User management with SAP NetWeaver Administrator

This is a crash course in the User Management Engine (UME) and on how it enables you to easily manage users, groups and roles.

As an administrator, you control who has access to applications by creating users and providing these users with...

a means of authenticating themselves to an application.In SAP NetWeaver Application Server Java, the User Management Engine (UME ) provides you with the functions to manage users, groups, and roles. The UME functionalities are integrated into SAP NetWeaver Administrator, starting with release NetWeaver 2004.This part of the application is dedicated to user administrators. It provides the functions they need to manage users, groups, roles, and user-related data for Java systems in the User Management Engine (UME).Just go to SAP NetWeaver Administrator => System Management => Administration =>Identity Management

General Information


To simplify user administration, users can be collected in groups according to:

  • Users' functions in a company
  • Department they work in
  • And so on



Roles define the users' authorizations. You can assign roles to either single users or groups.

Roles contain a set of ‘Actions'. You can use these actions to create new custom roles. Roles are the powerful part of User Management. Therefore, always search for a role and add users or groups, not the other way round.

SAP provides four different predefined roles for use with SAP NetWeaver Administrator:

Local roles enable the management of the local system where the SAP NetWeaver Administrator runs.
Central roles enable the management of the entire landscape that is available from SLD.

The read-only roles do not allow any changes in the managed system such as start/stop or configuration changes, whereas the other roles allow full control.

If you want to create new Java users in a Java system, you can use the User Management plug-in in SAP NetWeaver Administrator. This is the case for standalone Java systems and double-stack systems (ABAP and Java).

The user management engine (UME) can also use an SAP NetWeaver Application Server (AS) ABAP as its data source for user management data (double-stack-system). This enables you to take advantage of the following:

  • Users of the ABAP system are visible as users in the UME and can log on with their passwords from the ABAP system.
  • User and role assignments in the ABAP system appear as user and group assignments in the UME.
  • You can use the ABAP roles for authorization management in the UME, by adding the groups representing the ABAP roles to the UME roles.


Create a restricted role within Local SAP NetWeaver Administrator

 =>permission to view logs

Local System Administration:

Go to System Management and choose the working center: Administration => Identity Management

Choose "Role" in the search criteria and then choose  . Now fill out the important details.

General Information:
Give the new role a unique name like "LoggingADM". This is a mandatory input field.


Assigned Groups: From the list, choose groups to which the new role should be assigned.

Assigned Users: From the list, choose users to which the new role should be assigned.

Assigned Actions: You can restrict the role here by selecting only the actions required for the new role.

In this case, select "Logs_Display", "Logs_Configure" and "WebAdmin_Local" from the set of available actions.


You need to assign either tc~lm~webadmin~permissions.WebAdmin_Central or
tc~lm~webadmin~permissions.WebAdmin_Local, plus the action which you want this role to allow, for example tc~lm~webadmin~permissions.Logs_Display

After you have created the new Logging ADM Role, you can add this role right away or later on to certain users or groups, if you haven´t already done this. The result is that all added users or groups will have limited local administration access.

Adding users or groups to a role:

Choose local system administration mode:

System Management → Administration → Identity Management and select, for example, your newly-created role to modify it.

Keep in mind, that the role is the powerful part. Therefore, select Role from the drop-down list of search criteria.

You can now modify the new role with regard to users or groups. You open details by clicking the specific role and choosing "Modify" in the details section.

You can now filter for users or groups to which you want to assign permission for certain actions. To complete the user management, choose Add and then Save.

With SAP NetWeaver Administrator, SAP provides you a central entry point to administer your Java system landscape. The interface allows seamless navigation to other SAP NetWeaver administration tools like User Management Engine so you can save time and get space for other things to do!

You can check for further information in:



Heidrun Reichart Heidrun Reichart specializes in SAP NetWeaver system administration topics and works for SAP NetWeaver Product Management.

This content is reposted from the SAP Developer Network.
Copyright 2007, SAP Developer Network


SAP Developer Network (SDN) is an active online community where ABAP, Java, .NET, and other cutting-edge technologies converge to form a resource and collaboration channel for SAP developers, consultants, integrators, and business analysts. SDN hosts a technical library, expert blogs, exclusive downloads and code samples, an extensive eLearning catalog, and active, moderated discussion forums. SDN membership is free.

Want to read more from this author? Click here to read Heidrun Reichart's Weblog. Click here to read more about the Application Server on the SDN.


Next Steps

Get tips for the best way to implement SAP NetWeaver PI

Dig Deeper on SAP integration