
Exposing Roles on the Producer for 'Remote Role Assignment' Usage

Applicable to: remote role assignment 

Use

Administrators must configure portal permissions and UME actions on both the producer and consumer portals, to support the design time workflow and runtime activities for remote role assignment on the consumer portal.

Setting these portal permissions and UME actions enables the following:

      User administrators on a consumer portal to search for remote roles and assign users and groups to them.

      Business users on a consumer portal to run content embedded in a remote role.

Note

Additional permissions are required on the consumer to fully support remote role assignment. For more information, see Assigning Administrator Permissions to Producer Objects and Assigning End-User Permission to Producer Objects and Content.

Caution

Once a remote consumer has assigned users to your roles, make sure you adhere to the following instructions to ensure availability of the remote roles:

       Do not change the ID of the role. You can, however, change the role name.

       Do not move the role to a new PCD location.

More information: 'Remote Role Assignment' Mode 

Prerequisites

      The same user base exists on both producer and consumer portals.

      Roles have been created on the producer portal.

      You have owner permission for the objects to which you want to assign permissions.

      You have access to the Permission Editor in the portal.

      You have access to the Identity Management tool on the consumer portal. It is available by default in the standard User Admin or Delegated User Admin roles in the portal.

Note

You can also work with the Identity Management tool as a stand-alone console or in the SAP NetWeaver Administrator, as long as the remote producer portal is running. For more information, see Identity Management.

      You have the IDs of the consumer-side user administrators and business users to which you need to assign the permissions.

In most cases, the user administrator on the producer portal should be able to provide you with this information.

Procedure

Certain portal permissions and UME actions must be assigned on the producer portal before a user administrator on the consumer can perform the remote role assignment. Other permission settings can be assigned either before or after the user administrator on the consumer portal has performed the remote role assignment.

Permissions and UME Actions to Assign on the Producer Portal Before Remote Role Assignment is Performed

       1.      In the Permission Editor on the producer portal, the system or content administrator must assign the following permissions:

Object (on Producer): Role (any role that you are exposing for remote usage)

Target User (on Consumer): User Admin -or- Delegated User Admin

Permission Level: Role assigner: enabled

Description: This permission setting allows the user administrator on the consumer portal to do the following in the Identity Management tool:

      Search for and view the remote role.

      Assign local users on the consumer to the remote role.

This permission is still required if role assignments are being made through the use of an XML script (see Using XML to Automate FPN Tasks).

       2.      In the Identity Management tool on the producer portal, the administrator must assign the following UME actions to a role to which the pcd_service user is assigned. If such a role does not exist, you need to create one and then assign the pcd_service user to it.

Target User [1]: pcd_service [2]

UME Actions: Remote_Producer_Read_Access [3], Remote_Producer_Write_Access [3]

Description: These UME actions enable the following:

      Both UME actions are required so that a user administrator on the consumer can perform remote role assignments.

      The Remote_Producer_Read_Access action is needed for portal business users to use remote role assignment content at runtime.

      (Optional) When a role is deleted on a producer portal, the administrator performing this task must be assigned the Remote_Producer_Write_Access action (through the pcd_service user) so that all remote role assignments to that role on the respective consumer portal are automatically removed. Without this assigned action, the role assignments remain on the consumer after the source has been deleted on the consumer.

[1] Assignment of UME actions can only be done via a role; not to users directly.

[2] The pcd_service user is an internal service user that is automatically generated when the portal starts up. More information: User Management

[3] More information on available UME actions: Standard UME Actions

Permissions to Assign on the Producer Portal Before or After Remote Role Assignment is Performed

Using the Permission Editor, the system or content administrator on the producer portal must assign end user permission to portal components and any back-end systems for the remote business users logging on to the consumer portal.

If the system or content administrator on the producer already knows which business users or groups require the permissions, the permission assignments can be made before the user administrator on the consumer has performed the remote role assignments.  

Object (on Producer): Portal component*

Target User (on Consumer): Business user

Permission Level: End user: enabled

Description: Allows users to execute, at runtime, the iViews, pages, and layouts that are assigned to remotely assigned roles.

Note

In remote role assignment, all portal components are executed on the producer portal.

Object (on Producer): System

Target User (on Consumer): Business user

Permission Level: End user: enabled

Description: If an iView on the producer uses a system object to enable access to a back-end system, the system administrator on the producer must assign end-user permission to the remote business users in these system objects.

* The portal components correspond to the unit iViews, pages, and page layouts used by content that is embedded in the roles you are exposing. Portal components are located in the Security Zones folder in the Portal Catalog.

Note

If you have applied SAP recommendations and guidelines with regard to initial permission settings in the portal, then in most cases there should be no need to modify your existing security zone permissions.

The guidelines are such that most of your content is probably assigned to the Low safety level, to which the Authenticated Users group has end user authorization—all non-anonymous users logging on to the portal are automatically assigned to the Authenticated Users group.
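The permission matrix from the procedure above, written as an audit over a producer's state. This is an added example, not SAP code: the data model, object IDs, user IDs and the `role_assigner` / `end_user` labels are constructed assumptions, since the page shows no export format; only `pcd_service`, the Authenticated Users group and the two UME action names come from the page.

```python
REQUIRED_ACTIONS = {"Remote_Producer_Read_Access", "Remote_Producer_Write_Access"}

def holds(state, obj, principal, level):
    """True if principal has the permission level on obj, directly or via a group."""
    entries = state["acl"].get(obj, {})
    names = {principal} | {g for g, m in state["groups"].items() if principal in m}
    return any(level in entries.get(n, set()) for n in names)

def audit_producer(state, exposed_roles, consumer_admins, business_users):
    """Return findings for the producer; an empty list means the matrix is met."""
    findings = []
    # Step 1: each exposed role needs 'Role assigner' for the consumer user admins.
    for role in exposed_roles:
        for admin in consumer_admins:
            if not holds(state, role, admin, "role_assigner"):
                findings.append(f"{role}: {admin} lacks Role assigner")
    # Step 2: UME actions reach pcd_service only through roles it is assigned to.
    granted = set()
    for ume_role in state["ume_roles"].values():
        if "pcd_service" in ume_role["members"]:
            granted |= ume_role["actions"]
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"pcd_service: missing UME action {action}")
    # Runtime: portal components and system objects need 'End user' per business user.
    for obj in state["components"] + state["systems"]:
        for user in business_users:
            if not holds(state, obj, user, "end_user"):
                findings.append(f"{obj}: {user} lacks End user")
    return findings

# Constructed sample state (hypothetical IDs), with two gaps left in on purpose.
SAMPLE = {
    "groups": {"Authenticated Users": {"jdoe", "uadmin1"}},
    "acl": {
        "role.sales": {"uadmin1": {"role_assigner"}},
        "zone.low/iview.orders": {"Authenticated Users": {"end_user"}},
        "system.erp": {},
    },
    "ume_roles": {"fpn_service": {"members": {"pcd_service"},
                                  "actions": {"Remote_Producer_Read_Access"}}},
    "components": ["zone.low/iview.orders"],
    "systems": ["system.erp"],
}

def demo():
    """Audit the constructed sample for one role, one admin and one business user."""
    return audit_producer(SAMPLE, ["role.sales"], ["uadmin1"], ["jdoe"])
```

In the sample, the iView passes through group membership alone, while the system object and the missing write action are reported.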

 
