IDM SAP User maintenance
Short Description
IDM SAP User maintenance...
Description
SAP NetWeaver 2004s SPS 4 Security Guide
User Administration and Authentication Document Version 1.00 – October 24, 2005
SAP AG Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20 www.sap.com
© Copyright 2005 SAP AG. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address: service.sap.com/securityguide
Typographic Conventions
Example Text (quoted from the screen): Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also cross-references to other documentation.
Example text (emphasized): Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT (technical names): Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text (screen output): Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text (exact user entry): Words or characters that you enter in the system exactly as they appear in the documentation.
Example text in angle brackets (variable user entry): Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT (keys): Keys on the keyboard, for example, F2 or ENTER.
Icons
The icons used in this guide mark the following information classes: Caution, Example, Note, Recommendation, Syntax.
Additional icons are used in SAP Library documentation to help you identify different types of information at a glance. For more information, see Help on Help → General Information Classes and Information Classes for Business Information Warehouse on the first page of any version of SAP Library.
User Administration and Authentication
Contents
User Administration and Authentication [Page 5]
1 User Management [Page 5]
2 Integration of User Management in Your System Landscape [Page 6]
2.1 Selecting the System Landscape [Page 7]
2.1.1 System Landscape with LDAP Directory [Page 9]
  LDAP Directory with J2EE Engine(s) [Page 9]
  LDAP Directory with ABAP System(s) [Page 10]
2.1.2 System Landscape with CUA [Page 13]
  CUA System Landscape with J2EE Engine(s) [Page 13]
2.2 Installing a J2EE Engine [Page 15]
2.2.1 J2EE Engine with DB Data Source [Page 15]
2.2.2 J2EE Engine with LDAP Data Source [Page 16]
2.2.3 J2EE Engine with ABAP Data Source [Page 17]
2.3 Defining Role Administration [Page 19]
2.3.1 Creating Portal Roles [Page 19]
2.3.2 Assign Roles [Page 21]
3 User Authentication and Single Sign-On [Page 24]
October 2005
User Administration and Authentication
For an overview of how the SAP NetWeaver platform supports an integrated approach for user administration and authentication, see the following sections:
• User Management [Page 5]: an overview of the tools available for user management within the SAP NetWeaver platform.
• Integration of User Management in Your System Landscape [Page 6]: our recommendations on integrating the various user management tools in your system landscape.
• User Authentication and Single Sign-On [Page 24]: an overview of the user authentication and Single Sign-On mechanisms available with the SAP NetWeaver products.
1 User Management
User Management Tools
SAP NetWeaver provides user management tools for both application platforms, Java and ABAP. See the table below.
User Management Tools (tool, followed by its description)
User Management for the ABAP Engine (transaction SU01)
  Use the user management transaction SU01 to maintain users in ABAP-based systems.
Profile Generator (transaction PFCG)
  Use the profile generator to create roles and assign authorizations to users in ABAP-based systems.
Central User Administration (CUA)
  Use the CUA to centrally maintain users for multiple ABAP-based systems. Synchronization with a directory server is also supported.
User Management Engine (UME) administration console
  Use the Web-based UME administration console to maintain users, roles and authorizations in Java-based systems that use the UME for the user store, for example, the SAP J2EE Engine and the Enterprise Portal. The UME also supports various persistency options, such as the ABAP Engine or a directory server.
SAP J2EE Engine user management using the Visual Administrator
  Use the Visual Administrator to maintain users and roles on the SAP J2EE Engine. The SAP J2EE Engine also supports a pluggable user store concept. The UME is the default user store.
User Types
It is often necessary to specify different security policies for different types of users. For example, your policy may specify that individual users who perform tasks interactively have to change their passwords on a regular basis, but not the users under which background processing jobs run. Therefore, we classify different user types in the different products. The primary classification distinguishes individual users from technical users; the exact classification depends on the tool used. For user types on the ABAP Engine, see the topic User Types [SAP Library] for ABAP. On the J2EE Engine, the user types are classified according to the group assignment and security policies. See the topic User Types [SAP Library] for the J2EE Engine.
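The classification above decides which password rules apply to an account, and a common failure is a job or interface account created as a dialog user, which is then subject to the interactive expiry rules (jobs stop when the password expires) and can also be used for an interactive logon. The following Python script is an added example, not code from the SAP guide: it audits ABAP user master records against such a per-type policy. The user type codes A, B, C, S and L are those of the ABAP user master record; the 90-day limit, the runs_batch_jobs flag (taken from a job inventory) and the sample records are assumptions made for this illustration.

```python
"""Audit ABAP user master records against a per-user-type password policy.

Added example, not SAP code. The records are constructed in the shape an
export of the user master data would give; the 90-day limit, the
runs_batch_jobs flag and the sample users are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# User type codes of the ABAP user master record (field USTYP).
DIALOG, SYSTEM, COMMUNICATION, SERVICE, REFERENCE = "A", "B", "C", "S", "L"
TECHNICAL_TYPES = {SYSTEM, COMMUNICATION}   # no interactive logon; used by jobs and interfaces

# Assumed policy: only interactive (dialog) users rotate passwords.
MAX_DIALOG_PASSWORD_AGE_DAYS = 90
AUDIT_DATE = date(2005, 10, 24)


@dataclass(frozen=True)
class AbapUser:
    name: str
    ustyp: str              # user type code, see constants above
    pwd_changed: date       # date of the last password change
    runs_batch_jobs: bool   # assumption: taken from the background job and RFC inventory


def classify(user: AbapUser) -> str:
    """The guide's primary classification: individual or technical user."""
    if user.ustyp in TECHNICAL_TYPES:
        return "technical"
    if user.ustyp == REFERENCE:
        return "reference"   # cannot log on; only lends authorizations to other users
    return "individual"      # dialog users and shared service accounts log on interactively


def audit(users, today: date):
    """Return (user name, finding) pairs for records that violate the policy."""
    findings = []
    for u in users:
        age_days = (today - u.pwd_changed).days
        if u.ustyp == DIALOG and age_days > MAX_DIALOG_PASSWORD_AGE_DAYS:
            findings.append((u.name, "dialog user with password older than the policy maximum"))
        if u.runs_batch_jobs and u.ustyp not in TECHNICAL_TYPES:
            # Jobs stop when the interactive rules expire the password, and the
            # account can also be used for an interactive logon.
            findings.append((u.name, "background job user is not a technical user type"))
        if u.ustyp in TECHNICAL_TYPES and not u.runs_batch_jobs:
            findings.append((u.name, "technical user type without a known job or interface use"))
    return findings


# Constructed sample export.
SAMPLE_USERS = [
    AbapUser("JSMITH", DIALOG, date(2005, 9, 1), False),
    AbapUser("MMUELLER", DIALOG, date(2005, 3, 15), False),
    AbapUser("BATCH_HR", DIALOG, date(2004, 11, 2), True),
    AbapUser("ALEREMOTE", COMMUNICATION, date(2004, 11, 2), True),
    AbapUser("OLD_RFC", SYSTEM, date(2003, 1, 10), False),
]


def sample_findings():
    """Run the audit over the constructed export as of AUDIT_DATE."""
    return audit(SAMPLE_USERS, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

The third check (technical user type with no known consumer) is the least obvious one: an orphaned system or communication user is never forced to rotate its password and is rarely looked at, so it is the kind of account that should be locked or deleted rather than left in place.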
Standard Users
See the individual security guides for each of the SAP NetWeaver products you use, as well as for the operating system and database platforms, for a list of the standard users delivered and the corresponding security recommendations.
Additional Information
For more information about user management within SAP NetWeaver, see:
• Identity Management [SAP Library]
• Security guides for the individual products used
2 Integration of User Management in Your System Landscape
In a system landscape containing a combination of ABAP and Java components, it makes sense to integrate your user management so that you can use the same user data across different systems and administer this data centrally. SAP NetWeaver provides both ABAP-based and Java-based user management solutions. Which user management solution you should use to administer your user data depends on factors such as the types of systems that are running in your landscape. This section outlines some options for integrating user management across a system landscape and provides recommendations for when to use which option. For an introduction to the available user management tools, see SAP NetWeaver Security Guide → User Administration and Authentication → User Management [Page 5].
See Also
See also the following sections of SAP Library:
• SAP NetWeaver → Security → Identity Management → Users and Roles (BC-SEC-USR) → Central User Administration [SAP Library]
• SAP NetWeaver → Security → Identity Management → Directory Services (BC-SEC-DIR) [SAP Library] → Synchronization of SAP User Administration with an LDAP-Compatible Directory Service [SAP Library]
• SAP NetWeaver → People Integration → Portal → Administration Guide → Content Administration → Roles and Worksets → Portal Roles and ABAP-based SAP-Systems → Role and User Distribution to the SAP System [SAP Library]
2.1 Selecting the System Landscape
Before you define a user administration, you need to decide on a system landscape. Among other things, this depends on how you want to administer your users. Another important consideration with regard to your (future) system landscape is which systems you are already using. The graphic below shows a complete view of technically meaningful system combinations: an LDAP directory integrates external non-SAP systems, any number of J2EE Engines, and ABAP systems with connected J2EE Engines.
[Figure: complete system landscape. The LDAP directory serves the non-SAP systems and the J2EE Engines that use the LDAP data source, and is synchronized with the ABAP central system (LDAP synchronization for user data); the central system distributes the user data to the ABAP child systems by ALE; a J2EE Engine connected to a child system uses the ABAP data source.]
The following table shows the combinations of the components that are important for the system landscape. Part-system landscapes in accordance with your requirements result from this, for which you can obtain more detailed information using the links.
System Landscapes with Specific Components
With CUA, with directory: LDAP Directory with ABAP System(s) [Page 10]
With CUA, without directory: CUA System Landscape with J2EE Engine(s) [Page 13]
Without CUA, with directory: LDAP Directory with ABAP System(s) [Page 10]; J2EE Engine with LDAP Data Source [Page 16]
Without CUA, without directory: J2EE Engine with DB Data Source [Page 15]; J2EE Engine with ABAP Data Source [Page 17]
For user administration, you must above all define whether you want to store the user data in an ABAP system or an LDAP directory. In the case of a mixed system landscape, which also contains non-SAP systems, we recommend that you use an LDAP directory. A typical usage case for an LDAP directory is, for example, SAP Enterprise Portal.
The figure below clarifies the decision process for a part-system landscape.
[Figure: decision flowchart with the questions "Is there an LDAP directory?", "Access to non-SAP systems using EP?", "Is there a CUA?" and "Is there an ABAP system?", leading to "Set up an LDAP directory", "Set up a dedicated CUA child system", "LDAP directory with ABAP system(s)", "CUA system landscape with J2EE Engine(s)" or "J2EE Engine with LDAP data source". The numbered steps below follow the same flow.]
This helps you to address the following questions:
1. Is there an LDAP directory in your system landscape? Yes: see step 3. No: see step 2.
2. Are non-SAP systems accessed using the Enterprise Portal? Yes: set up an LDAP directory, and read on from step 3. No: set up a dedicated CUA child system. For more information, see CUA System Landscape with J2EE Engine(s) [Page 13].
3. Is there a CUA in your system landscape in addition to the LDAP directory? Yes: see LDAP Directory with ABAP System(s) [Page 10]. No: see step 4.
4. Are there one or more ABAP systems in your system landscape? Yes: see LDAP Directory with ABAP System(s) [Page 10]. No: see J2EE Engine with LDAP Data Source [Page 16].
For information about creating and administering user and role data when using an Enterprise Portal, see Roles in the Enterprise Portal [SAP Library].
2.1.1 System Landscape with LDAP Directory
An LDAP directory service is suited to integrating external systems and SAP systems (ABAP and Java) into a heterogeneous system landscape. There are the following options for including J2EE Engines in the system landscape:
• LDAP Directory with J2EE Engine(s) [Page 9]: a J2EE Engine without an associated ABAP system (such as an Enterprise Portal), which is connected directly to the LDAP directory.
• LDAP Directory with ABAP System(s) [Page 10]: a J2EE Engine with an associated ABAP system, which is connected to the LDAP directory using Central User Administration (such as Employee Self-Service).
LDAP Directory with J2EE Engine(s)
Description
In this scenario, you are operating any number of SAP Web AS Java instances with User Management Engine (UME), where each UME uses the LDAP directory as its data source. This means that the user data is also made available, for example, to external systems. An Enterprise Portal may be set up on one of the J2EE Engines. For more information about using an LDAP directory as the data source of the UME, see LDAP Directory as Data Source [SAP Library].
[Figure: the landscape graphic from section 2.1; this scenario covers the LDAP directory, the non-SAP systems and the J2EE Engines with the LDAP data source.]
Administration
Administration of the User Data Without an Enterprise Portal
Object: User. Recommended tool:
• If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
• Alternatively, you can use the UME tools.
Object: UME roles and J2EE security roles. Recommended tool: administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator [SAP Library]. Both tools are part of SAP Web AS Java.
Administration of the User Data with an Enterprise Portal
Object: User. Recommended tool:
• If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
• Alternatively, you can use the Portal Tools [SAP Library].
Object: UME roles and J2EE security roles. Recommended tool: administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator [SAP Library]. Both tools are part of SAP Web AS Java.
Object: Portal roles and user-role assignments. Recommended tool: use the Portal Tools [SAP Library].
Installation
• Set up the LDAP directory and the non-SAP systems.
• Set up the J2EE Engines [Page 16].
LDAP Directory with ABAP System(s)
Description
Data synchronization is set up between the LDAP directory and the ABAP CUA central system. The synchronization direction depends on whether the directory service or the CUA central system is the leading system. The ABAP CUA central system distributes the data to the ABAP CUA child systems. In this example, a J2EE Engine is connected to a CUA child system (either as a standalone installation or as an Add-In) and a non-SAP system is connected to the LDAP directory.
[Figure: the landscape graphic from section 2.1; this scenario covers the LDAP synchronization between the LDAP directory and the ABAP central system, the ALE distribution to the ABAP child systems, and the J2EE Engine with the ABAP data source.]
If you only have one ABAP system in your system landscape, you do not need Central User Administration, since every ABAP system can be connected directly to the LDAP directory. With several directly connected ABAP systems, however, you must set up and run the user data synchronization separately for each ABAP system, and the system-specific ABAP authorization role assignments are usually not administered in the LDAP directory anyway. We therefore recommend that you administer multiple ABAP systems with a CUA and connect only the CUA central system directly to the LDAP directory. You can then distribute the synchronized data from the central system to the child systems and use the central system to administer the system-specific ABAP authorization role assignments. See Synchronization of SAP User Administration with an LDAP-Compatible Directory Service [SAP Library].
The user password is not transferred from the SAP Web AS to the LDAP directory during the synchronization of the user data. You must therefore maintain the user password with one of the following options:
• You specify the passwords centrally in the LDAP server. The users must log on using the UME, are authenticated against the LDAP server, receive a logon ticket and can then access all systems with Single Sign-On. In this case, all systems must be configured so that they accept logon tickets.
• You specify the passwords in a decentralized way, both in the CUA and in the LDAP directory (or in the UME). In this case, the CUA systems do not need to accept logon tickets.
Prerequisites
The configuration of the ABAP data source must be supported (see J2EE Engine with ABAP Data Source [Page 17]).
Administration of the User Data Without an Enterprise Portal
Object: User. Recommended tool:
• If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
• Use the user maintenance (transaction SU01) of the CUA central system (see User Maintenance with Active Central User Administration [SAP Library]). Note that no passwords are synchronized during the synchronization of user data from the CUA central system to an LDAP directory.
Object: ABAP roles. Recommended tool: role administration [SAP Library] (transaction PFCG) in the CUA child systems.
Object: UME roles and J2EE security roles. Recommended tool: administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator [SAP Library]. Both tools are part of SAP Web AS Java. You can integrate the Java-based authorizations of the J2EE security roles and the UME roles with the ABAP roles (see Integration of UME Roles with SAP Roles [SAP Library]).
Object: Role assignment. Recommended tool: assign ABAP roles to the users in the CUA central system (see Assigning Roles [SAP Library]).
Administration of the User Data with an Enterprise Portal
Object: User. Recommended tool:
• If you already administer the users in an LDAP directory with an LDAP administration tool, you can continue to use this tool.
• Alternatively, you can use the Portal Tools [SAP Library].
Object: ABAP roles. Recommended tool: role administration [SAP Library] (transaction PFCG) in the CUA child systems.
Object: UME roles and J2EE security roles. Recommended tool: administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator [SAP Library]. Both tools are part of SAP Web AS Java.
Object: Portal roles and user-role assignments. Recommended tool: use the Portal Tools [SAP Library].
If J2EE Engines are also connected to the ABAP systems, these are administered using the tools described under J2EE Engine with ABAP Data Source [Page 17].
Installation
• If necessary, set up the Central User Administration [SAP Library].
• Set up an LDAP directory in accordance with the product documentation.
• Set up the synchronization of the user data between the directory and the CUA central system [SAP Library].
• Set up the J2EE Engines [Page 17].
2.1.2 System Landscape with CUA
If you are only using SAP solutions and do not want to include any external systems in your system landscape in the future, you can administer your ABAP systems with Central User Administration and, if required, also connect J2EE Engines to the CUA child systems. See also:
• Central User Administration [SAP Library]
• Setting Up Central User Administration [SAP Library]
• User Maintenance with Active Central User Administration [SAP Library]
CUA System Landscape with J2EE Engine(s)
Description
In this scenario, you are operating a Central User Administration to administer the user data for all SAP systems. You can connect a J2EE Engine to one or more child systems. For example, you can connect an Enterprise Portal that only runs SAP applications to a dedicated child system (which contains all users of the Enterprise Portal).
If you have an SAP Web AS Java in your system landscape that runs an application that integrates a large number of backend systems, we recommend that you use the ABAP data source for the User Management Engine of the SAP Web AS Java.
For more information about using an ABAP system as the data source of the UME, see SAP Web AS ABAP User Management as Data Source [SAP Library].
[Figure: the landscape graphic from section 2.1; this scenario covers the ABAP central system, the ALE distribution to the ABAP child systems and the J2EE Engines with the ABAP data source, without the LDAP directory.]
Prerequisites
• The configuration of the ABAP data source must be supported (see J2EE Engine with ABAP Data Source [Page 17]).
Administration
Administration of the User Data Without an Enterprise Portal
Object: User. Recommended tool: user maintenance [SAP Library] (transaction SU01) in the CUA central system.
Object: ABAP roles. Recommended tool: role maintenance [SAP Library] (transaction PFCG) in the CUA child systems.
Object: ABAP role assignment. Recommended tool: role assignment [SAP Library] in the CUA central system.
Object: J2EE security roles and UME roles. Recommended tool: administer the UME roles with the UME administration console and the J2EE security roles with the Visual Administrator of the SAP Web AS Java. Both tools are part of SAP Web AS Java. You can integrate the Java-based authorizations of the J2EE security roles and the UME roles with the ABAP roles (see Integration of UME Roles with SAP Roles [SAP Library]).
Administration of the User Data with an Enterprise Portal
Object: User. Recommended tool: transaction SU01 in the CUA central system.
Object: ABAP roles. Recommended tool: generate these roles from portal roles (see Role and User Distribution to the SAP System [SAP Library]).
Object: ABAP role assignment. Recommended tool: use the portal tools and then distribute the assignments.
Object: J2EE security roles and UME roles. Recommended tool: administer the UME roles with the portal tools and the J2EE security roles with the Visual Administrator of the SAP Web AS Java.
You can only change the attributes of the ABAP users in the UME of the J2EE Engine to a restricted degree. This depends on whether the J2EE Engine is connected to a CUA child system and how the field maintenance is configured for this child system. You can, however, create users with the UME, change the passwords of the users, and lock and unlock users.
Installation
• Set up the Central User Administration [SAP Library].
• Choose the ABAP system as the data source during the installation of the J2EE Engine (see J2EE Engine with ABAP Data Source [Page 17]).
2.2 Installing a J2EE Engine
During the installation of a single J2EE Engine, you define which data is stored where. The following storage possibilities exist for user data:
• J2EE Engine with DB Data Source [Page 15]
• J2EE Engine with LDAP Data Source [Page 16]
• J2EE Engine with ABAP Data Source [Page 17]
2.2.1 J2EE Engine with DB Data Source
Description
Use this installation to run dedicated Java applications on an SAP Web AS Java that access neither an ABAP system nor a non-SAP system, and that do not use the user data of an external system. In this case, the data source of the User Management Engine (UME) is the SAP Web AS database. Examples of this scenario are an SAP Web AS Java used as a development platform, or a Java application that is connected to SAP backend systems using a small number of service users but does not use the same user data as the SAP backend system.
The default installation is an SAP Web AS Java with UME and Enterprise Portal.
[Figure: a single J2EE Engine with its own database as the UME data source.]
Administration
Administer all user data with the UME administration console or the Visual Administrator. If you are using the portal, you can administer the portal roles and user-role assignments with the portal tools.
Installation
Select the database as the data source during the installation of the J2EE Engine. See also:
• UME Data Sources [SAP Library]
• SAP Notes 780679 and 718383
2.2.2 J2EE Engine with LDAP Data Source
Description
You are operating any number of SAP Web AS Java instances with User Management Engine (UME), where each UME uses the LDAP directory as its data source. This means that the user data is also made available, for example, to external systems. For more information about using an LDAP directory as the data source of the UME, see LDAP Directory as Data Source [SAP Library].
[Figure: the landscape graphic from section 2.1; this scenario covers the J2EE Engines with the LDAP data source.]
Administration
Use the administration tools of the User Management Engine. Alternatively, you can also administer the users with the tools of the LDAP directory.
Installation
First select the database of the J2EE Engine as the data source during the installation of the J2EE Engine. Then change this configuration by replacing the database with the LDAP directory. See also:
• UME Data Sources [SAP Library]
• Configuring UME to Use an LDAP Server as Data Source [SAP Library]
• SAP Notes 780679 and 718383
2.2.3 J2EE Engine with ABAP Data Source
Description
If you are running a Java application on an SAP Web Application Server Java that accesses services of the same SAP Web AS ABAP and only uses user data of this SAP Web AS ABAP, we recommend that you configure the User Management Engine of the Java application so that it uses the ABAP user management of the SAP Web AS ABAP. The ABAP and Java parts can belong to the same SAP Web AS installation, or to two separate installations.
If the Java application does not use any services of the SAP Web AS ABAP, configure the User Management Engine of the Java application so that it uses a database as a data source [Page 15] for the user data. Do not install the SAP Web AS ABAP exclusively to administer the user data.
An example of this scenario is an Employee Self-Service, which is operated as a Web Dynpro application on the SAP Web AS Java, and which uses the user data of an ABAP system (such as SAP Human Resources). The UME of the SAP Web AS Java uses the ABAP system as the data source. For more information about using an ABAP system as the data source of the UME, see SAP Web AS ABAP User Management as Data Source [SAP Library].
[Figure: the landscape graphic from section 2.1; this scenario covers the J2EE Engine connected to an ABAP system with the ABAP data source.]
Prerequisites
You choose a configuration for which the ABAP data source is supported (see Installation).
Administration
You can integrate the Java-based authorizations of the J2EE security roles and the UME roles with the ABAP roles (see Integration of UME Roles with SAP Roles [SAP Library]).
Installation
Select the ABAP system as the data source for the J2EE Engine during the installation. See also:
• SAP Notes 780679 and 718383
• SAP Web AS ABAP User Management as Data Source [SAP Library]
• UME Data Sources [SAP Library]
2.3 Defining Role Administration
Purpose
You can configure role administration in accordance with your requirements and prerequisites. The decision you make depends on where the original of the relevant object is to be kept.
Recommended Options for Role Administration
• The users are stored in an LDAP directory connected to the Portal and the original roles are in the Portal (roles were created there or migrated there from ABAP systems). Roles are assigned in the Portal and distributed to the connected ABAP systems using WP3R.
• The users are stored in the ABAP system and the original roles are in the Portal (roles were created there or migrated there from ABAP systems). Roles are assigned in the Portal and distributed with WP3R.
• The users are stored in the ABAP system and the original roles are in the ABAP system. Roles are assigned in the ABAP system. (The ABAP roles are displayed as UME groups in the J2EE Engine and assigned to the relevant Portal roles there.)
Role administration consists of two parts that are usually implemented by different teams: role creation and assigning the roles to users. The role creation [Page 19] is independent of the role administration scenario chosen above. The chosen scenario affects only the assignment of roles.
2.3.1 Creating Portal Roles
Use
You need to assign portal roles to your users so that they can access the content of the SAP Enterprise Portal that is relevant to them. This procedure describes how you create portal roles. The figure below illustrates the process of role creation:
[Figure: Role creation. Portal roles from the SAP Enterprise Portal (UME on Web AS Java) are distributed with WP3R to the ABAP development system, transported to the test system and to the CUA child system, and forwarded to the CUA central system by text comparison.]
The portal roles are transferred to the ABAP development system and postprocessed with transaction WP3R. These roles are then transported to the ABAP test system. After a successful test, the roles are transported from the development system to the production child system of the CUA. This child system forwards the role names to the CUA central system using a text comparison.
Procedure
1. Create portal roles in the Enterprise Portal using one of the following options:
   • Download the roles and worksets published by iView Studio (see www.iviewstudio.com).
   • Create roles and worksets yourself (see Creating and Changing Roles and Worksets [SAP Library] and Roles and Worksets [SAP Library]).
     Manual double maintenance: Part of the roles is maintained as ABAP roles in the ABAP system and part of the roles as portal roles in the portal. This is useful, for example, if you already have a CUA that is functioning well and a sophisticated authorization system to which an Enterprise Portal is to be added.
   • Import the ABAP roles from the ABAP systems (as of EP 6 SP 4, by Uploading Roles from ABAP-Based Systems [SAP Library]). When you do so:
     • The existing ABAP roles (single and composite roles) are automatically converted into portal roles or worksets
     • MiniApps are converted into non-Java iViews
     • Transactions, BW queries, Crystal Reports, URLs, and so on are converted to iViews
     • Optionally, user-role assignments are generated (if the user names are identical and portal roles have been generated)
     In this way, you obtain a functioning portal application and can use the ABAP authorizations that were defined on the basis of the ABAP roles that originally existed. However, you need to generate the pages with generated iViews manually, and derived ABAP roles are not migrated. The portal content is also less attractive, for example, due to generated entry points.
2. Distribute the portal roles from the Enterprise Portal to the ABAP development systems (see Role and User Distribution to the SAP System [SAP Library]). A regular synchronization is planned later, so that all changes to the portal role are transferred to the ABAP role. You can also distribute the role assignment in this way. The assignment of the user to an ABAP role is generated from the assignment of the user to a portal role or to a UME group.
   Caution: The WP3R is not provided with data during the role upload.
   Single roles in ABAP systems based on portal roles:
   • A dedicated iView allows the transfer of a portal role into a (logical) ABAP system. This is not normally the same ABAP system in which the ABAP role is later used productively.
3. All iViews of the portal role that relate to a specific ABAP system are converted into a single role.
   • Delta links ensure that only the iViews that a user can see are transferred.
   • In the ABAP system, all iViews are displayed as transactions or services in a list in the menu.
   The administrators of the ABAP system add the single role authorization data and create derived roles, if necessary, based on the generated single roles, which contain specific authorization data.
4. The ABAP roles are then transported from the development system into the production ABAP system.
If you change or add portal roles, you must replicate these in the ABAP systems again.
2.3.2 Assign Roles
Use
There are a number of application cases that can be combined as follows, depending on the start time of the process:
Role Assignment Using ABAP
• Manually in the CUA central system with transaction SU01 or automatically using HR org
• In the application system with BAPIs that are called by the CUA or an external IM system
Advantages and Disadvantages
Advantage: Automatic role assignment from the CUA side using transaction SU01
Disadvantage: Complete preconfiguration in the SAP delivery is not possible: the customer needs to make the assignments of portal roles to UME groups
Advantage: No modification of the CUA and the composite roles is required
Disadvantage: Consistent maintenance of the CUA composite roles and portal role is required (manually, with no tool)
Advantage: Works both for portals with the ABAP persistence option and for assigning authorizations for an integrated or separately installed Exchange Infrastructure system (XI system), or for any other add-in J2EE Engine.
Disadvantage: No tool for common assignment of functional roles (portal and ABAP) and organizational roles (derived ABAP roles)
Advantage: Works for system landscapes in which external IM systems (Sun, Siemens, CA, IBM, and so on) perform user administration by BAPI call
Disadvantage: No direct user-role assignment is possible in the portal
Disadvantage: A directory can only be connected through the ABAP-LDAP synchronization for users (background processing, only a few times a day). This means that there is no common password for the SAP system landscape and the directory.
Role Assignment Using the Portal/UME
• With the user interface of the Enterprise Portal or the UME
• With service calls (SPML) of an external IM system
Advantages and Disadvantages
Advantage: (Semi-)automatic creation of ABAP roles from portal roles, including updates
Disadvantage: Manual steps required
Advantage: Role assignment in the portal (including groups)
Disadvantage: Requires you to switch to defining roles in the portal, if you have existing role definitions in the CUA.
Assigning Roles Using ABAP Tools
You already have a Central User Administration (CUA) with ABAP roles and want to connect an Enterprise Portal to this CUA. You use the ABAP roles for system-specific authorization assignment and, where appropriate, the structuring of the respective local SAP Easy Access menu. You may also already have CUA composite roles to combine system-specific ABAP roles for functional authorizations. There are usually other derived ABAP roles with data authorizations and responsibilities.
Procedure
1. If not all ABAP users of the CUA are to become Portal users, we recommend that you perform the following optional step: create a new client for the Enterprise Portal as a CUA child system.
2. For users and groups, connect the Portal to the CUA central system or to the new client.
3. Create a matching ABAP single role for every Portal role. These ABAP roles only have to exist. They do not have a menu and contain no authorizations. In the Portal, the ABAP single roles are displayed as (unchangeable) UME user groups.
4. Assign these groups to the corresponding Portal roles (these are usually 1:1 relationships).
5. Optional: In the CUA, incorporate the ABAP roles for functional authorizations and the single roles associated with the Portal roles into CUA composite roles.
6. Take appropriate organizational actions so that derived ABAP roles can be assigned for data authorizations and responsibilities (matching the functional CUA composite roles).
7. If you change the Portal role (user interface), the ABAP roles (authorizations), or the CUA composite role (combination of the functional authorizations), you need to adjust the other roles in each case. If you created the ABAP roles with the WP3R process, you can also use it now to make the adjustments.
8. If you now assign this CUA composite role to users, they are automatically assigned the appropriate Portal roles through the ABAP single roles associated with the Portal roles.
Assigning Roles Using the Enterprise Portal or UME
If the description under Assigning Roles Using ABAP Tools does not apply to your system landscape, assign roles using the Enterprise Portal or UME, especially if one of the following criteria applies:
• You do not yet have Central User Administration.
• You want to use an LDAP server.
• You also want to use the Enterprise Portal for non-SAP systems.
• You intend to use the Enterprise Portal as the main tool for role administration in the future.
Prerequisites
You have created Portal roles (see Creating Portal Roles [Page 19]) and distributed them to the ABAP systems.
Procedure
1. In the Enterprise Portal, assign the user to a group (to which at least one role is assigned) or directly assign a role to the user (see Assigning Roles to Users and Groups [SAP Library]).
2. Distribute the user-Portal role assignment (see Transferring User Assignments [SAP Library]). The administrators of the CUA central system select corresponding single roles or derived roles and assign these to the users. If there is a 1:1 relationship between portal and ABAP roles for each system (that is, no derived roles exist), this process can run automatically (set the indicator for automatic assignment on the initial screen of WP3R). The following restrictions apply for the generated user-role assignments:
   • The user groups are resolved before the transfer; that is, the generation runs at the level of individual users and not user groups.
   • User-role assignments are only generated if the users in the portal have the same names as those in the backend systems.
   The user mapping (see User Mapping [SAP Library]) is taken into account when doing so. However, the user-role assignments can only be generated if a portal user is not mapped to multiple ABAP users in the various backend systems. Otherwise, it is not possible to determine which user belongs to which ABAP backend system.
3. In the CUA central system (or, if you do not use a CUA, in the individual ABAP systems), call transaction WP3R to complete the role assignment.
If you change the role assignments, you need to distribute these again, usually once or more per day.
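The restrictions on generated user-role assignments in step 2 above, worked through as an added example that is not SAP's WP3R code: a small simulation that resolves UME groups to individual users, applies the user mapping, and skips any portal user mapped to more than one ABAP user. All user names, systems, roles and mappings are constructed.

```python
"""Simulation of the rules under which the transfer of user-Portal role
assignments can generate ABAP user-role assignments automatically.
Added illustration, not SAP's WP3R; all names and sample data are constructed."""
from collections import defaultdict

# Constructed landscape: UME group members, Portal role assignments,
# the ABAP single role behind each Portal role, and the user mapping.
PORTAL_GROUPS = {"sales": ["alice", "bob"]}              # UME group -> portal users
PORTAL_ASSIGNMENTS = [                                    # (principal, portal role)
    ("group:sales", "pcd:sales_manager"),
    ("user:carol", "pcd:hr_clerk"),
]
ROLE_TO_ABAP = {                                          # portal role -> (system, ABAP role)
    "pcd:sales_manager": ("ERP", "Z_SALES_MANAGER"),
    "pcd:hr_clerk": ("HCM", "Z_HR_CLERK"),
}
# Portal user -> {backend system: ABAP user}. carol is mapped to two different
# ABAP users, so it cannot be determined which ABAP user belongs to which system.
USER_MAPPING = {"bob": {"ERP": "BOB"}, "carol": {"ERP": "CAROL_A", "HCM": "CAROL_B"}}
BACKEND_USERS = {"ERP": {"ALICE", "BOB", "CAROL_A"}, "HCM": {"CAROL_B"}}


def resolve_principals(assignments, groups):
    """Groups are resolved first: generation runs per individual user."""
    roles_by_user = defaultdict(set)
    for principal, role in assignments:
        kind, name = principal.split(":", 1)
        for user in (groups.get(name, []) if kind == "group" else [name]):
            roles_by_user[user].add(role)
    return roles_by_user


def abap_user_for(portal_user, system, mapping, backend_users):
    """ABAP user ID to assign to, or None when no unique target exists."""
    targets = set(mapping.get(portal_user, {}).values())
    if len(targets) > 1:
        return None                      # mapped to multiple ABAP users: ambiguous
    if targets:
        return targets.pop()             # one mapped ABAP user for all systems
    candidate = portal_user.upper()      # no mapping: names must be identical (ABAP IDs are upper case)
    return candidate if candidate in backend_users.get(system, set()) else None


def generate_assignments(assignments=PORTAL_ASSIGNMENTS, groups=PORTAL_GROUPS,
                         mapping=USER_MAPPING, backend_users=BACKEND_USERS):
    """Returns (generated, skipped): (system, ABAP user, ABAP role) triples that
    can be generated automatically, and (portal user, reason) pairs left to the
    CUA administrators to resolve by hand."""
    generated, skipped = [], []
    for user, roles in sorted(resolve_principals(assignments, groups).items()):
        for role in sorted(roles):
            system, abap_role = ROLE_TO_ABAP[role]
            abap_user = abap_user_for(user, system, mapping, backend_users)
            if abap_user is None:
                skipped.append((user, f"no unique ABAP user for {system}"))
            else:
                generated.append((system, abap_user, abap_role))
    return generated, skipped
```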
User Administration and Authentication 3 User Authentication and Single Sign-On
3 User Authentication and Single Sign-On
User Authentication
For user authentication in SAP systems within the SAP NetWeaver platform, the following mechanisms are available:
• User ID and Password
  User ID and password is the standard mechanism supported by all SAP NetWeaver products. However, the verification routines used depend on the underlying technology as follows:
  • For cases where HTTP is used as the transport protocol, the standard HTTP Basic Authentication and form-based authentication mechanisms are supported.
    When using Basic Authentication, the user's information is passed to the server over the HTTP connection in a header variable as a base-64 encoded string. With form-based authentication, the information is passed as a URL parameter.
    When using user ID and password authentication in productive environments, the preferred authentication method is form-based authentication.
  • For cases where the SAP protocols (dialog and RFC) are used, SAP routines are used.
  In all cases, the user ID and password are only encoded, not encrypted, when transported across the network. Therefore, we recommend using encryption at the network layer, either by using the Secure Sockets Layer (SSL) protocol for HTTP connections, or Secure Network Communications (SNC) for the SAP protocols dialog and RFC. For more information, see Network and Communication Security [SAP Library].
• Client Certificates
  Many of the SAP NetWeaver products also support the use of the SSL protocol and client certificates for user authentication. In this case, the authentication takes place using the underlying protocols and no user intervention is necessary, which also provides for a Single Sign-On environment. Users need to receive their client certificates from a Certification Authority (CA) as part of a public-key infrastructure (PKI). If you do not have an established PKI then you can alternatively use a Trust Center Service to obtain certificates. The CA you choose to use must be designated as a trusted CA on the Web server.
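The point that user ID and password are only encoded on the wire, as an added example that is not part of the guide: a small audit function that parses a captured HTTP request, recovers the user ID and password from a base-64 Basic Authorization header, and flags both Basic credentials and form logon parameters carried in the URL whenever the request did not travel over SSL. The request, host, path, credentials and the form field names j_user/j_password are constructed for the example.

```python
"""Why the guide recommends SSL: HTTP Basic Authentication credentials are
base-64 encoded, not encrypted, so whoever can read the connection can read
them. Added example, not SAP code; the request and credentials are constructed."""
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed request as it would appear on a plain HTTP connection.
SAMPLE_REQUEST = (
    "GET /irj/portal HTTP/1.1\r\n"
    "Host: webas.example.internal\r\n"
    "Authorization: Basic ZGVtb3VzZXI6U2VjcmV0MTIz\r\n"
    "\r\n"
)
# Assumed names of the form logon fields when they end up as URL parameters.
FORM_LOGON_FIELDS = {"j_user", "j_password"}


def parse_request(raw):
    """Returns (request line, {lower-case header name: value}) from a raw request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return head[0], headers


def decode_basic(value):
    """Recovers (user, password) from a Basic credential, or None otherwise."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def audit_request(raw, tls):
    """Returns findings for credentials that crossed the network without SSL."""
    findings = []
    request_line, headers = parse_request(raw)
    _method, target, _version = request_line.split(" ", 2)
    creds = decode_basic(headers.get("authorization", ""))
    if creds and not tls:
        findings.append(f"Basic credentials readable on the wire: user={creds[0]!r}")
    # Form-based logon with the credentials passed as URL parameters (see above).
    query_fields = {k.lower() for k in parse_qs(urlsplit(target).query)}
    if query_fields & FORM_LOGON_FIELDS and not tls:
        findings.append("logon parameters in URL without SSL")
    return findings
```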
Integration Into Single Sign-On Environments
Single Sign-On provides for an environment where users are allowed access to multiple systems based on an initial authentication. The available mechanisms for SAP systems within the SAP NetWeaver platform include:
• Logon Tickets
  To provide for Single Sign-On to multiple systems, a user can be issued a logon ticket after being authenticated on the SAP system. This ticket can then be presented to other systems (SAP or non-SAP) as an authentication token. Instead of having to provide a user ID and password for authentication, the user is allowed access to the system after the system has verified the logon ticket.
  When using logon tickets for authentication with Web applications, the user's ticket is stored as a non-persistent cookie in the user's Web browser. This cookie contains the information necessary to log the user on to additional systems without having to provide an explicit password authentication. Therefore, you should protect the logon ticket from being compromised or manipulated during transfer by using SSL between Internet-enabled components. See Network and Communication Security [SAP Library].
• Client Certificates
  When using client certificates for user authentication, the user is re-authenticated with each request using the SSL protocol. However, no user intervention is necessary, which provides for a Single Sign-On environment for the end user.
• Additional Mechanisms
  Additional mechanisms are also available with the SAP NetWeaver products, depending on the underlying technology used, for example, using RFC trusted systems between two ABAP Engines. For such scenarios, see the security guide for the specific product.
Using External Authentication Mechanisms
In addition, the use of external authentication mechanisms is also supported by the SAP NetWeaver products.
When using external authentication mechanisms, the level of security you have for the authentication depends on the security of the mechanism you use. Therefore, you should inform yourself of any vulnerabilities and if necessary, apply corresponding transport layer security. The following mechanisms are supported.
• Secure Network Communications
  With SNC, user authentication and Single Sign-On is supported for connections between the SAP GUI for Windows or SAP GUI for Java and the SAP Web AS (ABAP Engine). In this scenario, the user authentication is performed by an external security product. Supported external security products are certified by the SAP Software Partner Program. For more information, see the SNC User's Guide available on the SAP Service Marketplace at http://service.sap.com/security.
• Pluggable Authentication Services (PAS)
  PAS is available as a service on the Internet Transaction Server (ITS) that supports external authentication for Web-based applications. A variety of external mechanisms are supported, for example, password checking on the Windows domain controller or authentication on a directory server that uses the Lightweight Directory Access Protocol (LDAP). After successful authentication, the user is issued a logon ticket for Single Sign-On access to successive systems. For more information, see Pluggable Authentication Services for External Authentication [SAP Library].
• Using Header Variables or Integrated Windows Authentication
  The SAP Web Application Server Java supports the use of header variables for Single Sign-On. This means that you can delegate user authentication to any external product which authenticates the user and returns an authenticated user ID as part of the HTTP header. Users only have to authenticate once against the external product and can then access applications on the Web AS Java, such as the portal, with Single Sign-On. There are security measures to take when using header variables for Single Sign-On. See: Using Header Variables or Integrated Windows Authentication for User Authentication [SAP Library].
• Java Authorization and Authentication Service (JAAS)
  The J2EE Engine supports the use of external authentication mechanisms using the JAAS specification. In this case, you can include external modules in the SAP J2EE Engine's login module stack. For more information, see Authentication on J2EE Engine [SAP Library].
• Security Assertion Markup Language
  The J2EE Engine also supports the use of SAML assertions for user authentication. For more information, see Authentication on J2EE Engine [SAP Library].