
SAP NetWeaver AS ABAP User Management as Data Source

Purpose

User Management Engine (UME) can use an SAP NetWeaver AS for ABAP (AS for ABAP) as its data source for user management data. This enables you to take advantage of the following:

·        Users of the ABAP system are visible as users in the UME and can log on with their passwords from the ABAP system.

·        Roles of the ABAP system are visible as groups in the UME. The hierarchy between collective roles and single roles is realized as nested group structures. New groups created with the J2EE Engine are created in the Java database.

Note

Because of the different interpretations of the “contains in” relationship between ABAP and UME, the visual order of the groups is reversed. A group representing a collective role is a child element of the group representing a single role. In the ABAP system, the single roles are displayed as child elements of collective roles.

·        User and role assignments in the ABAP system are shown as user and group assignments in the UME. You can use the ABAP roles for authorization management in the UME, by adding the groups representing the ABAP roles to the UME roles.
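The reversed group hierarchy and its effect on UME role assignment, as an added Python example (not SAP code). All role, user and UME role names are constructed, and the example assumes that members of a child group count as members of its parent group.

```python
# Added example, not SAP code. All role, user and UME role names are constructed.

# ABAP side: a collective role contains single roles.
ABAP_COLLECTIVE_ROLES = {
    "Z_COLL_FINANCE": ["Z_SINGLE_AP_CLERK", "Z_SINGLE_GL_DISPLAY"],
}
# ABAP side: direct user-to-role assignments.
ABAP_USER_ROLES = {
    "ALICE": ["Z_COLL_FINANCE"],
    "BOB": ["Z_SINGLE_GL_DISPLAY"],
    "CAROL": [],
}
# UME side: UME roles granted to the groups that represent ABAP roles.
UME_ROLE_TO_GROUPS = {
    "ume.gl_viewer": ["Z_SINGLE_GL_DISPLAY"],
    "ume.finance_admin": ["Z_COLL_FINANCE"],
}


def ume_child_groups(collective_roles):
    """Parent group -> child groups as the UME shows them (reversed vs. ABAP)."""
    children = {}
    # Each single-role group is the parent; collective roles containing it are children.
    for collective, singles in collective_roles.items():
        for single in singles:
            children.setdefault(single, set()).add(collective)
    return children


def group_members(group, children, user_roles, _seen=None):
    """Users in a group, directly or through child groups (assumed transitive)."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # guard against cyclic sample data
        return set()
    seen.add(group)
    members = {u for u, roles in user_roles.items() if group in roles}
    for child in children.get(group, ()):
        members |= group_members(child, children, user_roles, seen)
    return members


def users_with_ume_role(ume_role):
    """Resolve which ABAP users end up holding a UME role through its groups."""
    children = ume_child_groups(ABAP_COLLECTIVE_ROLES)
    users = set()
    for group in UME_ROLE_TO_GROUPS.get(ume_role, ()):
        users |= group_members(group, children, ABAP_USER_ROLES)
    return sorted(users)
```

Granting a UME role to a single-role group also reaches every user who holds a collective role containing that single role, which is worth checking when reviewing who receives an authorization.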

The data source configuration file is dataSourceConfiguration_abap.xml.

Prerequisites

The SAP NetWeaver AS for ABAP must have release 6.20 SPS25 or higher.

Constraints

When you use an AS for ABAP system as the data source for user management data, the following constraints apply when using the tools on the J2EE Engine.

Password Administration

Due to the security policy of the AS for ABAP system, users can change their passwords only once per day. This is true, even if an administrator resets the user’s password. However, if the administrator provides a new password, the user can and must change his or her password the next time he or she logs on.

Read-Only and Read-Write Access to the ABAP User Management

The file dataSourceConfiguration_abap.xml grants the UME read-write access to the AS for ABAP system by default. However, as long as the system user (SAPJSF) has no ABAP role, or is assigned to an ABAP role with read-only access, the UME cannot write to the AS for ABAP system.

If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, such as first name and last name. You can modify attributes stored in the UME database, such as street. Even if read-only access is assigned, users can still change their own passwords.

If the UME has read-write access, you can create users using the J2EE Engine tools. They are stored as users in the AS for ABAP system. Extended user data that cannot be stored in the standard AS for ABAP user record is stored in the database of the UME.

To enable read-write access for the system user, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for System User SAPJSF_<SID> in ABAP Systems.

Note

You can activate the self-registration and maintain-own-profile functions provided by the UME. In this way users can change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration.

User Administration

When you use the user administration tools of the J2EE Engine, certain limitations apply:

Limitations of User Search Criteria

| User Search Criteria | Limitations |
| --- | --- |
| Creation date, Date of last password change, Last logon date | The search only considers actions performed using the J2EE tools. For example, if a user last logged on using a J2EE application such as SAP NetWeaver Portal on 11/26/03 and using SAP GUI on 11/28/03, the search determines 11/26/03 to be the user’s last logon date. This is because UME only stores data about user actions performed using J2EE tools. |
| Street, City, State/Province, Zip/Postal code | The search only considers data stored in the UME tables of the J2EE Engine database. This data is different from the data stored in the ABAP user master data. |
| Country, Fax, Form of address, Language, Telephone, Time zone | You cannot search for users on these criteria. |

Group Management

You cannot change groups that represent roles in the AS for ABAP system or change user assignments to these groups. To create new groups or change existing groups within the AS for ABAP system, use the transaction PFCG in the AS for ABAP system. New groups created with the UME are stored in the local database. You can assign users from the AS for ABAP system to these groups.

Limited Operations for the System User

The system user for communication with the AS for ABAP system cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. For this system user no user management operations in the UME are possible.

UME Security Policy Configuration

We recommend that you configure the UME security policy to be the same as the settings in the AS for ABAP system. The only exception is the settings for locking users after invalid logon attempts. You should deactivate these settings in the UME so that the AS for ABAP system is responsible for locking users. For more information, see Security Policy. During an AS for ABAP + Java installation, these values are configured automatically.

For more information on the security policy settings in the AS for ABAP system, see Profile Parameters for Logon and Password (Login Parameters).

Changing Data Source

Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.

For more information about other data source configuration files, see Data Source Configuration Files.

Language of the System User

The system user (SAPJSF) is configured to use a specific language in the AS for ABAP system. The language setting used for the system user determines the value of the user attribute salutation returned from the AS for ABAP system. We recommend that you configure the language of the system user to match the language preferred by a majority of the UME or Enterprise Portal users. Only make changes to the attribute salutation in the AS for ABAP system. For details, see SAP Note 866367.

Delay in the Display of ABAP Roles in the UME

If you create a new ABAP role or change the description of an existing ABAP role in the AS for ABAP system, these changes may not be visible in the UME for up to 30 minutes. The UME reads this data from the AS for ABAP system every 30 minutes, so when the changes appear depends on when the UME last read the data. To force the UME to read the data from the AS for ABAP system, you must restart the AS for Java system.

Time Zone Mapping

The AS for ABAP and AS for Java systems use different concepts for displaying time zones. AS for ABAP uses generic regional designations, such as Central European Time (CET). AS for Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.

A default mapping between the two systems is installed. You cannot change it, but you can override it. To override the default mapping or add additional mappings, enter the time zone pairs under the property ume.r3.connection.<adapterid>.TimeZoneMapping. See SAP ABAP-Based System as Data Source.

Configuring the UME against the Central System of a CUA

The UME can connect to the central system of an AS for ABAP Central User Administration (CUA). The UME can view all users present in any system managed by the central system; however, the AS for ABAP users can only log on to the UME if they have a system assignment in the central system. When you create new users in the UME, this assignment is created automatically.

The UME can view only the roles that are present in the central system, that is, roles that are available in the transaction PFCG. Roles known to the central system in the value help for user/role-assignment for managed systems are not visible to the UME. From the UME, you can only view those user/group assignments made for the central system.

See also:

SAP ABAP-Based System as Data Source

Changing the AS for ABAP Backend System
