
User Management with SAP NetWeaver Administrator

As an administrator, you control who has access to applications by creating users and providing these users with a means of authenticating themselves to an application. In SAP NetWeaver Application Server Java, the User Management Engine (UME) provides you with the functions to manage users, groups, and roles.

The UME functionalities are integrated into SAP NetWeaver Administrator, starting with release NetWeaver 2004. This part of the application is dedicated to user administrators. It provides the functions they need to manage users, groups, roles, and user-related data for Java systems in the User Management Engine (UME). Just go to SAP NetWeaver Administrator => System Management => Administration => Identity Management.


 General Information


To simplify user administration, users can be collected in groups according to:

  • Users’ functions in a company
  • Department they work in
  • And so on







Roles define the users’ authorizations. You can assign roles to either single users or groups.

Roles contain a set of ‘Actions’. You can use these actions to create new custom roles. Roles are the powerful part of User Management. Therefore, always search for a role and add users or groups, not the other way round.

SAP provides four different predefined roles for use with SAP NetWeaver Administrator:




Local roles enable the management of the local system where the SAP NetWeaver Administrator runs.
Central roles enable the management of the entire landscape that is available from SLD.

The read-only roles do not allow any changes in the managed system such as start/stop or configuration changes, whereas the other roles allow full control.

If you want to create new Java users in a Java system, you can use the User Management plug-in in SAP NetWeaver Administrator. This is the case for standalone Java systems and double-stack systems (ABAP and Java).

The User Management Engine (UME) can also use an SAP NetWeaver Application Server (AS) ABAP as its data source for user management data (double-stack system). This enables you to take advantage of the following:

  • Users of the ABAP system are visible as users in the UME and can log on with their passwords from the ABAP system.
  • User and role assignments in the ABAP system appear as user and group assignments in the UME.
  • You can use the ABAP roles for authorization management in the UME, by adding the groups representing the ABAP roles to the UME roles.


Create a restricted role within Local SAP NetWeaver Administrator

=> permission to view logs

Local System Administration:

Go to System Management and choose the working center: Administration => Identity Management

Choose “Role” in the search criteria and then choose image . Now fill out the important details.

General Information:
Give the new role a unique name like “LoggingADM”. This is a mandatory input field.




Assigned Groups: From the list, choose groups to which the new role should be assigned.

Assigned Users: From the list, choose users to which the new role should be assigned.

Assigned Actions: You can restrict the role here by selecting only the actions required for the new role.

In this case, select “Logs_Display”, “Logs_Configure” and “WebAdmin_Local” from the set of available actions.





You need to assign either tc~lm~webadmin~permissions.WebAdmin_Central or
tc~lm~webadmin~permissions.WebAdmin_Local, plus the action which you want this role to allow, for example tc~lm~webadmin~permissions.Logs_Display
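
The rule above can be checked mechanically once role-to-action assignments are written down. The following is an added example, not part of the original post and not SAP code: it verifies that each role has a WebAdmin entry action plus at least one functional action, optionally compares the role with an intended action list, and looks up which roles contain a given action. The input layout, the short action names expanded by the parser, the function names, and the roles other than LoggingADM are assumptions made for the example.

```python
# Added example: audit role-to-action assignments for NWA-style restricted roles.
PREFIX = "tc~lm~webadmin~permissions."
ENTRY_ACTIONS = {PREFIX + "WebAdmin_Local", PREFIX + "WebAdmin_Central"}

# Constructed sample listing, one "role: action, action" per line.
# This layout is an assumption for the example, not a UME export format.
SAMPLE = """
LoggingADM: WebAdmin_Local, Logs_Display, Logs_Configure
LogViewerBroken: Logs_Display
EmptyShell: WebAdmin_Central
"""


def parse_roles(text):
    """Return {role name: set of fully qualified action names}."""
    roles = {}
    for line in text.strip().splitlines():
        name, _, actions = line.partition(":")
        roles[name.strip()] = {PREFIX + a.strip() for a in actions.split(",") if a.strip()}
    return roles


def audit_role(actions, intended=None):
    """List deviations from the rule; `intended` is an optional allow-list."""
    findings = []
    if not actions & ENTRY_ACTIONS:
        findings.append("missing WebAdmin_Local or WebAdmin_Central")
    functional = actions - ENTRY_ACTIONS
    if not functional:
        findings.append("no functional action assigned")
    if intended is not None:
        for extra in sorted(functional - intended):
            findings.append("beyond intended scope: " + extra[len(PREFIX):])
    return findings


def roles_with_action(roles, action):
    """Reverse lookup: names of all roles that contain `action`."""
    return sorted(name for name, acts in roles.items() if action in acts)


if __name__ == "__main__":
    roles = parse_roles(SAMPLE)
    view_only = {PREFIX + "Logs_Display"}
    for name, acts in roles.items():
        print(name, audit_role(acts, intended=view_only))
    print(roles_with_action(roles, PREFIX + "Logs_Display"))
```

Passing an `intended` set that holds only the display action makes the check report any configure-level action on a role that was meant for viewing.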





After you have created the new “LoggingADM” role, you can add this role right away or later on to certain users or groups, if you haven't already done this. The result is that all added users or groups will have limited local administration access.


Adding users or groups to a role:

Choose local system administration mode:

System Management → Administration → Identity Management and select, for example, your newly-created role to modify it.

Keep in mind that the role is the powerful part. Therefore, select Role from the drop-down list of search criteria.

You can now modify the new role with regard to users or groups. You open details by clicking the specific role and choosing “Modify” in the details section.





You can now filter for users or groups to which you want to assign permission for certain actions. To complete the user management, choose Add and then Save.

With SAP NetWeaver Administrator, SAP provides you a central entry point to administer your Java system landscape. The interface allows seamless navigation to other SAP NetWeaver administration tools like User Management Engine so you can save time and get space for other things to do!

You can check for further information in

=>Administration of Users, Groups and Roles


  1. Sandeep kumar

    I had created a role as you specified,
    but its data source is UME, so how can I get that role into the portal? I searched the entire portal and even the back end, and I could not find it. Can you please tell me how to show that role to the assigned user?

    1. Former Member
      The role that Heidrun created won’t be visible in the portal content directory because it is not a portal role.

      You can create a similar portal role to the one Heidrun built by using the following steps.

      First you make a portal role somewhere in the PCD. It doesn’t need any content.

      Then in the drop down in the Property Editor area section on the right, select Permissions.
      You will see a list of all the actions which can be assigned to this PCD role. A minor problem is that the names are not the same as you see in the user admin tool role editor 🙁 The “real” name for an entry can be seen by expanding the little arrow in front of the permission name…

  2. Former Member
    Some comments…

    I have found calling the tool “Identity Management” strange, when it is unrelated to SAP’s IdM solution!

    There is no easy way I know of to find which roles contain a specific action.

    I don’t think NWA is now recommended for central management of multiple Java systems. That should be done by Solution Manager.

