
Background documentation: Constraints for UME with ABAP Data Source

When you use an AS ABAP as the data source for user management data, the following constraints apply when using the tools of the AS Java.

Password Management

Due to the security policy of the AS ABAP, users can change their passwords only once per day. This is true even if an administrator resets the user’s password. However, if the administrator provides a new password, the user can and must change his or her password the next time he or she logs on.

Read-Only and Read-Write Access to the ABAP User Management

The file dataSourceConfiguration_abap.xml grants the UME read-write access to the AS ABAP by default. Write access to the AS ABAP system fails if one of the following is true for the system user communication between the UME and the AS ABAP (default name SAPJSF):

·        The user has no ABAP role

·        The user is assigned to an ABAP role with read-only access

When the AS Java starts, the UME checks the roles assigned to the system user and if it finds no roles or only the role SAP_BC_JSF_COMMUNICATION_RO, the UME switches to read-only access for users located in the ABAP system.

·        If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, such as first name and last name. You can modify attributes stored in the UME database, such as street. Even if read-only access is assigned, users can still change their own passwords.

·        If the UME has read-write access, you can create users using the AS Java tools. They are stored as users in the AS ABAP. Extended user data that cannot be stored in the standard AS ABAP user record is stored in the database of the UME.

To enable read-write access to the system user, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for the System User for UME-ABAP Communication.
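The following script is an added example (not SAP code, and it does not call the UME API) that mimics the startup decision described above and then predicts which attribute changes a read-only UME would reject. It classifies attributes using the attribute table on this page; the role names are the ones the page names. It is the kind of pre-flight check an administrator can run before a bulk user update.

```python
"""Pre-flight check for the read-only / read-write behaviour described above.

Added example; this is not SAP code and does not call the UME API. It mimics
the decision the page describes for the system user's roles and then predicts
which attribute changes a read-only UME would reject, using the attribute
table on this page to tell ABAP-stored attributes from UME-database ones.
"""

# Role names as given on this page
READ_ONLY_ROLE = "SAP_BC_JSF_COMMUNICATION_RO"
READ_WRITE_ROLE = "SAP_BC_JSF_COMMUNICATION"

# Attributes the page lists as read from / written to the AS ABAP
ABAP_STORED_ATTRIBUTES = {
    "department", "email", "fax", "firstname", "islocked",
    "ispassworddisabled", "j_password", "jobtitle", "lastname", "locale",
    "lockreason", "logonalias", "mobile", "passwordchangerequired",
    "referenceuser", "salutation", "SecurityPolicy", "sncname", "telephone",
    "timezone", "title", "validfrom", "validto",
}


def access_mode(system_user_roles):
    """Reproduce the startup check: no role, or only the RO role -> read-only."""
    roles = set(system_user_roles)
    if not roles or roles == {READ_ONLY_ROLE}:
        return "read-only"
    return "read-write"


def missing_write_role(system_user_roles):
    """True if the role the page names for read-write access is not assigned."""
    return READ_WRITE_ROLE not in set(system_user_roles)


def plan_update(mode, changes, by_user_self=False):
    """Split a dict of attribute changes into (applied, rejected) sets.

    In read-only mode, ABAP-stored attributes cannot be modified, except that a
    user may still change their own password (j_password). Attributes that live
    only in the UME database (street, city, ...) are always writable.
    """
    applied, rejected = set(), set()
    for attr in changes:
        abap_stored = attr in ABAP_STORED_ATTRIBUTES
        own_password = by_user_self and attr == "j_password"
        if mode == "read-only" and abap_stored and not own_password:
            rejected.add(attr)
        else:
            applied.add(attr)
    return applied, rejected


if __name__ == "__main__":
    # Constructed sample: the system user carries only the read-only role
    mode = access_mode([READ_ONLY_ROLE])
    ok, bad = plan_update(mode, {"firstname": "Anna", "street": "Main St 1"})
    print(mode, "applied:", sorted(ok), "rejected:", sorted(bad))
```

Run it against the role list exported for the system user (default SAPJSF); if `missing_write_role` reports true, assign SAP_BC_JSF_COMMUNICATION before attempting writes to ABAP-stored attributes.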

Note

You can activate the self-registration and maintain-own-profile functions provided by the UME. In this way users can change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration.

UME User Attributes and the AS ABAP

The following table lists the user attributes that can be read from or written to the AS ABAP. This list is fixed and cannot be extended. Attributes without an entry for Field Name in the Identity Management User Interface do not appear in the user interface and are available only from the UME API. Attributes that do not appear in this table are stored only in the database of the AS Java, for example Street, City, State/Province, and ZIP/Postal Code.

UME User Attributes Stored and the AS ABAP

Logical Name of the UME Attribute | Field Name in the Identity Management User Interface | Comments and Field Name in ABAP User Management
--- | --- | ---
department | Department | Department
email | E-Mail Address | E-Mail Address
fax | Fax | Fax
firstname | First Name | First name
islocked | User Account Locked |
ispassworddisabled | Disable Password | Can only be reset by assigning a new password.
j_password | Editable when entering passwords. |
jobtitle | Position | Function
lastname | Last Name | Last name
locale | Language | See Locale and Language Mapping below.
lockreason | | Only administrative locks can be set explicitly. Locks due to failed logon attempts are set implicitly.
logonalias | Logon Alias | Alias
mobile | Mobile | Mobile Phone
passwordchangerequired | | Cannot be set explicitly. Implicitly changed by assigning a new password or by user-based password change.
referenceuser | | Reference User
salutation | Form of Address | Title
SecurityPolicy | Security Policy | User Type
sncname | | SNC name
telephone | Telephone | Telephone
timezone | Time Zone | Time zone
title | | Academic Title
validfrom | Start Date of Account Validity | Valid from
validto | End Date of Account Validity | Valid to

Limitations When Searching for Users

When you use the tool for user management, certain limitations apply:

Limitations of User Search Criteria

User Search Criteria | Limitations
--- | ---
Creation Date, Date of Last Password Change | The search only considers actions performed using the AS Java tools.
Street, City, State/Province, Zip/Postal Code | The search only considers data stored in the UME tables of the AS Java database. This data is different from the data stored in the ABAP user master data.
Country, Disable Password, End Date of Account Validity, Fax, Form of Address, Language, Mobile, Start Date of Account Validity, Telephone, Time Zone | You cannot search for users on these criteria.

Contrasting Users in the AS ABAP and the Local Database of the AS Java

The file dataSourceConfiguration_abap.xml enables you to create users only in the ABAP system. Once the UME is configured to use the AS ABAP as a data source, you cannot create users in the database of the AS Java; though you can still delete and edit existing users. ABAP roles determine your write access to the ABAP user management. If you have read-only access, you cannot create any users. The UME does not default to creating users in the local database of the AS Java. Nor can you edit or delete users in the AS ABAP without read-write access.

Group and Role Management

AS ABAP roles appear as groups in UME applications. You cannot change these groups or the user assignments to these groups. To change these groups, use the transaction PFCG to change the ABAP roles they represent on the AS ABAP.

New groups created with the UME are stored as UME groups in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UME groups. You can also assign the groups that represent ABAP roles to UME groups.

Like groups, new roles created with the UME are stored as UME roles in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UME roles. You can also assign the groups that represent ABAP roles to UME roles.

Limited Operations for the System User

The system user for UME-ABAP communication cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. For this system user, no user management operations in the UME are possible.

UME Security Policy Configuration

To prevent a conflict between the UME and AS ABAP security policies, the UME ignores its own security policy to some extent when the AS ABAP is the data source.

For more information about the security policy in the AS Java, see Security Policy.

For more information about the security policy settings in the AS ABAP, see Profile Parameters for Logon and Password (Login Parameters).

Changing Data Source

Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.

For more information about other data source configuration files, see Data Source Configuration Files.

Language of the System User

The system user (default: SAPJSF) is configured to use a specific language in the AS ABAP. The language setting of the system user determines the value of the user attribute salutation returned from the AS ABAP. We recommend that you configure the language of the system user to match the language preferred by the majority of the UME or portal users. Only make changes to the attribute salutation in the AS ABAP. For details, see SAP Note 866367.

Delay in the Display of ABAP Roles in the UME

If you create a new ABAP role or change the description of an existing ABAP role in the AS ABAP, these changes may not be visible in the UME for up to 30 minutes. The UME reads this data from the AS ABAP every 30 minutes. When the information appears is dependent upon when the UME last read the data. To force the UME to read the data from the AS ABAP, you must restart the AS Java.

Time Zone Mapping

The AS ABAP and AS Java use different concepts for displaying time zones. The AS ABAP uses generic regional designations, such as Central European Time (CET). The AS Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.

A default mapping between the two systems is installed. You cannot change this mapping, but you can override it. To override the default mapping or add additional mappings, enter the time zone pairs under the property ume.r3.connection.<adapterid>.TimeZoneMapping.

More information: UME Properties for an AS ABAP Data Source.

Locale and Language Mapping

Users in the AS Java use a locale, which consists of a language and a country. How the AS Java and AS ABAP handle this information depends on whether you are reading from the AS ABAP or writing to the AS ABAP.

Reading from the AS ABAP

The UME uses the Language of the Person to determine the language part of the locale. If this attribute is empty, the UME uses the Logon Language attribute.

To fill the country portion of the locale, the AS Java uses a function that attempts to map the ABAP language code to a country. For example, the code for simplified Chinese is mapped to the country China. If the language code does not specify a country and the attribute Country for name format rule has been configured, the AS Java constructs a new locale, which includes this country. If the resulting locale is not known to the Java runtime system, the AS Java uses the locale constructed from the language alone and does not include a country in the locale.

Writing to the AS ABAP

The locale is converted into a language using a mapping function that is aware of the most common cases in which the ABAP language code implies a country. The mapping function also takes into account changes in the ISO codes of certain languages, which previously caused update problems for those languages (for example, the code for Hebrew was changed from iw to he). The AS ABAP sets the result as the Language of the Person.

If the locale specified a country and the language that was determined above does not imply the same country, the AS ABAP sets the country in the Country for name format rule. If the Format name is not initial and the value set for Country for name format rule does not include the country specified in the locale, the conversion is only partially successful and the country is ignored.

More information: SAP Note 1130120.
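The two conversion directions above (reading from and writing to the AS ABAP) are simulated in the following added example. It is not SAP code: the ABAP language-code table, the set of locales the Java runtime is assumed to "know", and the parameter names (`language_of_person`, `logon_language`, `country_for_name_format`, `format_name`, `name_format_countries`) are assumptions chosen to illustrate the rules on this page. Only the simplified-Chinese-to-China case and the Hebrew iw-to-he code change are taken from the page.

```python
"""Simulation of the locale <-> ABAP language conversion rules described above.

Added example, not SAP code. The ABAP language-code table, the set of locales
the runtime is assumed to "know", and the parameter names are assumptions
chosen to illustrate the rules on this page; they are not SAP's tables.
"""

# ASSUMPTION: constructed table of ABAP language codes.
# value = (ISO 639-1 language, country implied by the code or None)
ABAP_LANGUAGE_CODES = {
    "EN": ("en", None),
    "DE": ("de", None),
    "HE": ("he", None),    # Hebrew under its current ISO code
    "ZH": ("zh", "CN"),    # simplified Chinese -> China (the case the page names)
    "ZF": ("zh", "TW"),    # traditional Chinese -> Taiwan (assumption)
}

# Former ISO codes that a Java locale may still carry (page example: iw -> he)
LEGACY_ISO_CODES = {"iw": "he"}

# ASSUMPTION: locales the Java runtime accepts; unknown ones fall back to language only
KNOWN_LOCALES = {
    "en", "en_US", "en_GB", "de", "de_DE", "de_AT",
    "zh", "zh_CN", "zh_TW", "he", "he_IL",
}


def read_locale(language_of_person, logon_language,
                country_for_name_format=None, known_locales=KNOWN_LOCALES):
    """Reading from the AS ABAP: build the UME locale from the user's ABAP data."""
    code = language_of_person or logon_language   # fallback the page describes
    if not code or code.upper() not in ABAP_LANGUAGE_CODES:
        return None
    lang, implied_country = ABAP_LANGUAGE_CODES[code.upper()]
    # the language code wins; the name-format country is used only if it implies none
    country = implied_country or country_for_name_format
    if country:
        candidate = f"{lang}_{country}"
        if candidate in known_locales:
            return candidate
    return lang   # locale unknown to the runtime: language alone


def write_language(locale_str, format_name=None, name_format_countries=()):
    """Writing to the AS ABAP: derive the ABAP language (and name-format country).

    Returns a dict with the language code set as "Language of the Person", the
    country written to "Country for name format rule" (or None) and a status of
    "ok" or "partial" (country ignored).
    """
    lang, _, country = locale_str.partition("_")
    lang = LEGACY_ISO_CODES.get(lang, lang)   # iw -> he
    country = country or None

    # prefer a code that implies exactly this country, then one implying none,
    # then any code for the language
    by_value = {v: k for k, v in ABAP_LANGUAGE_CODES.items()}
    code = (by_value.get((lang, country)) or by_value.get((lang, None))
            or next((k for k, (l, _) in ABAP_LANGUAGE_CODES.items() if l == lang), None))
    if code is None:
        raise ValueError(f"no ABAP language code for {locale_str!r}")
    implied_country = ABAP_LANGUAGE_CODES[code][1]

    result = {"language": code, "country_for_name_format": None, "status": "ok"}
    if country and implied_country != country:
        if format_name and country not in name_format_countries:
            result["status"] = "partial"   # country ignored, as the page describes
        else:
            result["country_for_name_format"] = country
    return result


if __name__ == "__main__":
    # Constructed samples
    print(read_locale("ZH", None))                 # zh_CN
    print(read_locale(None, "EN", "XX"))           # en (en_XX unknown to the runtime)
    print(write_language("iw_IL"))                 # HE, country IL
    print(write_language("de_AT", "X", {"DE"}))    # DE, partial
```

The round trip is not lossless: a locale whose country is neither implied by the ABAP language code nor permitted by the configured name-format rule comes back as language only, which is the "partially successful" case the page describes.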

Password Lock

A password lock occurs when a user attempts to log on and enters the wrong password too many times. You cannot unlock a password lock from the AS Java user management application, like you can when the data source is the database of the AS Java. The back-end AS ABAP does not support this unlock function. Instead you must assign a new initial password to the user. The user can then log on with the new password.

More Information

Constraints for the UME and Central User Administration
