Assign Roles


There are a number of application cases that can be combined as follows, depending on the start time of the process:

Role Assignment Using ABAP

Ў        Manually in the Central User Administration (CUA) central system with transaction SU01 or automatically using Organizational Management

Ў        In the application system with BAPIs that are called by the CUA or an external identity management system

Advantages and Disadvantages



Automatic role assignment from the CUA side using transaction SU01

Complete preconfiguration in the SAP delivery is not possible: the customer needs to make the assignments of portal roles to UME groups

No modification of the CUA and the composite roles is required

Consistent maintenance of the CUA composite roles and portal role is required (manually, with no tool)

Works both for portals with the ABAP persistence option and for assigning authorizations for an integrated or separately installed SAP NetWeaver Exchange Infrastructure system, or for any other add-in J2EE Engine.

No tool for common assignment of functional roles (portal and ABAP) and organizational roles (derived ABAP roles)

Works for system landscapes in which external identity management systems (Sun, Siemens, CA, IBM, and so on) perform user administration by BAPI call

No direct user-role assignment is possible in the portal

A directory can only be connected through the ABAP-LDAP synchronization for users (background processing, only a few times a day). This means that there is no common password for the SAP system landscape and the directory.

Role Assignment Using the Portal/UME

Ў        With the user interface of the SAP NetWeaver Portal or the UME

Ў        With service calls of an external identity management system

Advantages and Disadvantages



(Semi)automatic role creation of ABAP roles from portal roles, including updates

Manual steps required

Role assignment in the portal (including groups)

Requires you to switch to defining roles in the portal, if you have existing role definitions in the CUA.

Assigning Roles Using ABAP Tools

You already have a CUA with ABAP roles and want to connect a portal to this CUA. You use the ABAP roles for system-specific authorization assignment and, where appropriate, the structuring of the respective local SAP Easy Access menu.

You may also already have CUA composite roles to combine system-specific ABAP roles for functional authorizations. There are usually other derived ABAP roles with data authorizations and responsibilities.


       1.      If not all ABAP users of the CUA are to become portal users, we recommend that you perform the following optional step: create a new client for the portal as a CUA child system.

       2.      For users and groups, connect the portal to the CUA central system or to the new client.

       3.      Create a matching ABAP single role for every portal role These ABAP roles only have to exist. They do not have a menu and contain no authorizations.

In the Portal, the ABAP single roles are displayed as (unchangeable) UME user groups.

       4.      Assign these groups to the corresponding Portal roles (this is usually 1:1 relationships).

       5.      Optional: In the CUA, incorporate the ABAP roles for functional authorizations and the single roles associated with the portal roles into CUA composite roles.

       6.      Take appropriate organizational actions so that derived ABAP roles can be assigned for data authorizations and responsibilities (matching the functional CUA composite roles).

       7.      If you change the portal role (user interface) or the ABAP roles (authorizations) or the CUA composite role (combination of the functional authorizations, you need to adjust the other roles in each case. If you created the ABAP roles with the WP3R process, you can also use it now to make the adjustments.

       8.      If you now assign this CUA composite role to users, they are automatically assigned the appropriate portal roles through ABAP single roles associated with the portal roles.

Assigning Roles Using the Portal or UME

If the description under Assigning Roles Using ABAP Tools does not apply to your system landscape, assign roles using the Portal or UME, especially if one of the following criteria applies:

·        You do not yet have Central User Administration.

·        You want to use an LDAP server.

·        You also want to use the portal for non-SAP systems.

·        You intend to use the portal as the main tool for role administration in the future.


You have created portal roles (see Creating Portal Roles) and distributed them in the ABAP systems.


In the portal, assign the user to a group (to which at least one role is assigned) or directly assign a role to the user (see Assigning Roles to Users and Groups).

Distribute the user-Portal role assignment ( Transferring User Assignments).

The administrators of the CUA central system select corresponding single roles or derived roles and assign these to the users. If there is a 1:1 relationship between portal and ABAP roles for each system (that is, no derived roles exist), this process can run automatically (set the indicator for automatic assignment on the initial screen of WP3R).

The following restrictions apply for the generated user-role assignments:

Ў        The user groups are resolved before the transfer; that is, the generation runs at the level of individual users and not user groups.

Ў        User-role assignments are only generated if the users in the portal have the same names as those in the backed systems.

The user mapping (see User Mapping) is taken into account when doing so. However, the user-role assignments can only be generated if a portal user is not mapped to multiple ABAP users in the various backend systems. Otherwise, it is not possible to determine which user belongs to which ABAP backend system.

       1.      In the CUA central system (or – if you do not use a CUA - in the individual ABAP systems), call transaction WP3R to complete the role assignment.

If you change the role assignments, you need to distribute these again, one or more times per day.