Show TOC

Background documentationSegregation of Duties Locate this document in the navigation structure


SAP NetWeaver Application Server (AS) Java enables you to create user administrators with separate role creation and role assignment capabilities. Not only is this important for compliance reasons, but also to ensure the security of your system. An all-powerful administrator can create and assign roles as he or she pleases, leaving your system exposed to abuse by a single individual. By separating role creation and role assignment, two administrators must cooperate to abuse their powers.

This graphic is explained in the accompanying text.

The Function of the Role Administrator and the Role Assigner

The table below lists the user management engine (UME) actions required to configure segregation of duties.

UME Actions for Segregation of Duties

Technical Name



Use this action to enable a role assigner to assign roles to anyone but him or her self within his or her company.


Use this action to enable a role administrator to create and edit roles. Role administrators cannot add actions to roles of which they are a member.

Caution Caution

Do not combine either of these actions with the Manage_Users, Manage_Groups, Manage_Roles, or Manage_All_Companies UME actions. For example, with Manage_Users, the administrator can create a user, assign or edit the appropriate roles, and then log on as that user.

End of the caution.