User Mapping and the AS Java

Use

User mapping is only necessary for Single Sign-On (SSO) when users have different user IDs in the SAP NetWeaver Application Server (AS) Java and in the back-end systems.

Caution

When possible, avoid user mapping by using the same user ID in the portal and back-end ABAP systems and enable SSO with tickets. If you cannot avoid user mapping, configure the connection to the back-end system to use Secure Sockets Layer (SSL) and Secure Network Communications (SNC).

More information: Transport Layer Security

If you cannot avoid different user IDs in the AS Java and back-end systems, you can use user mapping to enable SSO. With user mapping you define systems in the destination service. Then for the defined systems you map AS Java users to back-end system users with the user management engine (UME).

When an application, which is programmed to use the destination service, attempts to connect to a back-end system, the AS Java requests the connection information from the destination service. If the system is configured for user mapping, the destination service queries the UME about any user mapping for the current user. The AS Java uses this information to establish a connection to the target system.

User Mapping with User ID and Password

This method maps a user, group, or role with a user ID in the back-end system. When the application tries to connect to the back-end system, the UME tries to map the user to a user in the remote system. The UME does this bay checking for mappings in the following order:

To the AS Java user
To any group the AS Java user is a member of
To any roles the AS Java user is directly assigned
User mapping does not support mappings to indirect role assignments

The AS Java uses the first mapping found. If the AS Java does not find any mappings that apply, the application prompts the user to enter mapping data, assuming the application developer programmed the application to do so.

Caution

If you map to a single user in the back-end system, do not map to a super user or administrative user. If you must map to a single user, we recommend mapping to a guest user with the required rights. Do not map users to back-end accounts, which would pose a security risk if the users learned the user ID and password.

Note

If you do not maintain individual user-to-user mappings, map roles or groups to a user in the back-end system. If a specific AS Java user in the role or group needs more or less authorization in the back-end system than allowed by the role-to-user or group-to-user mappings, you can create a user-to-user mapping for this kind of exception.

Instead of creating mappings to groups like Everyone, consider creating a destination with Technical User authentication. The destination uses the configured technical user regardless of the local UME user.

Do not create more than one of the same kind of mapping for the same back-end system. The AS Java uses the first mapping found. If you map two roles to different users in the same back-end system and you assign both roles to an AS Java user, you cannot be sure which mapping the AS Java will use.

Some applications require user mappings to be unambiguous. Applications such as Universal Worklist, perform inverse user mapping and thus require a 1:1 relationship between front-end and back-end users.