In SAP Gateway, users and their authentication are managed using standard SAP mechanisms as well as consumer-specific server tools.
You can import user data, such as roles, users, and their authorizations, from your SAP back-end system to the SAP Gateway host, or you can use SAP NetWeaver Identity Management Center to manage user data between your SAP systems.
SAP Gateway utilizes the user and role administration functions of SAP NetWeaver AS ABAP. Each user has a user master record that contains all the information about that user.
In addition, the user master record includes the authorizations contained in roles and profiles that limit the user's scope of action in the system.
The tools for user and role maintenance are as follows:
For user maintenance, use transaction SU01 or SU10.
For role maintenance, use transaction PFCG.
In Central User Administration, you can use the transactions PFCG, SM59, SU01, SCUA, SCUM, SCUG, SUGR, and SCUL.
The following is an overview of user management in SAP Gateway:
SAP Gateway uses local ABAP user management.
SAP Gateway users can be synchronized from a central user management system, such as the SAP Identity Provider (SAP IDM) or an external LDAP server.
SAP Gateway users should have user names that are identical to their user names in the SAP Business Suite system.
Scenarios with external user mapping:
SAP Gateway user name is defined in the user store of the LDAP server.
SAP Gateway user name is identical to the NameID attribute value in the SAML assertion.
Scenarios with user mapping on SAP Gateway:
NameID attribute value in SAML assertion is mapped to the SAP Gateway user name.
X.509 client certificate’s subject is mapped to the SAP Gateway user’s name.
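The following is an added example, not SAP code or part of the original documentation: an offline consistency check over the user lists and mapping tables described above. It reports SAP Gateway users without an identically named back-end user, mappings that point to a missing SAP Gateway user, and external identities that resolve to more than one user. All data, function names, and the normalization rules (case folding, trimming spaces in the certificate subject) are assumptions made for the illustration.

```python
# Constructed sample data; in practice these would be exports from the
# SAP Gateway host, the back-end system, and the mapping configuration.
GATEWAY_USERS = {"JSMITH", "MDOE", "GWONLY"}
BACKEND_USERS = {"JSMITH", "MDOE", "BKUSER"}
SAML_NAMEID_MAP = [   # (NameID value, SAP Gateway user name)
    ("john.smith@example.com", "JSMITH"),
    ("John.Smith@example.com", "MDOE"),    # same NameID after case folding
    ("ghost@example.com", "NOUSER"),       # target user does not exist
]
X509_SUBJECT_MAP = [  # (certificate subject, SAP Gateway user name)
    ("CN=Mary Doe, O=Example, C=DE", "MDOE"),
    ("CN=Mary Doe,O=Example,C=DE", "JSMITH"),  # same subject, other spacing
]

def norm_nameid(value):
    # Assumption: NameIDs differing only in case deserve a review.
    return value.strip().casefold()

def norm_subject(dn):
    # Simplified: trims spaces around separators, ignores escaped commas.
    return ",".join(part.strip() for part in dn.split(",")).casefold()

def audit_mapping(entries, normalize, gateway_users):
    """Return (dangling, ambiguous) findings for one mapping table."""
    seen, dangling, ambiguous = {}, [], []
    for external_id, user in entries:
        user = user.upper()
        if user not in gateway_users:
            dangling.append((external_id, user))
        key = normalize(external_id)
        if key in seen and seen[key] != user:
            ambiguous.append((key, sorted({seen[key], user})))
        seen.setdefault(key, user)
    return dangling, ambiguous

def name_mismatches(gateway_users, backend_users):
    """SAP Gateway users with no identically named back-end user."""
    return sorted(gateway_users - backend_users)

if __name__ == "__main__":
    print("no back-end twin:", name_mismatches(GATEWAY_USERS, BACKEND_USERS))
    print("SAML :", audit_mapping(SAML_NAMEID_MAP, norm_nameid, GATEWAY_USERS))
    print("X.509:", audit_mapping(X509_SUBJECT_MAP, norm_subject, GATEWAY_USERS))
```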