Constraints for UMEwith ABAP Data Source
When you use an AS ABAP as the data source for user management data, the following constraints apply when using the tools of the AS Java.
Due to the security policy of the AS ABAP, users can change their passwords only once per day. This is true, even if an administrator provides a new password. However, if the administrator provides a new password, the user can and must change his or her password the next time he or she logs on.
The file dataSourceConfiguration_abap.xml grants the UME read-write access to the AS ABAP. Write access to the AS ABAP system fails if one of the following is true for the system user communication between the UMEand the AS ABAP (default name SAPJSF):
- The user has no ABAP role
- The user is assigned to an ABAP role with read-only access
When the AS Java starts, the UME checks the roles assigned to the system user and if it finds no roles or only the role SAP_BC_JSF_COMMUNICATION_RO, the UMEswitches to read-only access for users located in the ABAP system.
- If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, like first name, and last name. You can modify attributes stored in the UMEdatabase, like street. Even if read-only access is assigned, users can still change their own passwords.
- If the UME has read-write access, you can create users using the AS Java tools. They are stored as users in the AS ABAP. Extended user data that cannot be stored in the standard AS ABAP user record is stored in the database of the UME.
To enable read-write access to the system user, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for the System User for UME-ABAP Communication .
You can activate the self-registration and maintain-own-profile functions provided by the UME. In this way users can change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration .
The following table shows the list of user attributes, which can be read from or written to the AS ABAP. This list is fixed and cannot be extended. Attributes without an entry for Field Name in the Identity Management User Interface do not appear in the user interface and are only available from the UME API. Attributes, which do not appear in this table, are only stored in the database of the AS Java. (For example: Street, City, State/Province, Zip/Postal Code.)
UME User Attributes Stored and the AS ABAP
| Logical Name of the UME Attribute | Field Name in the Identity Management User Interface | Comments and Field Name in ABAP User Management |
|---|---|---|
|
company |
Company |
User Group for Authorization Check |
|
CREATED_BY |
|
Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier. |
|
department |
Department |
Department |
|
|
E-Mail Address |
E-Mail Address |
|
fax |
Fax |
Fax |
|
firstname |
First Name |
First name |
|
islocked |
User Account Locked |
|
|
ispassworddisabled |
Disable Password |
Can only be reset by assigning a new password. |
|
j_password |
Editable when entering passwords. |
|
|
jobtitle |
Position |
Function |
|
LAST_MODIFIED_BY |
|
Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier. |
|
lastname |
Last Name |
Last name |
|
lastsuccessfullogon |
|
Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier. |
|
locale |
Language |
The UME uses the Logon Languageattribute to determine the language part of the locale. If this attribute is empty, the UME uses the Language of the Person. The UMEuses the Country attribute of the user's Company to determine country part of the locale.
When the UME writes a locale to the back end, the language part of the locale is written to the Logon Language attribute. However, the UME cannot write to the Country attribute. You must change this manually in the ABAP back-end system. |
|
lockreason |
|
Only administrative locks can be set explicitly. Locks due to failed logon attempts are set implicitly. |
|
logonalias |
Logon Alias |
Alias |
|
mobile |
Mobile |
Mobile Phone |
|
passwordchangerequired |
|
Cannot be set explicitly. Implicitly changed by assigning a new password or by user-based password change. |
|
PRINCIPAL_CREATION_DATE |
Date of Account Creation |
Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier. |
|
PRINCIPAL_MODIFY_DATE |
|
Read-Only. |
|
referenceuser |
|
Reference User |
|
salutation |
Form of Address |
Title |
|
SecurityPolicy |
Security Policy |
User Type |
|
sncname |
|
SNC name |
|
telephone |
Telephone |
Telephone |
|
timezone |
Time Zone |
Time zone |
|
title |
|
Academic Title |
|
validfrom |
Start Date of Account Validity |
Valid from |
|
validto |
End Date of Account Validity |
Valid to |
The file dataSourceConfiguration_abap.xml enables you to create users only in the ABAP system. Once the UME is configured to use the AS ABAP as a data source, you cannot create users in the database of the AS Java; though you can still delete and edit existing users. ABAP roles determine your write access to the ABAP user management. If you have read-only access, you cannot create any users. The UMEdoes not default to creating users in the local database of the AS Java. Nor can you edit or delete users in the AS ABAP without read-write access.
When you use the tool for user management, certain limitations apply:
Limitations of User Search Criteria
| Field name or Logical Attribute Name of the UME User Record | Limitation |
|---|---|
|
Creation Date Date of Last Password Change |
The search only considers actions performed using the AS Java tools. |
|
Street City State/Province Zip/Postal Code |
The search only considers data stored in the UMEtables of the AS Java database. This data is different from the data stored in the ABAP user master data. |
|
Country Disable Password End Data of Account Validity Fax Form of Address Language Mobile Start Date of Account Validity Telephone Time Zone |
You cannot search for users on these criteria. |
|
E-Mail Address |
Only the first 20 characters are used for searches. |
|
j_password lastsuccesfullogon lockreason passwordchangerequired sncname title |
You cannot search for users on these attributes. |
|
CREATED_BY LAST_MODIFIED_BY PRINICIPAL_MODIFY_DATE referenceuser |
You can search for users on these criteria with the UME API, but not with the search function of the identity management user interface. These attributes do not appear in the user interface of identity management. |
You cannot change the names of groups that represent roles in the AS ABAP, but you can change user assignments to these groups. To create new groups or change existing groups within the AS ABAP, use the transaction PFCG in the AS ABAP.
The following limitations exist for UMEgroups that represent roles in the AS ABAP:
- You can only assign ABAP users to UME groups that represent ABAP roles.
- The UME cannot show a user-group assignment, when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP.
If you try to assign a UME group to a user, when the user is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you receive an error message.
- If a role assignment to a user in ABAP is by means of a collective role or organizational management, you cannot unassign the user from the corresponding UME group.
- If a role assignment to a user in ABAP is by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding UMEgroup.
- If a role assignment to a user in ABAP is by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding UME group.Tip
Alain the user administrator has assigned user FGOMEZ to the roles Z_DIRECT and Z_COLLECT. Z_COLLECT is a collective role including the role Z_DIRECT. When Alain uses identity management of the AS Java, he cannot unassign FGOMEZ from the UMEgroup Z_DIRECT, because this ABAP role is also assigned indirectly by the ABAP role Z_COLLECT.
New groups created with the UME are stored as UMEgroups in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UMEgroups. You can also assign the groups that represent ABAP roles to UME groups; however, such indirect role assignments are not written to the back-end ABAP system. So a user is a member of the indirectly assigned group based on the ABAP role, but that user does not have the ABAP authorizations contained in that role.
Alain the user administrator has assigned the UMEgroup Z_DIRECT (based on the ABAP role of the same name) to the UME group Everyone. When Alain looks at the details of any user in the system, he sees that the user is a member of the group Z_DIRECT. When Alain checks the user in the AS ABAP, none of the users have the authorizations associated with that ABAP role.
Like groups, new roles created with the UME are stored as UME roles in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UME roles. You can also assign the groups that represent ABAP roles to UMEroles.
If you create a new ABAP role or change the description of an existing ABAP role in the AS ABAP, these changes may not be visible in the UMEfor up to 30 minutes. The UMEreads this data from the AS ABAP every 30 minutes. When the information appears is dependent upon when the UMElast read the data. To force the UME to read the data from the AS ABAP, you must restart the AS Java.
The system user for UME-ABAP communication cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. For this system user, no user management operations in the UME are possible.
To prevent a conflict between the UME and AS ABAP security policies, the UMEignores its own security policy to some extent when the AS ABAP is the data source.
For more information about the security policy in the AS Java, see Security Policy .
For more information about the security policy settings in the AS ABAP, see the AS ABAP documentation.
Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.
For more information about other data source configuration files, see Data Source Configuration Files .
The system user for UME-ABAP communication is configured to use a specific language in the AS ABAP. The language setting used for the system user determines the value of the user attribute Form of Address returned from the AS ABAP. We recommend that you configure the language of the system user to match the language preferred by a majority of the UME or portal users. Only make changes to the attribute Form of Address in the AS ABAP. For details, see SAP Note 866367.
The AS ABAP and AS Java use different concepts for displaying time zones. The AS ABAP uses generic regional designations, such as Central European Time (CET). The AS Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.
You can configure a mapping between these time zone concepts. The AS Java gets this information from the AS ABAP through the RFC destination I18NBackendConnection. In an AS ABAP + AS Java combined installation, this destination is configured automatically. If you configure an AS Java to use an AS ABAP as a data source, you must configure this destination manually. Assign the connection user (default name SAPJTIME) the ABAP role SAPI18N. For more information, see Maintaining RFC Destinations .
A password lock occurs when a user attempts to log on and enters the wrong password too many times. You cannot unlock a password lock from the AS Java user management application, like you can when the data source is the database of the AS Java. The back-end AS ABAP does not support this unlock function. Instead you must assign a new initial password to the user. The user can then log on with the new password.
The ABAP back-end system reports error messages or warnings to the UMEuser interface localized for the user currently logged on.
For back-end systems with a release SAP NetWeaver 7.0 or earlier, these messages appear in a technical nonlocalized notation.