Identity Management

Identity Management for System Landscapes

SAP Identity Management

Integration of User Management in Your System Landscape

Adding an ABAP System to Your System Landscape

Adding an AS Java System to Your System Landscape

Administration of User Data

Integrated Role and User Administration

Using ABAP-Centered Role Administration

Using Portal-Centered Role Administration

Using ABAP-Centered Role Assignment

Using the Portal-Centered Role Assignment

User and Role Administration of Application Server ABAP

AS ABAP Authorization Concept

Organizing Authorization Administration

Assigning Authorizations

From the Programmed Authorization Check to a Role

Editing Authorization Default Data (Development System)

Editing Authorization Default Data (Customer System)

Maintaining Authorizations in SAP Example Roles

Maintaining Authorizations in Roles for Productive Use

Trace for Authorization Checks

Maintaining Authorization Default Values Using Trace Evaluation in Transaction SU22 or SU24

Maintaining Authorization Fields Using Trace Evaluation in Transaction PFCG

Maintaining Role Menus Using Trace Evaluation in Transaction PFCG

Using the System Trace to Record Authorization Checks (Transaction STAUTHTRACE)

Glossary

Configuration of User and Role Administration

First Installation Procedure

Setting Up User and Authorization Administrators

Configuring User Group as Required for User Master Records

Interaction of Required User Groups and Central User Administration

Enabling Movement Activity for S_USER_GRP

Setting Up the Role Administration Tool

Defining the Scope of Authorization Checks

Preparatory Steps

Globally Deactivating Authorization Checks

Reducing Authorization Checks in Applications

Searching for Deactivated Authority Checks

Editing Templates for General Authorizations

Check Indicators

Logon and Password Security in SAP NetWeaver Application Server ABAP

Implementation of Password and Logon Protection with Security Policies and Profile Parameters

Password Hash

Initial Password

Password Checks

Password Rules

Profile Parameters for Logon and Password (Login Parameters)

List of Customizing Switches for Generated Passwords

Security Policy Attributes for Logon and Passwords

Defining Security Policies

Rules for User Names

Protecting Special Users

Securing User SAP* Against Misuse

Securing User DDIC Against Misuse

Security in System Groups

Role Administration

Role Administration Functions

Changing Standard Roles

Creating Single Roles

Role Menu

Merge Function for the Authorization Data of PFCG Roles

Editing Predefined Authorizations

Symbols and Status Text in Authorization Administration

Copying Authorizations From Templates

Assign User

Assign MiniApps

Personalization Tab Page

Creating Derived Roles and Copying Authorizations

Authorization Checks when Adjusting Derived Roles

Comparing and Adjusting Role Menus

Creating Composite Roles

Generating Authorization Profiles

Regenerate the Authorization Profile Following Changes

Performing a Mass Generation of Profiles

Transporting Authorization Components

Transporting and Distributing Roles

Transporting Manually-Created Profiles

Transporting Manually-Created Authorizations

Transporting Check Indicators and Field Values

Loading or Storing Check Indicators and Authorization Default Values

Transporting Templates

Analyzing Authorization Checks

Analyzing Authorizations Using the System Trace

Authorization Error Analysis Functions

Indirect Role Assignment Using Organizational Management (OM)

Assigning a Role Indirectly

Indirect Role Assignment in a System Landscape

Distribution of the Organizational Management Model

Creating an Organizational Management Distribution Model in the Sending System

Generating Partner Profiles of the OM Distribution Model

Creating an Outbound Filter with Customer Exit

Activating Change Pointers

Writing Change Pointers for Infotype 0105

Distributing the Organizational Management Model (Initial Distribution)

Distributing Changes to the Organizational Management Model

Central User Administration

Setting Up Central User Administration

Creating an Administration User

Setting Up Logical Systems

Defining/Setting Up a Logical System

Assigning a Logical System to a Client

System Users and RFC Destinations

Defining Authorizations for System Users

Determining Existing RFC Destinations and System Users

Creating System Users

Creating an RFC Destination for the Target System

System Users and RFC Destinations with Trusted Systems

Creating RFC Destinations for the Target System with a Trusted System

Advantages and Disadvantages of Trusted RFC Destinations

Creating the Central User Administration

Set Up Field Distribution Parameters

Synchronizing and Distributing Company Addresses

Synchronizing User Groups

Transferring Users from New Systems

Displaying and Processing Distribution Logs

Error Analysis in Central User Administration

Checking the Setup of Central User Administration

Avoiding Termination when Saving the System Landscape

Creating an ALE Model Including Partner Profiles Manually

Creating the ALE Distribution Model

Generating Partner Profiles

Checking Partner Profiles

Correcting Errors in Partner Profiles

Distributing the Model View

Other Error Sources

Activated Background Processing

Changing Partner Profiles with Active Background Processing

Creating a Background User

Removing Central User Administration

Removing a Child System from Central User Administration

Removing Central User Administration Completely

Glossary

Application Link Enabling (ALE)

ALE Landscape

ALE Integrated System

User Master Record

Authorization

Authorization Profile

Background Processing

IDoc

System User

Logical System

Partner Profile

Profile

Profile Generator

Remote Function Call (RFC)

Role

Child System

Distribution Model

Central User Administration (CUA)

Central System

DBMS User Management

Configuring DBMS User Management for SAP HANA

Central Repository for Personalization Data

Using the Generic Storage Table

Implementing a Dialog

Integrating External Tables

Registering Personalization Objects

Directory Services

LDAP Connector

Maintaining the Directory Server

Configuring the LDAP Connector

Configuring Connection Data for the Directory Service

Defining the System User of the Directory Service

LDAP Connector Interface

Logging On to the Directory Service

Calling LDAP Protocol Functions

Synchronization of SAP User Administration with an LDAP-Compatible Directory Service

Mapping SAP Data Fields to Directory Attributes

Mapping and Synchronization Process

Schema Extension

Generating a Schema Extension

Mapping SAP Data Fields to Directory Attributes

Mapping with a Function Module (Linking Type)

Mapping Indicator Versus Synchronization Indicator

Setting Mapping Indicators

Setting Synchronization Indicators

Preparing and Starting Synchronization

Synchronization Report RSLDAPSYNC_USER: Examples

Administering the Synchronization Log

Checking for Changes in Authorizations After Upgrades

Generated Role SAP_NEW

Migrating Report Trees

Customizing Scenario-Based Authorizations

Scenario-Based Authorization Checks

Transporting Active Scenarios to Follow-On Systems

Saving Scenarios to the Local File System

Uploading Active Scenarios to SAP NetWeaver Application Server ABAP

Checking the Consistency of Active Scenarios

Displaying an Overview of Scenarios

Administration of Users and Roles

User Administration

User Administration Functions

Creating and Editing User Master Records

Logon Data Tab

Password Status

Assigning Security Policies to Users

DBMS Tab

SNC Tab Page

Roles Tab Page

Profiles Tab

Groups Tab Page

Personalization Tab Page

Licence Data Tab Page

Copying Users

Personalizing Users or Roles

Changing the Standard Company Address

Assigning Roles

Assign a Standard Role to a User

Mass Changes

Logging Off Inactive Users

Editing User Defaults and Options

Comparing User Master Records

Creating and Editing Internet Users

User Administration with DBMS User Management

Changes in Behavior When DBMS User Management is Active

Password Management with DBMS User Management

Constraints in DBMS User Management

Removing Inconsistent Mappings in DBMS User Management

Mass Maintenance with DBMS User Management

Maintaining User Mappings of Many DBMS Users

Maintaining Role Assignments for Many DBMS Users

Operating Central User Administration

User Administration with Active Central User Administration

Assigning Passwords with Active Central User Administration

Sending User Master Data to a Child System

Performing a Text Comparison with Target System Specification

Displaying Change Documents for Security Policies

User Information System

Determining Users with the Users Node

Determining Cross-System Information

Users by Complex Selection Criteria (RSUSR002)

By Logon Date and Password Change (RSUSR200)

With Critical Authorizations (RSUSR008_009_NEW)

Analyzing Users with Critical Authorizations

Analyzing Users with Critical Combinations of Authorizations

Additional Selection Criteria

Evaluation of the Result List

Examples of Using Critical Authorizations and Combinations

Determining Roles, Profiles, Authorizations, and Authorization Objects

Determining Transactions (RSUSR010)

Comparing Cross-System Users, Authorizations, Roles, and Profiles (RSUSR050)

Creating Where-Used Lists in the User Information System

Creating Where-Used Lists for Roles (RSUSR002)

Creating Where-Used Lists for Profiles (RSUSR002)

Creating Where-Used Lists for Authorizations (RSUSR002)

Creating Where-Used Lists for Authorization Values (RSUSR002)

Creating Where-Used Lists for Authorization Objects (RSUSR002)

Determining Change Documents

Displaying Change Documents for Users

Displaying Change Documents for Role Assignments

Displaying Change Documents for Roles

Displaying Change Documents for Profiles

Displaying Change Documents for Authorizations

Displaying Change Documents for Authorization Defaults

Displaying Change Documents for Security Policies

Displaying Change Documents for CUA Configurations

Creating a User-Specific Result List

Troubleshooting

Cleaning Up User Tables

Reference Documentation for User and Role Administration

Authorization Objects Checked in Role Administration

Role Administration: Example

Role Administration: Tips and Tricks

Creating Roles

Organization Without the Profile Generator

Creating and Maintaining Authorizations/Profiles Manually

Line-Oriented Authorizations

Administration Tasks

Maintaining Authorization Profiles

Einzel- und Sammelprofile

Defining Profiles and Authorizations

Alternative Authorizations

Choosing Authorization Objects

Maintaining Composite Profiles

Activate Profiles

Naming Convention for Predefined Profiles

Maintaining Authorizations and Their Values

Special Authorizations Requiring Protective Measures

Authorization Profile SAP_ALL

Generated Role SAP_APP

Developer Documentation for User and Role Administration

Authorization Checks

Authorization Checks in Your Own Developments

Creating Authorization Fields

Assigning an Authorization Object to an Object Class

Programming Authorization Checks

Transporting Authorization Objects and Classes

Programmatically Checking Passwords Against the Password Rules

Performing Authorization Checks Based on Scenarios

Creating Scenario Definitions for Authorization Checks

Activating Scenarios for Testing

Automatically Adding Authorization Objects to Scenarios

Manually Adding Authorization Objects to Scenarios

Transporting Scenarios Definitions

Switchable Authorization Check Framework Overview

Authorizations Required For Scenario-Based Authorizations

User Management of the Application Server Java

User Management Engine

Authorization Concept of the AS Java

Architecture of Security Roles

Permissions, Actions, and UMERoles

Integration of UMERoles with ABAP Roles

Configuring User Management

First Steps in User Management

UMEData Sources

Selecting the UMEData Source

Database Only as Data Source

LDAP Directory as Data Source

Organization of Users and Groups in LDAP Directory

Configuring the UME to Use an LDAP Directory as Data Source

Configuring High Availability of the LDAP Data Source

UME Connection Pool for LDAP Directory

Customizing a UME Data Source Configuration

Accessing Data Source Configuration Files Offline

Accessing Data Source Configuration Files Online

Data Source Types

Home Data Source

Data Partitioning Scenarios

Namespaces

Structure of a Data Source Configuration File

<dataSources>

<homeFor> and <notHomeFor>

<responsibleFor> and <notResponsibleFor>

<attributeMapping>

<privateSection>

Examples of Data Source Configuration Files

Example: Attribute Mapping for Client Certificates

Example: Attribute Mapping for Custom Attributes

Example: Configuration of Multiple LDAP Data Sources

Example: Attribute-Based Data Partitioning

Example: Type-Based Data Partitioning

Example: User-Based Data Partitioning

Example: Multiple Object Classes for a Principal Type

Example: Negative User Filter

Example: Self-Managed Passwords

Example: User Mapping with LDAP and Tickets

User Management of Application Server ABAP as Data Source

Constraints for UMEwith ABAP Data Source

Constraints for the UME and Central User Administration

Data Source Configuration Files

Configuring the UME to Use an AS ABAP as Data Source

Configuring the UMEto Use the Current User for Change Operations

Changing the AS ABAP Back-End System for the UME

Changing the ABAP Client for the UME After a Client Copy

Changing the Password of the User for UME-ABAP Communication

Requirements for the System User for UME-ABAP Communication

Configuring the UMEfor Directory Service Sync with AS ABAP

Customizing a Directory Service Configuration File

Editing UME Properties

Editing UME Properties Online

Editing UME Properties Offline

Configuring the Security Policy for User IDs and Passwords

Global Properties for Security Policies

Integration of the UME Security Policy With External Data Sources

Default Security Policy Profiles

Notification by E-Mail

Configuring E-Mail Notification

Changing the Texts of Notification E-Mails

Configuring Self-Registration

Configuring Self-Management

Enabling Users to Reset Their Own Password

Configuring Logon Help

Configuring the Logon Screen

Configuring Delegated User Administration Using Companies

Companies

Company Group

Companies and Self-Registration with Approval

Disabling Companies for an ABAP Data Source

Types of User Administrator

Configuring Virtual Groups

Allowing Users to View the Contact Information of Other Users

Adding Custom Attributes to the User Profile

Additional Configuration Options

Configuring Users' Display Name

Configuring Groups' Name, Display Name, and Description

Configuring Simple Search

Configuring Search Options for the UME

Configuring the List of Available Languages

Configuring E-Mail Signatures

Enabling E-Mail Signatures

Creating and Modifying Corporate Signatures

Creating and Modifying Personalized Signatures

Defining a Pattern for User E-Mail Addresses

Optimizing Performance With the UME Cache

Configuring the Notification of Failed Logon Attempts

Administration of Users and Roles

Identity Management

UMEGroups

User Profile

Managing Users, Groups, and Roles

Assigning Principals to Roles or Groups

Segregation of Duties

Password Management

Locking or Unlocking Users

Approving or Rejecting Users

Creating a Technical User

Changing the Logon Alias of Users

Configuring User Mappings on the Behalf of Users

Self-Registration

Moving a User to Another Company

Maintaining the User's Certificate Information

Exporting User Management Data

Importing User Management Data

Monitoring the Performance of the UMECache

Troubleshooting

Activating the Emergency User

Logging and Tracing

Directory Server Access Log

Directory Server Connection Pool Log

Checking the Consistency of Entries in the UME Database

Repairing Inconsistencies of Entries in the UME Database

Refreshing the User Caches of the AS Java

Downloading the UME Configuration

Reference Documentation for User Management

Logical Attributes

Standard Users

Default Security Policy Profiles

Standard User Groups

Standard UMERoles

Standard UME Actions

Standard Java EE Security Roles

UMEProperties

UMECache

Import Format for UME Principals

User Data Import Format

Group Data Import Format

Role Data Import Format

Developer Documentation for User Management