
portal security

Former Member
0 Kudos

Hello experts,

Can anyone tell me what are the roles and responsibilities of a SECURITY CONSULTANT in PORTAL security?

Thanks and regards,

Alex

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Alex,

In most scenarios, the Security consultant will be limited to assigning portal roles corresponding to backend roles; creating roles and users will be taken care of by the Portal Consultant, though creating users is not a big deal. Do not worry about Portal Security; it all depends on the backend.

Thanks,

R

4 REPLIES

Former Member
0 Kudos

A security consultant for portal should be able to use PFCG to create roles in the backend, and assign them to your users.

As far as the Portal is concerned, a security consultant could be granted the "user administrator" role to assign the users to GROUPS in the portal, once they have created roles. The groups in our Portal were created by an EP dev instead of a security consultant.

Hope this helps.

Former Member
0 Kudos

Authorization to the objects in SAP EP is role based; the role assignments determine what content the portal user can access, such as creating an iView or calling a transaction in SAP.

This role has no effect on the authorizations in the back end system. The authorizations in a portal role simply signify which contents the user can view and use in the portal.

The portal objects, viz. iViews, roles, etc., are protected using content administration. The content administrator uses access control lists (ACLs) to control the access the user may have to portal objects, like read, read/write, etc.

The portal uses the authorizations in the backend system and does not transfer the profiles to the front end.

Former Member
0 Kudos

Subra brings up a good point.

It's also important to define that "portal roles" and "roles" from the backend system are different. The content admin creates the "portal roles" which allow access to iViews, etc. in the EP.

Backend roles are classified as "groups" when administering the EP. The portal roles get assigned to the groups (backend roles) and work in conjunction to allow users to view content and have access to transactions from the backend.

So if this entire scenario is being set up by only one security consultant, they would need to have the security authorizations for the backend to create and assign roles, content admin to create portal roles and do ACL work in the EP, and the user admin to assign the portal roles and UME configuration to users in the EP.

Hope this helps.