Service User

Service users do not log on interactively. A service user is used, for example, to connect to a remote system with certain rights. Although a service user does not log on interactively, it is authenticated and its attributes contain a valid ticket. User mapping can be defined for a service user, and roles and general attributes can be assigned to it.

Service users are defined as regular users with their own namespace.

ServiceUserFactory

The ServiceUserFactory can be accessed as follows:

    UMFactory.getServiceUserFactory()

The ServiceUserFactory provides the method getServiceUser(String uniqueName). The ServiceUserFactory verifies that the specified user is a service user and, if so, returns an IUser object with a ticket attached to a transient attribute.

For a service user, only the user profile is stored, not the user itself. This has the following advantages:

·        No interactive logon is possible:

         ·        Authentication first checks the store of accounts and does not find a user account for a service user.

         ·        No special coding is necessary for the authentication process.

·        Initial service users can be provided when the UME tables are created. After the UME tables are created, the following users, in this case Knowledge Management service users, are added automatically:

"index_service" ,

"subscription_service",

"ice_service",

"collaboration_service",

"timebasedpublish_service",

"notificator_service",

"cmadmin_service",

"action_inbox_service"

Security of Service Users

Service users have the rights that are needed to perform a certain task, for example, all necessary permissions to perform all actions, like delete and modify, on an Access Control List (ACL).

Permission check example:

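    IUser createServiceUser(String uid) {
        SecurityManager secman = UMFactory.getSecurityManager();

        if (secman != null) {
            // Target = name of the protected call, action = name of the service user
            ProtectedCallPermission p =
                new ProtectedCallPermission("createServiceUser", uid);
            // Check that the calling code has been granted this permission
            secman.checkPermission(p);
        }
        // Creation and return of the service user are not shown here
    }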

The call name acts as target and the user name as action. With this granularity, you can specify exactly which application can instantiate which service users.

Example of a permission grant:

    codeBase ${portal.home}\WEB-INF\portal\…\private\lib\km.jar {
        grant ProtectedCallPermission createServiceUser IndexService,QueueService;
    }
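How a grant of this kind decides a request, as an added example that is not SAP's code: `CallPermission` is a hypothetical stand-in for `ProtectedCallPermission`, whose implementation this page does not show. It assumes the call name is the permission target and the comma-separated action list names the service users the code base may instantiate; the requested user names are constructed.

```java
import java.security.Permission;
import java.util.Set;
import java.util.TreeSet;

public class ServiceUserGrantDemo {
    public static void main(String[] args) {
        // Grant taken from the policy example on this page (km.jar code base).
        Permission grant = new CallPermission("createServiceUser", "IndexService,QueueService");
        // Constructed requests: two named in the grant, one not named, one empty.
        for (String uid : new String[] {"IndexService", "QueueService", "cmadmin_service", ""}) {
            boolean ok = grant.implies(new CallPermission("createServiceUser", uid));
            System.out.println("createServiceUser(" + uid + ") -> " + (ok ? "allowed" : "denied"));
        }
    }
}

// Hypothetical stand-in for ProtectedCallPermission (assumption, not the UME class):
// name = protected call (target), actions = service user names.
final class CallPermission extends Permission {
    private final Set<String> users = new TreeSet<>();

    CallPermission(String call, String userList) {
        super(call);
        for (String u : userList.split(",")) {
            if (!u.trim().isEmpty()) users.add(u.trim());
        }
    }

    // A grant covers a request only for the same call and only for users it names.
    // An empty request is rejected so that a blank user name never passes the check.
    @Override public boolean implies(Permission p) {
        if (!(p instanceof CallPermission)) return false;
        CallPermission req = (CallPermission) p;
        return getName().equals(req.getName())
            && !req.users.isEmpty()
            && users.containsAll(req.users);
    }

    @Override public String getActions() { return String.join(",", users); }

    @Override public boolean equals(Object o) {
        return o instanceof CallPermission
            && getName().equals(((CallPermission) o).getName())
            && users.equals(((CallPermission) o).users);
    }

    @Override public int hashCode() { return 31 * getName().hashCode() + users.hashCode(); }
}
```

When reviewing such grants, check each code base's user list against the tasks that code actually performs, since every name in the list is a service user identity that the code base can obtain without an interactive logon.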
