Permissions, Actions, and UME Roles

Definition

Authorizations are enforced in User Management Engine (UME) using permissions, actions, and roles.

Internally, in their Java code, applications define Java permissions and use them for access control checks.

An action is a collection of permissions. Every application defines its own set of actions and specifies the permissions assigned to each action, either in an XML file or (less commonly) dynamically in the code. The actions are listed in the user management administration console, where you can group them together into roles.

UME roles group together actions from one or more applications. You assign roles to users in the user management administration console; by assigning roles to users, you define the users' authorizations.

Structure

The following figure illustrates the relationship between permissions, actions, and roles.

The advantage of having both actions and permissions is:

·        Application developers can define finely grained permissions, but can hide the complexity by defining only a few actions.

·        As the actions are normally defined in an XML file, they can be adapted to your requirements when you deploy the application, without changing the application code.

·        Administrators assign actions to roles in the administration console. Permissions are not visible in the administration console, so granting an action grants every permission behind it; the granularity of the actions therefore determines how closely a role can follow least privilege.

Example

The user management administration console is itself an application running on the User Management Engine. The application defines permissions in its code for activities such as changing a user's profile or modifying roles. In its XML file it defines an action Manage_Roles that groups together all permissions a user requires to administrate roles. This action includes the permissions for viewing, modifying, and deleting roles.

For example, you could create a role called Role Administrator and assign the action Manage_Roles to it. You could then assign the Role Administrator role to every administrator who needs to administrate roles.
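The three-layer model described under Structure and in the example above, as an added illustration that is not SAP code and does not use the UME API: an application declares permissions, an XML file groups them into actions, an administrator builds roles from actions only, and the runtime check works on permissions. The XML element and attribute names (actions/action/permission with class, name and value attributes), the permission classes RolePermission and UserPermission, and the user and role names are all constructed for this example; the real UME actions file has its own schema.

```python
"""Toy model of the UME permission -> action -> role layering.

Constructed illustration; the XML below is a simplified stand-in for an
application's actions file, not the schema SAP's UME actually uses.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed actions file: three actions, each listing the permissions it
# grants. Administrators only ever see the action names.
ACTIONS_XML = """<actions>
  <action name="Manage_Roles">
    <permission class="RolePermission" name="role" value="view"/>
    <permission class="RolePermission" name="role" value="modify"/>
    <permission class="RolePermission" name="role" value="delete"/>
  </action>
  <action name="View_Roles">
    <permission class="RolePermission" name="role" value="view"/>
  </action>
  <action name="Manage_Users">
    <permission class="UserPermission" name="user.profile" value="modify"/>
  </action>
</actions>"""


@dataclass(frozen=True)
class Permission:
    """What the application code checks against (class, name, value)."""
    cls: str
    name: str
    value: str

    def implies(self, required: "Permission") -> bool:
        # Exact-match semantics; a real Permission class may implement
        # wildcards or hierarchies in implies().
        return self == required


def parse_actions(xml_text: str) -> dict[str, frozenset[Permission]]:
    """Map action name -> set of permissions, as declared in the XML."""
    root = ET.fromstring(xml_text)
    actions = {}
    for action in root.findall("action"):
        perms = frozenset(
            Permission(p.get("class"), p.get("name"), p.get("value"))
            for p in action.findall("permission")
        )
        actions[action.get("name")] = perms
    return actions


class Authorizer:
    """Roles are built from action names only; permissions stay hidden."""

    def __init__(self, actions: dict[str, frozenset[Permission]]):
        self.actions = actions
        self.roles: dict[str, frozenset[str]] = {}

    def define_role(self, role_name: str, *action_names: str) -> None:
        unknown = [a for a in action_names if a not in self.actions]
        if unknown:
            # Fail closed: a role may only reference declared actions.
            raise KeyError(f"unknown actions: {unknown}")
        self.roles[role_name] = frozenset(action_names)

    def effective_permissions(self, user_roles: set[str]) -> set[Permission]:
        perms: set[Permission] = set()
        for role in user_roles:
            # A role name that was never defined grants nothing.
            for action in self.roles.get(role, frozenset()):
                perms |= self.actions[action]
        return perms

    def has_permission(self, user_roles: set[str], required: Permission) -> bool:
        """The check the application code performs at runtime."""
        return any(p.implies(required) for p in self.effective_permissions(user_roles))


def demo() -> dict[str, bool]:
    authz = Authorizer(parse_actions(ACTIONS_XML))
    authz.define_role("Role Administrator", "Manage_Roles")
    authz.define_role("Role Viewer", "View_Roles")
    admin_roles = {"Role Administrator"}
    viewer_roles = {"Role Viewer"}
    guest_roles: set[str] = set()
    delete_role = Permission("RolePermission", "role", "delete")
    view_role = Permission("RolePermission", "role", "view")
    return {
        "admin_can_delete": authz.has_permission(admin_roles, delete_role),
        "viewer_can_view": authz.has_permission(viewer_roles, view_role),
        "viewer_can_delete": authz.has_permission(viewer_roles, delete_role),
        "guest_can_view": authz.has_permission(guest_roles, view_role),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split shows up in define_role and has_permission: the administrator's vocabulary is action names, the developer's is Permission objects, and the only way a permission reaches a user is through an action that an administrator put in a role. Because View_Roles and Manage_Roles are separate actions, a viewer can be given read access without delete; had the application shipped only Manage_Roles, the administrator would have had no way to grant less.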

Interfaces

The corresponding UME interfaces are included in the packages:

·        com.sap.security.api

·        com.sap.security.api.acl

·        com.sap.security.api.logon

·        com.sap.security.api.ticket