Integrated Role and User Administration

Purpose

In a complex system landscape with an SAP NetWeaver Portal and any number of ABAP systems, you must decide how you are going to manage roles and assign them to users. You can choose to have one system as the leading system to maintain your original roles and user assignments. Then you transfer this information to the other systems and make the necessary adjustments. For consistency and to reduce overhead, we recommend that you designate one system as the leading system. Otherwise, you can choose to manage roles and user assignments on each system independently.

The principal tasks in integrated role and user administration are as follows:

      Creation and modification of roles

      Assignment of roles to users

Often different teams perform these tasks. You can decide which system is the leading system for each of the tasks above. Use the table below to help you decide which system to use as the leading system.

Administration Options for Integrated Role and User Administration

Role Administration: ABAP-Centered

      When to use: You are adding a portal to an ABAP system landscape with an established authorization concept.

      You can leverage the ABAP roles in your existing authorization concept to create portal roles.

      You must manually upload roles from each ABAP production system to the portal.

      Using ABAP-Centered Role Administration

Role Administration: Portal-Centered

      When to use: You are adding new ABAP systems to an existing landscape with a portal.

      You can leverage existing portal roles to create ABAP roles, including updates.

      There is no automatic export of updated portal roles. You must manually redistribute updated portal roles to all affected ABAP systems.

      Using Portal-Centered Role Administration

Role Assignment: ABAP-Centered

      When to use: You want to use SU01 or other ABAP user management tools.

      With SU01, you can assign ABAP roles directly and portal roles indirectly.

      There is no direct relationship between the portal roles and the ABAP roles with the required authorizations. You must have an existing authorization concept to keep track of what portal role requires which ABAP authorizations.

      Using ABAP-Centered Role Assignment

Role Assignment: Portal-Centered

      When to use: Where possible, you want to use the portal to assign roles.

      You can assign portal roles directly, but you must still perform some work with ABAP user management.

      When you change role assignments in the portal, you must redistribute portal roles to the ABAP systems. (Use portal-centered role administration described above).

      Using Portal-Centered Role Assignment

You can also use an external identity management system to perform role assignment.
