Permissions, Actions, and UME Roles

Definition

Authorizations are enforced in User Management Engine (UME) using permissions, actions, and roles.

Internally in their Java code, applications define Java permissions and use them for access control.

An action is a collection of permissions. Every application defines its own set of actions and specifies the permissions assigned to the actions either in an XML file or (less commonly) dynamically in the code. The actions are listed in the user management administration console, where you can group them together into roles.

UME Roles group together actions from one or more applications. You assign roles to users in the user management administration console. By assigning roles to users, you define the users’ authorizations.

Structure

The following figure illustrates the relationship between permissions, actions, and roles.

[Figure: relationship between permissions, actions, and roles]

The advantages of having both actions and permissions are:

· Application developers can define finely grained permissions, but can hide the complexity by defining only a few actions.

· As the actions are normally defined in an XML file, they can be changed according to your requirements when you install the service.

· Administrators can assign actions to roles in the administration console. Permissions are not visible in the administration console.

Example

The user management administration console is an application running on User Management Engine. The application defines permissions in the code for activities such as changing a user’s profile or modifying roles. In the XML file, an action Manage_Roles is defined that groups together all permissions that a user requires to administer roles. This action includes permissions for viewing, modifying, and deleting roles, and is assigned to a role called Role Administrator, for example.

Any administrator who requires permissions to administer roles is assigned to the Role Administrator role.
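Because permissions are not visible in the administration console, an access review has to expand each role through its actions to see what it really grants. The following added example (not SAP code) does that for the Manage_Roles scenario; the XML layout, the permission names such as role.view, the Helpdesk and Legacy roles, and the user names are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are a simplified, hypothetical
# layout for illustration, not SAP's actual actions file schema.
ACTIONS_XML = """
<actions>
  <action name="Manage_Roles">
    <permission name="role.view"/>
    <permission name="role.modify"/>
    <permission name="role.delete"/>
  </action>
  <action name="View_Roles">
    <permission name="role.view"/>
  </action>
</actions>
"""

# Constructed role -> actions and user -> roles assignments, standing in for
# what an administrator maintains in the administration console.
ROLES = {
    "Role Administrator": ["Manage_Roles"],
    "Helpdesk": ["View_Roles"],
    "Legacy": ["Manage_Everything"],  # refers to an action no application defines
}
USERS = {"alice": ["Role Administrator"], "bob": ["Helpdesk"], "carol": []}

def load_actions(xml_text):
    """Parse the actions file into {action name: set of permission names}."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): {p.get("name") for p in a.findall("permission")}
            for a in root.findall("action")}

def effective_permissions(user, actions):
    """Expand user -> roles -> actions -> permissions; unknown names grant nothing."""
    perms = set()
    for role in USERS.get(user, []):
        for action in ROLES.get(role, []):
            perms |= actions.get(action, set())
    return perms

def roles_granting(permission, actions):
    """Audit view: every role that ends up carrying the given permission."""
    return sorted(role for role, acts in ROLES.items()
                  if any(permission in actions.get(a, set()) for a in acts))

def dangling_actions(actions):
    """Actions that a role references but the actions file does not define."""
    return sorted({a for acts in ROLES.values() for a in acts} - set(actions))
```

Running roles_granting for a sensitive permission gives the list of roles to review, and dangling_actions flags role entries that no longer map to anything an application defines.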

Interfaces

The corresponding UME interfaces are included in the packages:

· com.sap.security.api

· com.sap.security.api.acl

· com.sap.security.api.logon

· com.sap.security.api.ticket

 
