remote data sources, meaning remote portal systems in your network. If you search All Data Sources this includes the remote portals. For all other principals (users, groups, and actions) the search only includes the data sources relevant to your local portal.

End of the note.

For more information, see Configuring Search Options for the UME.


Use the identity management application to create, edit, and delete users, groups, and roles on the AS Java.

Deleting Users

Recommendation Recommendation

We recommend that you do not delete users, rather lock the user and set the expiration date of the account. Only delete a user after a period of time in accordance with your local auditing regulations.

End of the recommendation.

If you delete a user, you are prompted to write a reason for deleting the user. This text is sent to the user in a notification e-mail, if you enabled e-mail notification.

You cannot delete a portal role. You can only delete the group, user, and user mapping assignments. To delete the role itself you must do that with the portal content tools.