
Security Aspects of User Self Service

Use
Note

This documentation is applicable for both IW_BEP and SAP_GWFND component.

In addition to managing your company’s users using the User Management tools, SAP Gateway allows you to enable your customers to register themselves as users in your SAP system using the User Self Service functionality.

Implementation Considerations

To implement user self service, you must have users in SAP NetWeaver AS ABAP with the authorizations needed to create and maintain users.

The following are the different types of users:

User             User Type   SAP Gateway Hub   SAP Business Suite (with IW_BEP)
Service User     Service     Yes               Yes
Admin User       Dialog      No                Yes
Reference User   Reference   Yes               Yes

The section below explains how to set up the different users.

Users, Roles, and Authorizations for User Self Service

Following are the types of user to create:

  • Service User

    The service user is used by anonymous users to create requests to create users, or to reset the password of users that have already been created.

    The service user is an Internet user created both in the SAP Gateway hub and in the SAP Business Suite system with the IW_BEP add-on.

    • Setting Up the Service User in the SAP Gateway Hub:

      1. Create a user of type Service, for example gwusssrv, with the role template /IWFND/RT_GW_USR.

      2. Assign to your newly created service user the roles for creating and unlocking users, as well as for changing user passwords, in SAP NetWeaver AS ABAP.

      3. Allow access to execute the OData Service /IWBEP/USERREQUESTMANAGEMENT_0001.

        You can restrict access to executing only the service /IWBEP/USERREQUESTMANAGEMENT_0001 by maintaining the values of the authorization object S_SERVICE, which is part of the role template /IWFND/RT_GW_USR.

        For the role and authorization assignments mentioned above, refer to the role template /IWBEP/RT_USS_SRVUSR on the Business Suite system containing the component IW_BEP or SAP_GWFND.

        It contains the authorizations to create users in the SAP NetWeaver system.

        To make the authorizations more restrictive with respect to the roles and profiles that may be assigned to newly created users, specify in the authorization objects S_USER_AGR and S_USER_PRO the roles and their corresponding profiles that are allowed to be assigned to the users to be created.

        By default, the role template /IWBEP/RT_USS_SRVUSR does not contain any values for the authorization objects S_USER_AGR and S_USER_PRO.

        To use the unlocking functionality, the service user requires the authorization object S_USER_GRP with ACTVT 3 (Display) and 5 (Lock).

    • Setting Up Service User in the SAP Business Suite with IW_BEP Add-On

      1. Create a user of type service.

        The name of the user must match the name of the service user created in the SAP Gateway hub.

      2. Create a role from the role template, /IWBEP/RT_USS_SRVUSR, and assign it to service user.

        The template contains the authorizations to create users in SAP NetWeaver AS ABAP.

      3. Edit the authorization objects, S_USER_AGR, and S_USER_PRO, by adding the roles and profiles copied from the Reference user.

        Manually edit the values of the authorization objects: for S_USER_AGR, enter the role name in the field ACT_GROUP; for S_USER_PRO, enter the profile value in the field PROFILE.

  • Admin User

    The Admin User is required in SAP Gateway with IW_BEP Add-On for:

    • Maintaining the activation URL, using SPRO in the implementation guide.

    • Executing transaction /IWBEP/URM_CLEANUP, to clean up the User Request Store and secure store.

    To set up:

    1. Create an Admin User, for example gwussadm, of type Dialog in the SAP Business Suite system with the IW_BEP add-on.

      The Admin user is required for administration tasks related to User Self Service in SAP Gateway.

    2. Assign the role template /IWBEP/RT_USS_ADMUSR to the newly created Admin user.

  • Reference user

    The reference users should be created in both SAP Gateway Hub and SAP Business Suite System (with IW_BEP Add-On).

    The reference users are used as a reference to create named users in SAP NetWeaver AS ABAP.

    The following are the steps for setting up the reference user in SAP Gateway Hub:

    1. Create a user of type Reference User, for example MGW_UM_USR.

      This user is used by the user management service to create users in the system.

    2. Provide an alias for the Reference User.

      Using transaction SPRO, open the implementation guide and maintain the activity, User Category.

      Maintain the user profile using the roles tab in the User Management tool (SU01) in SAP NetWeaver AS ABAP.

      Assign the set of roles that are required for the users to be created from the reference user.

    3. Enable changing of the password, using the roles in the User Management tool in SAP NetWeaver AS ABAP.

    The following are the steps for setting up the reference user in the SAP Business Suite system (with IW_BEP):

    1. Create a user of type Reference User, for example MGW_UM_USR.

      This user is used by the user management service to create users in the system.

    2. Provide an alias for the Reference User.

      Using transaction SPRO, open the implementation guide and maintain the activity, User Category.

      The reference user name should be identical to the reference user created in SAP Gateway Hub.

    3. Maintain the user profile using the roles tab in the User Management tool (SU01) in SAP NetWeaver AS ABAP.

    4. Create a role out of role template /IWBEP/RT_USS_INTUSR and maintain the authorization object values present in the role.

    5. Assign the role to the Reference user.

Password Policy Check

The default implementation of the User Self Service BAdI /IWBEP/BD_MGW_UM_USER_MANAGER is enhanced to check the password against the security policy that is either assigned directly to the user (see http://help.sap.com/saphelp_nw73ehp1/helpdata/en/30/28875d5b174869912857b6eafca2c7/content.htm for more information) or assigned to the reference user from which the user is created. There are multiple ways to check a password against the security policies. For User Self Service, the check happens in the following sequence:

  1. First, the password is checked against the security policy assigned to the user.

  2. If no security policy is assigned to the user, the password is checked against the security policy of the reference user.

  3. If no security policy is assigned to the reference user either, the password is checked against the security policy defined by the system profile parameters.
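The three-step resolution above, as an added Python model that is not the BAdI's own code: it resolves the effective policy for a self-registered user and reports which policy attributes a candidate password violates. The users, policy names and values are constructed; the attribute and profile parameter names are used only as labels for the model.

```python
# Constructed model of the documented resolution order; it is not the
# /IWBEP/BD_MGW_UM_USER_MANAGER BAdI code, and all names and values are made up.

# System-wide fallback (step 3): modelled after the login/min_password_* profile parameters.
PROFILE_PARAMETERS = {"login/min_password_lng": 6, "login/min_password_digits": 0,
                      "login/min_password_letters": 0}

# Security policies that can be assigned to a user (constructed attribute values).
SECURITY_POLICIES = {
    "STRICT_POL": {"MIN_PASSWORD_LENGTH": 12, "MIN_PASSWORD_DIGITS": 2},
    "REF_POL": {"MIN_PASSWORD_LENGTH": 8},
}

# user -> (security policy assigned to the user or None, reference user or None)
USERS = {
    "MGW_UM_USR": ("REF_POL", None),        # reference user with its own policy
    "NOPOL_REF": (None, None),              # reference user without a policy
    "ALICE": ("STRICT_POL", "MGW_UM_USR"),  # step 1: the policy on the user wins
    "BOB": (None, "MGW_UM_USR"),            # step 2: inherits the reference user's policy
    "CAROL": (None, "NOPOL_REF"),           # step 3: only the profile parameters apply
}


def resolve_policy(user: str) -> tuple[str, dict]:
    """Return (source, policy) following the documented three-step sequence."""
    own_policy, ref_user = USERS[user]
    if own_policy:
        return "user", SECURITY_POLICIES[own_policy]
    if ref_user and USERS[ref_user][0]:
        return "reference_user", SECURITY_POLICIES[USERS[ref_user][0]]
    return "profile_parameters", {
        "MIN_PASSWORD_LENGTH": PROFILE_PARAMETERS["login/min_password_lng"],
        "MIN_PASSWORD_DIGITS": PROFILE_PARAMETERS["login/min_password_digits"],
        "MIN_PASSWORD_LETTERS": PROFILE_PARAMETERS["login/min_password_letters"],
    }


def check_password(user: str, password: str) -> tuple[str, list[str]]:
    """Validate a password against the resolved policy; returns (source, violated attributes)."""
    source, policy = resolve_policy(user)
    counts = {
        "MIN_PASSWORD_LENGTH": len(password),
        "MIN_PASSWORD_DIGITS": sum(c.isdigit() for c in password),
        "MIN_PASSWORD_LETTERS": sum(c.isalpha() for c in password),
    }
    violations = [attr for attr, minimum in policy.items() if counts[attr] < minimum]
    return source, violations
```

The CAROL case is the one to watch in practice: a reference user without a security policy means every user created from it is checked only against the system profile parameters, so assign a policy to the reference user when the self-registered users themselves get none.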