Show TOC

Example: Negative User FilterLocate this document in the navigation structure

The negative user filter enables you to define that certain users and accounts are not displayed on the user interface and are not taken into account by the user management engine (UME).

By specifying the ume.ldap.negative_user_filter property for directory service data sources in the data source configuration file, you can define that all users and accounts that match the defined conditions are filtered out by the UME application programming interface (API).

Users that are defined in the filter are:

  • Not displayed in any UME user interfaces, such as identity management or the user mapping function in the SAP Enterprise Portal
  • Not displayed in any applications that use the UME API
  • Ignored by functions such as user export
  • Not able to log on to any applications that use programmatic authentication with the UME API

Marcus Kopp wants to filter out all users with the last name Murphy. He must edit the <privateSection> subsection of the directory service section of the data source configuration file. Marcus adds the attribute ume.ldap.negative_user_filter with the following syntax:


It is a list of one or more conditions separated by semicolons. Each condition is a directory service attribute, and a list of one or more values for this attribute separated by commas and contained in brackets. The attribute must be a physical attribute in the directory service and not a logical attribute as used by the UME API. If the user meets any one of the conditions, the UME filters it out.

Marcus defines that all users with the last name Murphy are filtered out.

<dataSources>     ...     </dataSource>     <dataSource id="CORP_LDAP">         ...         <privateSection>             ...             <ume.ldap.negative_user_filter>                 sn=[Murphy]             </ume.ldap.negative_user_filter>         </privateSection>     </dataSource> </dataSources>


Marcus defines that all users with the last name Murphy or Smith are filtered out.

            <ume.ldap.negative_user_filter>                 sn=[Murphy,Smith]             </ume.ldap.negative_user_filter>


The following example applies for Microsoft Active Directory Server (ADS). Here, all user accounts that are disabled on ADS or that have the object class computer are filtered out.

            <ume.ldap.negative_user_filter>                 useraccountcontrol=[514];objectclass=[computer]