SAP Web AS ABAP User Management as Data Source
The User Management Engine (UME) can use an SAP Web AS ABAP (AS-ABAP) as its data source for user management data. This enables you to take advantage of the following:
· Users of the ABAP system are visible as users in the UME and can log on with their passwords from the ABAP system.
· Roles of the ABAP system are visible as groups in the UME. The hierarchy between collective roles and single roles is realized as nested group structures. New groups created with the J2EE Engine are created in the Java database.

Because of the different interpretations of the “contains in” relationship between ABAP and the UME, the visual order of the groups is reversed. A group representing a collective role is a child element of the group representing a single role. In the ABAP system, the single roles are displayed as child elements of collective roles.
· User and role assignments in the ABAP system are shown as user and group assignments in the UME. You can use the ABAP roles for authorization management in the UME, by adding the groups representing the ABAP roles to the UME roles.
The AS-ABAP must have release 6.20 SP25 or higher.
When you use an ABAP system as the data source for user management data, the following constraints apply when using the tools of the J2EE Engine.
Due to the security policy of the AS-ABAP system, users can change their passwords only once per day. However, if the administrator provides a new password, the user can and must change his or her password the next time he or she logs on.
The file dataSourceConfiguration_abap.xml grants the UME read-write access to the ABAP system by default. However, as long as the system user that is used for communication between the UME and the AS for ABAP system (default user name SAPJSF_<SID>) has no ABAP role, or is assigned to an ABAP role with read-only access, write access to the ABAP system will fail.
When the J2EE Engine starts, the UME checks the roles assigned to the system user. If it finds no roles or only the role SAP_BC_JSF_COMMUNICATION_RO, the UME switches to read-only access for users located in the ABAP system.
● If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, like first name and last name. You can modify attributes stored in the UME database, like street. Even if read-only access is assigned, users can still change their own passwords.
● If the UME has read-write access, you can create users using the tools of the J2EE Engine. Users created in this way are stored as users in the ABAP system. Extended user data that cannot be stored in the standard ABAP user record is stored in the database of the UME.
To enable read-write access to the system, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for Communication User SAPJSF_<SID> in ABAP Systems.
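The startup rule described above can be checked offline against an export of role assignments. The following Python sketch is an added example, not SAP code: the CSV layout, the SIDs, the Z_ role names and the function names are assumptions made for illustration. It reports the access mode the UME would select for a communication user and lists any roles beyond the two communication roles, which is the item to look at in a least-privilege review.

```python
import csv
import io

RO_ROLE = "SAP_BC_JSF_COMMUNICATION_RO"
RW_ROLE = "SAP_BC_JSF_COMMUNICATION"

# Constructed sample: user/role assignments in a hypothetical CSV export.
# The SIDs and the Z_ roles are made up for this example.
SAMPLE_EXPORT = """user,role
SAPJSF_DEV,SAP_BC_JSF_COMMUNICATION_RO
SAPJSF_QAS,SAP_BC_JSF_COMMUNICATION
SAPJSF_PRD,SAP_BC_JSF_COMMUNICATION
SAPJSF_PRD,Z_BASIS_ADMIN
JDOE,Z_SALES_CLERK
"""

def roles_by_user(export_text):
    """Group role names by (upper-cased) user name from a user,role CSV."""
    roles = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        roles.setdefault(row["user"].strip().upper(), set()).add(row["role"].strip())
    return roles

def ume_startup_mode(roles):
    """Startup rule from the text: no roles, or only the _RO role, is read-only."""
    if not roles or roles == {RO_ROLE}:
        return "read-only"
    return "read-write"

def review_communication_user(export_text, user):
    """Return (startup access mode, review findings) for one system user."""
    roles = roles_by_user(export_text).get(user.upper(), set())
    mode = ume_startup_mode(roles)
    findings = []
    if mode == "read-write" and RW_ROLE not in roles:
        findings.append(RW_ROLE + " not assigned: write access depends on the other roles")
    extra = sorted(roles - {RO_ROLE, RW_ROLE})
    if extra:
        findings.append("roles beyond the two communication roles: " + ", ".join(extra))
    return mode, findings
```

For example, review_communication_user(SAMPLE_EXPORT, "SAPJSF_PRD") returns read-write together with a finding for Z_BASIS_ADMIN.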

You can activate the self-registration and self-management functions provided by the UME. In this way, users can set and change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration.
When you use the user administration tools of the J2EE Engine, certain limitations apply:
Limitations of User Search Criteria
| User Search Criteria | Limitations |
| --- | --- |
| Creation date, Date of last password change | The search only considers actions performed using the J2EE Engine tools. |
| Street, City, State/Province, Zip/Postal code | The search only considers data stored in the UME tables of the J2EE Engine database. This data is different from the data stored in the ABAP user master data. |
| Country, Fax, Form of address, Language, Mobile, Telephone, Time zone | You cannot search for users based on these criteria. |
You cannot change groups that represent roles in the AS-ABAP system or change user assignments to these groups. To create new groups or change existing groups within the AS-ABAP system, use the transaction PFCG in the AS-ABAP system. New groups created with the UME are stored in the local database. You can assign users from the AS-ABAP system to these groups.
The system user for communication with the AS for ABAP system cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. No user management operations in the UME are possible for this system user.
We recommend that you configure the UME security policy to be the same as the settings in the AS-ABAP. The only exception is the setting for locking users after invalid logon attempts. You should deactivate this setting in the UME so that the AS-ABAP system is responsible for locking users. For more information, see Security Policy. During the installation of a combined AS-ABAP and AS-Java installation, these values are configured automatically.
For more information about the security policy settings in the AS-ABAP system, see Profile Parameters for Logon and Password (Login Parameters).
Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.
For more information about other data source configuration files, see Data Source Configuration Files.
The system user (SAPJSF_<SID>) is configured to use a specific language in the AS-ABAP system. The language setting used for the system user determines the value of the user attribute salutation returned from the AS-ABAP system. For details, see SAP Note 866367.
If you create a new ABAP role or change the description of an existing ABAP role in the AS-ABAP system, these changes may not be visible in the UME for up to 30 minutes, because the UME reads this data from the AS-ABAP system every 30 minutes. When the change appears depends on when the UME last read the data. To force the UME to read the data from the AS-ABAP system, restart the AS-Java system.
The AS-ABAP and AS-Java systems use different concepts for displaying time zones. AS-ABAP uses generic regional designations, such as Central European Time (CET). AS-Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.
A default mapping between these two systems is installed. You cannot change the default mapping, but you can override it. To override the default mapping or add additional mappings, enter the time zone pairs under the UME property ume.r3.connection.<adapterdid>.TimeZoneMapping. See SAP ABAP-Based System as Data Source.
The UME can connect to the central system of an AS-ABAP Central User Administration (CUA). The UME can view all users present in any system managed by the central system; however, the AS-ABAP users can only log on to the UME if they have a system assignment in the central system. When you create new users in the UME, this assignment is created automatically.
The UME can view only the roles that are present in the central system, that is, roles that are available in the transaction PFCG. Roles known to the central system in the value help for user/role-assignment for managed systems are not visible to the UME. From the UME, you can only view those user/group assignments made for the central system.
