Standard UME Actions in Portal

Standard UME Actions

The following table lists the UME actions delivered with the user management engine (UME). These actions are defined in the file UMErole.xml.

 Note:

In the identity management application, you can search for actions by entering either the UME action ID, such as Logon_Help, or the name of the relevant service or application, such as com.sap.security.core.ume.service.

UME actions available by default in the SAP NetWeaver Application Server (AS) :

Actions of the User Management Engine

UME Action ID	Description
AclSuperUser	(Relevant for SAP NetWeaver Portal only) Provides Owner permissions on all objects in the Portal Content Catalog. You cannot remove this permission in the permission editor. This action is designed for super administrators. Be restrictive with this action, as it provides extensive permissions on portal content. Only assign it to the Super Administration role in the portal. Do not assign it to any other roles.
Batch_Admin	Provides permissions to use the import and export functions using identity management. To import users, groups, or roles, or to import user, group, or role assignments, you must also have the permissions to change the relevant principals. To export, you must have read permissions for the relevant principals.
Logon_Help	Provides permissions to access the logon help Web Dynpro application.
Manage_All	Provides permissions required by an overall user administrator. These include: Administration of users belonging to any company and the possibility of assigning users to companies Group management Role management User mapping Import and export of user data UME configuration Consistency check and repair tools Refresh the user cache Full access to the Service Provisioning Markup Language (SPML) interface To set up delegated user administration, overall user administrators must belong to a role to which the Manage_All action is assigned. In portal installations, any role that includes the Manage_All action automatically has Role Assigner permissions on all portal roles in the portal installation.
Manage_All_Companies	Provides permissions to manage users in all companies.
Manage_All_User_Passwords	Provides permissions required by a user to change the password of other users independent of company. This also enables the user to view all user profiles.
Manage_Groups	Provides permissions to view, add, modify, and delete groups. To assign users or roles to a group, you must have permission to modify users or roles.
Manage_My_Password	Provides non administrator users with permissions to change their own personal password in their user profile. The action Manage_My_Profile includes this action. You must also set the Allow Users to Change Their Own Password radio button in the security policy. For more information, see Configuring the Security Policy for User ID and Passwords.
Manage_My_Profile	Provides nonadministrator users with permissions to display and change their own personal user profile.
Manage_Role_Assignments	(Relevant for SAP NetWeaver Portal only) Provides permissions to assign portal roles, for which you have Role Assigner permissions, to users within your company. With this action, you can neither assign roles to groups, nor change the actions assigned to a role. This is a default role for delegated user administration for the portal.
Manage_Roles	(Not relevant for SAP NetWeaver Portal) Provides permissions to view, add, modify, and delete UME roles. To assign users or groups to a role, you must have permission to modify users or groups. Be careful to whom you assign this action. Users with this action can assign themselves the Administrator role, which gives them wide-ranging administrator rights on the AS Java.
Manage_User_Passwords	With this action a user can manage the passwords of users belonging to his or her company. The user with this action can view the user profiles of other users in his or her company and even lock and unlock their accounts. Use this action to create a delegated password administrator.
Manage_Users	Provides permissions to manage users belonging to the same company as the administrator (such as search, create, modify, delete, lock, unlock, reset password, approve new user requests, and deny new user requests). To assign groups or roles to a user, you must have permission to modify groups or roles.
Read_All	Enable a user to read user, group, and role profiles in all companies. It also provides the permissions to refresh the user cache of the AS Java.
Read_Basic	For internal use only.
Read_My_Profile	Provides nonadministrator users with permission to display their own personal user profile.
Remote_Producer_Read_Access	(Relevant for federated portal only) Provides permissions for remote users to read roles available on this producer portal.
Remote_Producer_Write_Access	(Relevant for federated portal only) Provides permissions for remote users to assign roles available on this producer portal. Does not include read-access.
Selfregister_User	Provides permissions for users to enter data in the self-registration forms.
Spml_Read_Action	With this action a user can conduct searches and read the schema of the SPML interface.
Spml_Write_Action	Provides full access to the SPML interface.
System_Admin	Provides a system administrator with permission to change the UME configurations in the Web Dynpro user administration application, and the permissions to run the consistency check and repair tool.
User_Viewer	Provides permissions for users to view the public profiles of other users belonging to their own company with the user viewer iView.
User_Viewer_All_Companies	Provides permissions for user to view the public profiles of all other users with the user viewer iView. Source: sap.help.com