SAP NetWeaver Application Server (AS) Java enables you to create user administrators with separate role creation and role assignment capabilities. Not only is this important for compliance reasons, but also to ensure the security of your system. An all-powerful administrator can create and assign roles as he or she pleases, leaving your system exposed to abuse by a single individual. By separating role creation and role assignment, two administrators must cooperate to abuse their powers.
The Function of the Role Administrator and the Role Assigner
The table below lists the user management engine (UME) actions required to configure segregation of duties.
| Technical Name | Description |
|---|---|
| Manage_Role_Assignments_SoD | Use this action to enable a role assigner to assign roles to anyone but himself or herself within his or her company. |
| Manage_Roles_SoD | Use this action to enable a role administrator to create and edit roles. Role administrators cannot add actions to roles of which they are a member. |
Caution
Do not combine either of these actions with the Manage_Users, Manage_Groups, Manage_Roles, or Manage_All_Companies UME actions. For example, with Manage_Users, the administrator can create a user, assign or edit the appropriate roles, and then log on as that user.
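The following added example, which is not SAP code, shows one way to audit for the combinations described above. It assumes you have exported role-to-action and user-to-role mappings into plain dictionaries with roles assigned directly to users; the role names, user names and data layout are constructed for illustration.

```python
# Added example: audit a constructed export for segregation-of-duties conflicts.
SOD_ACTIONS = {"Manage_Role_Assignments_SoD", "Manage_Roles_SoD"}
# Actions the Caution says must not be combined with either SoD action.
CONFLICTING = {"Manage_Users", "Manage_Groups", "Manage_Roles", "Manage_All_Companies"}

# Constructed sample data (hypothetical names, not a real UME export format).
ROLE_ACTIONS = {
    "Z_ROLE_ASSIGNER": {"Manage_Role_Assignments_SoD"},
    "Z_ROLE_ADMIN": {"Manage_Roles_SoD"},
    "Z_USER_ADMIN": {"Manage_Users"},
}
USER_ROLES = {
    "alice": ["Z_ROLE_ASSIGNER"],
    "bob": ["Z_ROLE_ADMIN"],
    "carol": ["Z_ROLE_ASSIGNER", "Z_ROLE_ADMIN"],
    "dave": ["Z_ROLE_ADMIN", "Z_USER_ADMIN"],
}

def effective_actions(user, user_roles, role_actions):
    """Union of the actions granted by every role the user holds."""
    actions = set()
    for role in user_roles.get(user, []):
        actions |= role_actions.get(role, set())
    return actions

def audit_sod(user_roles, role_actions):
    """Return {user: [issues]} for users whose effective actions break the separation."""
    findings = {}
    for user in sorted(user_roles):
        actions = effective_actions(user, user_roles, role_actions)
        held_sod = actions & SOD_ACTIONS
        issues = []
        # One person holding both actions removes the need for two administrators.
        if held_sod == SOD_ACTIONS:
            issues.append("holds both role creation and role assignment")
        # Either SoD action together with a broad management action is flagged.
        clash = actions & CONFLICTING
        if held_sod and clash:
            issues.append("SoD action combined with " + ", ".join(sorted(clash)))
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_sod(USER_ROLES, ROLE_ACTIONS).items():
        print(user, "->", "; ".join(issues))
```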