The user management engine (UME) provides a centralized user management for all Java applications and can be configured to work with user management data from multiple data sources. It is seamlessly integrated in the SAP NetWeaver Application Server (AS) Java as its default user store and can be administrated using the administration tools of the AS Java.
The UME adds business value by enabling you to leverage your existing system infrastructure by accessing user-related data on an existing LDAP directory, an AS ABAP system, a database of the AS Java, or any combination of these. In addition it reduces administrative overhead by allowing you to perform centralized user administration.
The UME runs as a service in the AS Java and is the default user store.
Multiple Data Sources
The UME can be configured to read and write user-related data from and to multiple data sources, such as Lightweight Directory Access Protocol (LDAP) directories, the system database of the AS Java, and user management of an AS ABAP.
The following figure illustrates the architecture of the UME.
In the figure, user data is stored in one or more data sources. Each type of data source has its own persistence adapter. The persistence manager consults the persistence adapters when creating, reading, writing, and searching user management data. The application programming interface (API) is a layer on top of the persistence manager.
In the persistence manager, you configure which data is written to or read from which data source, so that the applications using the API do not have to know any details about where user management data is stored.
Identity management enables administrators to perform routine administration tasks such as creating or searching for users and groups, and assigning users and groups to roles. You can also configure the UME for e-mail notification. E-mails are automatically sent to users or administrators on specific events. For example, if an administrator locks a user account, the user receives an e-mail informing him or her of the change.
You can define a password policy including settings such as minimum and maximum length of passwords, number of failed logons before the system locks a user, and so on.
UME provides self-service scenarios that allow users to register themselves as new users or to change their own data (address, password, and so on). It is also possible to set up an approval workflow, whereby administrators approve newly registered users.
The UME logs important security events, such as successful and failed user logons, and creation or modification of users, groups, and roles.
Import and Export of User Data
The UME enables you to import and export user data from and to external systems.
The UME enables you to define virtual groups based on the content of a user attribute.
Enables you to support delegated user administration.
Simple Search Configuration
You can configure what attributes the simple search targets.
The UME APIs support access using the Service Provisioning Markup Language (SPML). For more information, see service.sap.com/security → Security in Detail → Secure User Access → Identity Management → SAP Identity Management APIs.
SAP Identity Management Identity Centeruses the SPML interface to access the UME.
Here you can find information on configuring the data sources that UMEuses to read and write user management data, and other configuration options.
The UME provides an administration console called, identity management, for performing administrative tasks such as searching for and creating users, groups, and roles.
This section also includes information about configuring the emergency user.
This includes information on the UMEproperties and configuration files.