
Implementing a Multitenant Portal

A multitenant portal is an extension of SAP NetWeaver Portal, enabling several customers to run independently on the same portal infrastructure hosted by a service provider. The service provider sets up logical partitions in a single portal installation so that each partition is a portal used exclusively by a different customer. A tenant refers to each logical partition on the hosting portal.

In this scenario variant, the portal administrator structures the portal so that customers have a highly individualized and unique gateway to their customized content, branded with their corporate identity.

Each customer accesses and works only with the data, applications and services belonging to their tenant.

 

Getting Started

For basic information on using the portal, see the Portal section in Getting Started – Using SAP Software. See also the scenario variant Providing Uniform Content Access.

For a list of multitenant portal terminology used in this scenario variant, see Glossary.

 

System Landscape

A multitenant portal requires that users are stored in an ABAP system (see Client Concept). Each tenant must be defined as a separate ABAP client in the SAP system. Together, the clients may exist in either one or several SAP systems. The users for each tenant must be defined in the same client. The same user cannot exist in more than one tenant.

When a user from a tenant makes a request in the portal, the user is authenticated in the Central User Administration (CUA) system, which also checks the authorization level of the user for the requested data. After the request is authenticated and the user has permission for the requested data, the information is presented in the portal using the branding and corporate identity of the user's assigned tenant.

The following figure provides an example of a multitenant portal system landscape comprising four SAP systems accessible from the portal: two Human Resources (HR) systems, one Business Intelligence (BI) system, and a CUA system. These systems present information to the following tenants: Tenant 1, Tenant 2, and Tenant 3. The portal users of each tenant have been defined in separate ABAP clients, or in the CUA.


Example: System Landscape for Multitenant Portal

 

Tools

The following design-time tools are used by administrators to fully configure and administer a multitenant portal.

Tool

Task

J2EE Config Tool

Activating the User Management Engine (UME) to support multitenancy in the portal.

System Landscape Wizard and Editor

     Creating a portal tenant system for each tenant. In the system you specify the details for connecting to the specific ABAP client containing the tenant users’ data.

To create portal tenant systems, you must use the standard system template, Portal Tenant System, which is shipped with the portal.

     Creating portal systems to enable iView connectivity to data-specific backend systems.

Tenant Management screen

     Creating, editing, and viewing tenants with their respective properties.

     Enabling and disabling tenants.

Portal Content Studio

     Creating, editing and managing multitenant portal content (iViews, pages, worksets, and roles).

     Delegating administration tasks.

SAP NetWeaver Developer Studio

     Creating customized portal content.

     Creating customized portal logon screen for each tenant.

Permission Editor

Configuring portal permission for portal content and security zones.

UME Administration Console (portal)

Managing users, groups, and UME roles directly in the portal. Tasks include the following:

     Creating users

     Assigning tenant users and groups to portal roles

     Assigning users to groups

     Viewing and editing user profiles

     Locking and unlocking users

     Importing and exporting user data

     Mapping users

Note

The UME ABAP connection must be configured as read/write so that changes made in the portal can be written to the ABAP client.

User Maintenance tool (SAP system)

Performing user maintenance tasks directly in the SAP system, such as:

     Viewing, creating, editing, deleting, and copying users.

     Locking and unlocking users.

     Changing passwords.

Portal Desktop Editor

Creating, editing and managing customized portal desktops for tenants.

Theme Editor

Creating, editing and managing customized portal themes for tenants.

Portal Display Rules Editor

Creating, editing and managing customized portal display rules for tenants.

Search and Replace Wizard

Content Mirroring tool

Performing mass operations in the portal, such as:

     Searching for and replacing property values in portal objects.

     Duplicating mass content, such as business packages, while maintaining direct relationships between the original and copied objects.

Monitor and Trace tool

Portal Activity Report tool

Monitoring usage of the portal, such as portal performance, content usage, and the details of users that are logged onto the portal.

UME Administration Console

     Managing users, groups, and UME roles.

     Exporting user data and mapping users.

 

Prerequisites

     You have installed the following SAP NetWeaver usage types:

     Application Server Java (AS-Java)

     Enterprise Portal (EP)

     Developer Infrastructure (DI)

Note 

Usage type DI is required only if you intend to self-develop applications and content for the portal.

     After installing usage type EP, you have performed the mandatory initial configuration tasks that are documented in Initial Configuration Tasks. Optional and recommended tasks should also be considered.

Note 

Make sure you adhere to the portal permission configuration guidelines described in the documentation referenced above. Otherwise, you run the risk that a tenant may lack the correct runtime permissions when it is created and be unable to access its assigned initial content.

 

Limitations

For a list of known limitations when working with multitenancy in SAP NetWeaver Portal, see the relevant sections in SAP Note 853509.

For other information, such as known integration issues, workarounds, documentation corrections, and late documentation not included in this release, see SAP Note 863837.

 

Tasks

This section outlines the flow of tasks which administrators must perform to implement a multitenant portal environment. These tasks are performed by either cross-tenant or tenant-specific administrators: 

     Cross-tenant administrators do not belong to a specific tenant; typically, they perform cross-tenant tasks. Cross-tenant administrators are employees of the multitenant portal service provider.

     Tenant administrators belong to a single tenant and are stored in the ABAP user client of the tenant; they manage content and users assigned to their tenant only. Tenant administrators are employees of either the multitenant portal service provider or the tenant customer.

The super administrator is responsible for deciding which tasks are delegated to tenant administrators. To ensure that tenant users only see content assigned to their tenant, permissions and roles must be assigned appropriately.

Note that the following process flow relates to a single portal tenant. Repeat the steps for each additional tenant.

Configuring the Multitenant Portal


       1.      The system administrator sets up the multitenant portal environment:

                            a.      Set up the ABAP user store of the tenant.

The users of each tenant must be stored in an SAP system to synchronize their authentication and authorization in all backend systems. All user data created for each tenant must be defined in a separate ABAP client.

For more information, see Setting Up the User Store for a Multitenant Portal.

                            b.      Set up the system landscape. For example:

      Establish a trust relationship between the various J2EE Engine components running on each SAP system in the system landscape, and ensure inclusion of tenant information in logon tickets. For more information, see Setting Up Trust Between SAP Systems.

      Configure content-centric backend systems and connect them to the portal. For more information, see Portal Security Guide.

      Secure the system landscape; for example, configure HTTP services and firewalls for external access or special domains. For more information, see Portal Security Guide.

                            c.      Activate the User Management Engine (UME) to support portal multitenancy. This step only needs to be performed once; it is applicable to all tenants.

For more information, see Enabling UME to Support a Multitenant Portal.

       2.      Create a portal tenant system in the portal.

The portal tenant system is a portal object in which you define the UME connection strings to the specific ABAP client where user data for the tenant is stored. Each tenant requires a unique portal tenant system.

For more information, see Creating a Portal Tenant System and Defining UME Data Source Properties in a Portal Tenant System.

       3.      Create a tenant in the portal.

The portal tenant includes basic information about the tenant, such as name and description, and advanced settings, such as the unique logon ticket number used to authenticate users of the tenant, the tenant's portal URL alias, the unique portal tenant system, and paths to the tenant's branding elements.

For more information, see Creating a Portal Tenant.

Creating Multitenant Portal Content


       1.      The super administrator distributes administration tasks to cross-tenant and tenant-specific administrators.


Tenant administrators must only be assigned to the standard content and user administration roles. The standard system administration role contains tools and capabilities that can compromise the security and confidentiality of data across tenants. You may, however, create a new tenant administration role or extend an existing one to include certain system administration tools, such as the Portal Desktop Editor and Theme Editor.

For more information, see Delegating Administration Tasks. For information on logging on as a portal tenant user, see Logging on as a Tenant User.

       2.      Content administrators and developers create content in the portal:

     Cross-tenant content administrators create cross-tenant content, such as iViews, pages, worksets, and roles.

A content or super administrator may also be involved in assigning permissions so that delegated tenant content administrators can access initial content, such as iView templates.

For more information, see Content Administration for Portal Tenants.

     Cross-tenant and tenant-specific content administrators create tenant-specific content, such as iViews, pages, worksets, and roles.

Cross-tenant administrators may import business packages to the portal which cross-tenant content administrators can configure and distribute to delegated tenant administrators.

For more information, see Content Administration for Portal Tenants.

     Content developers develop custom-made content applications and deploy them to the portal (optional).

To ensure overall portal security, only cross-tenant administrators should be permitted to deploy portal applications.

For more information, see Content Administration for Portal Tenants.

       3.      Developers create a customized logon screen for the tenant to suit their branding and corporate identity (optional). A cross-tenant system administrator must deploy it to the portal.

For more information, see Configuring a Logon Screen for a Tenant.

       4.      Cross-tenant and tenant-specific content administrators (user and system administrators) customize the portal runtime display settings for tenant users. This involves creating tenant-specific portal themes, framework pages, portal desktops, and display rules. The portal look and feel should adhere to the branding, corporate identity, and requirements of the tenant.

For more information, see Configuring and Assigning Portal Desktops for Tenants.
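
The isolation rules stated under System Landscape (one ABAP client per tenant, no user in more than one tenant) and in step 1 above (no system administration role for tenant administrators) can be checked against an inventory of tenants and users. The following Python check is an added example, not SAP code; the data layout, the field names, and the role label system_admin are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample inventory (not from a real system). Field names and the
# role label "system_admin" are hypothetical stand-ins.
TENANTS = {
    "tenant1": {"sid": "HR1", "client": "100"},
    "tenant2": {"sid": "HR1", "client": "200"},
    "tenant3": {"sid": "HR1", "client": "200"},  # reuses tenant2's client
    "tenant4": {"sid": "HR2", "client": "100"},  # same number, other system: fine
}
USERS = [
    {"id": "ALICE", "tenant": "tenant1", "roles": ["content_admin"]},
    {"id": "BOB", "tenant": "tenant2", "roles": ["user_admin", "system_admin"]},
    {"id": "ALICE", "tenant": "tenant3", "roles": []},
    {"id": "OPS", "tenant": None, "roles": ["system_admin"]},  # cross-tenant admin
]
FORBIDDEN_FOR_TENANT_USERS = {"system_admin"}


def audit(tenants, users):
    """Return (rule, subject, tenants) tuples for every violated isolation rule."""
    findings = []
    # Rule 1: every tenant has its own ABAP client (system ID + client number).
    by_client = defaultdict(list)
    for name, t in tenants.items():
        by_client[(t["sid"], t["client"])].append(name)
    for (sid, client), names in sorted(by_client.items()):
        if len(names) > 1:
            findings.append(("shared_client", f"{sid}/{client}", tuple(sorted(names))))
    # Rule 2: the same user must not exist in more than one tenant.
    by_user = defaultdict(set)
    for u in users:
        if u["tenant"] is not None:
            by_user[u["id"]].add(u["tenant"])
    for uid, owners in sorted(by_user.items()):
        if len(owners) > 1:
            findings.append(("user_in_multiple_tenants", uid, tuple(sorted(owners))))
    # Rule 3: tenant users must not hold the system administration role.
    for u in users:
        if u["tenant"] is not None and FORBIDDEN_FOR_TENANT_USERS & set(u["roles"]):
            findings.append(("tenant_user_with_system_admin", u["id"], (u["tenant"],)))
    return findings


if __name__ == "__main__":
    for finding in audit(TENANTS, USERS):
        print(finding)
```

Because clients may be spread over several SAP systems, the check keys a client on the pair of system ID and client number, so tenant1 and tenant4 do not collide.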

Maintaining the Multitenant Portal

The following steps are necessary for maintaining a multitenant portal. The steps are performed as needed:

     Adjust portal content for the tenant.

Cross-tenant and tenant-specific content administrators update existing portal content and adapt it for the tenant. New content can be added and assigned to tenant users. Single sign-on for content can be defined for users using the user mapping tool.

For general information, see Content Administration in the Portal Administration Guide.

     Cross-tenant and tenant-specific user administrators manage the users of the tenant. For example, adding and deleting users in the tenant's user store, and assigning users to roles.

For more information, see Managing Users, Groups, and Roles.

     Assign portal permissions to tenant users.

System administrators must set and update the permissions for portal content and security zones to ensure that users of the tenant see and access their content only.

For more information, see Creating Content and Assigning Permissions for Tenants. For general information about portal permissions, see Portal Permissions in the Portal Administration Guide.

     Monitor and report the portal performance, users, and content.

Cross-tenant system administrators can use advanced tools available in the portal and supporting components to monitor the performance of the portal and trace runtime bottlenecks, and to provide data about the use of portal pages, iViews, and activities of tenant users.

As a result of usage patterns and problems reported by users, portal administrators must adjust portal content and solve the reported problems to ensure efficient running of the portal.   

For more information, see Monitoring.

     Cross-tenant system administrators administer all tenants in the portal.

This includes tasks such as viewing tenants, updating tenant properties, creating tenants, and enabling/disabling tenants. These activities can be performed in the Tenant Management screen in the portal.

For more information, see Managing Portal Tenants and Creating Tenants in the Portal.

 
