Skip to Content
Author's profile photo Marty McCormick

Creating a Read Only User Admin Role

I’ve decided start blogging on SDN about common requests I get from SAP customers.  Although the information is available online, it is often not step by step and could take some digging.  Although short, hopefully you find this short “how-to’s” useful.

In this blog, we’ll cover how to create a read only version of the User Administration role.  For example, this could be useful to assign to help desk personnel who should be able to check role assignments but not modify any information.

This can be accomplished by customizing UME actions that reside on the J2EE Engine.  UME actions are very useful and allow you to customize your roles to your specific needs instead of just assigning the standard user_admin role.

To read more about the UME Actions, you can find information here: 

To start, we will copy the user admin role by navigating to it under Content Administration.  Portal Content–>Portal Administrators–>User Administrators.  Right click on User Admin role and select the Copy option.


Next, we are going to paste this role into our own customer Portal Content Directory (PCD) folder by navigating the PCD to the folder and selecting Paste as Delta Link.


After confirming the Paste Dialog box, the next step would be to change the pcd id and rename the role to something more meaningful, like User Admin Read Only.



In addition, we are going to remove the Import and Activity Reports functionality from our new role since we only want to give users ability to view user information.






Now we are ready to adjust our UME Action and remove the ability for role assignees to modify users and set it to Read Only.

UME Actions are modified through the Identity Management utility.  Browse to User Administration tab and pull up the role in Edit mode.


Navigate to the Assigned Actions tab.  You’ll notice, that by default, the role has the Manage_All action, which allows Admins to modfiy users.


We are going to remove the Manage_All action and assign the Read_All action as shown below:


After saving the role, you can assign it to your target user population.  When they log into the portal, they will get a User Administration Read Only tab and the Modify button will be disabled!



As shown in this simple blog, UME Actions are a powerful tool that can be used to create a variety of customized roles for your NetWeaver J2EE implementation.

Assigned tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      Hi Marty
      Is there any real advantage in making the read only admin role a delta link to the SAP supplied role? What exactly is being delta linked? If someone accidentally deletes the original role, will the copied one still work? The same question also applies with new content being added to the original role?

      (maybe I need to read the new book to find out all about this!)

      Author's profile photo Marty McCormick
      Marty McCormick
      Blog Post Author
      Hi Michael-

      Thanks for your reply.  You raise a good question and I guess out of habit I used delta link copy as there are typically many advantages to this (such as any changes to the role in places where you haven't modified).  In addition, iView properties would be inherited. 

      However, in this case I really dont think there is an advantage or disadvantage since any changes to the underlying Web Dynpro would still be reflected if the "copy" method.