Setting a Logon Policy for a Policy Configuration

Use

Logon policies are used to set restrictions on authentication for specific policy configurations. You can set a policy configuration to use a specific logon policy. When setting a logon policy for a policy configuration, consider the following:

  • Logon Policies

    The logon policy specifies the rules that apply for users under this policy configuration. For a successful authentication, there must be at least one successful rule. If you do not set a specific logon policy for a policy configuration, the system uses a default one that is automatically generated.

    Caution

    The default logon policy is automatically set to allow every user to log on at any time. If you decide to change its settings, make sure that you do not set restrictions that will prevent you from logging on to the whole system. If this does happen, you can log on only with the emergency user SAP*. Also, you cannot rename or delete the default logon policy.

    Caution

    If you log on with the emergency user SAP*, the system does not apply the logon policy. For more information about emergency users, see Activating the Emergency User.

  • Rules

    Each rule contains a set of conditions that specify the cases in which the user is allowed authentication. A rule is successful when all conditions of that rule allow authentication.

  • Conditions

    Each condition evaluates the current request and allows user authentication in accordance with the fulfillment of the condition and its type. A condition is fulfilled when the user complies with the value of the condition. There are four possibilities:

    Condition Type    Condition Fulfilled    User Authentication
    Allow             Yes                    Allowed
    Allow             No                     Denied
    Deny              Yes                    Denied
    Deny              No                     Allowed

Procedure

To configure the logon policies, proceed as follows:

  1. Set the property ume.logon.apply_logon_policies to allow the use of logon policies during authentication. You can set this configuration in SAP NetWeaver Administrator by choosing Configuration > Authentication and Single Sign-On > Authentication > Properties and selecting the checkbox Apply logon policies during authentication (ume.logon.apply_logon_policies).

    Note

    The option Apply logon policies during authentication (ume.logon.apply_logon_policies) is disabled by default.

  2. Access the logon policies window by choosing the Logon Policies link.

  3. Add a new logon policy by choosing the Add button.

  4. Add at least one rule for the logon policy.

  5. Add at least one condition for each rule.

    Each condition contains three elements:

    • Type

      • Allow

        This type allows authentication of a user that fulfills the condition. A user that does not fulfill the condition is denied authentication.

      • Deny

        This type allows authentication of a user that does not fulfill the condition. A user that fulfills the condition is denied authentication.

    • Category

      The category specifies what kind of condition the system uses. You can configure the following categories:

      • User

        Defines a condition for allowing or denying the authentication of a user with a specific logon ID.

        Note

        A user with this logon ID must exist and must be unique.

      • Role

        Defines a condition for allowing or denying the authentication of users that have a specific role.

        Note

        The role must exist in the user management engine (UME).

      • Group

        Defines a condition for allowing or denying the authentication of users that are members of a specific group.

        Note

        The group must exist in the user management engine (UME).

      • Days of Week

        Defines a condition for allowing or denying the authentication of users on specific days.

      • Time

        Defines a condition for allowing or denying the authentication of users during a specific time period of the day.

      • HTTP Header

        Defines a condition for allowing or denying the authentication of users in accordance with the HTTP header name and value.

        Caution

        Users submitting requests that do not contain headers, such as Web service requests, are allowed authentication by the HTTP Header condition when the type is Deny.

      • IP Address

        The user can enter an Internet Protocol (IP) version 4 (IPv4) address or an IP version 6 (IPv6) address. In addition, the user has to enter a subnet prefix after the slash (/) symbol that specifies how many bits of the IP address are used for the condition.

        Caution

        Regardless of the IP address settings, in local requests all IP Address conditions of the type Allow allow authentication and all IP Address conditions of the type Deny do not allow authentication.

        Caution

        If there is a proxy in front of the server, all IP conditions will check the IP of the proxy by default. For the system to check the client's IP address, you have to do the following:

        • Configure the proxy to send the IP address of the client in the X-Forwarded-For header.

        • Configure the HTTP provider service to read the IP from this header. For more information, see HTTP Provider Service.

        • Set the property ClientIpHeaderName to X-Forwarded-For.

    • Condition Value

      Specify only one value for all categories except Days of Week and Time. To add or edit a value, choose the Modify Condition Value button.

      The following categories have specific requirements for their values:

      • HTTP Header

        You can set the value in a regular expression format. If you select the checkbox Use regular expression for the HTTP Header category, the system checks whether the header value matches the regular expression pattern.

        Example

        Michael wants to configure his system to allow HTTP requests with a header containing the value <name>@company.com. To do this, he sets the HTTP header name From with the regular expression value (.+)\Q@company.com\E and selects the regular expression checkbox. When a user John with the e-mail address john@company.com makes an HTTP request, the system finds the name-value pair From: john@company.com in the request, checks the regular expression pattern, and authenticates the user.

      • IPv4

        An IP version 4 address contains 32 bits. Each of the four dot-separated decimal numbers is in the range 0 to 255 and represents an 8-bit binary number. The subnet prefix defines how many of the most significant bits of the request's address must match the entered IPv4 value. If you set the maximum number 32 for the prefix, the system will check if all the bits in the IP address match.

        Example

        If you set an IPv4 address and prefix with a value 145.234.10.1/24, then the system will check if the request's IP address starts with the decimal numbers 145.234.10. The subnet prefix 24 signifies that the 24 most significant bits (145.234.10) are used for the condition validation.

      • IPv6

        An IP version 6 address contains 128 bits. Each of the eight colon-separated hexadecimal numbers represents a 16-bit binary number. As for IPv4, the subnet prefix defines how many of the most significant bits are checked for the IP address condition. If you set the maximum number 128 for the prefix, the system will check if all the bits in the IP address match.

        Example

        If you set an IPv6 address and prefix with a value 2012:0db8:85a3:0052:0010:8a2e:0370:7334/64, the system will check whether the request's IP address starts with the hexadecimal numbers 2012:0db8:85a3:0052. The subnet prefix 64 signifies that the 64 most significant bits (2012:0db8:85a3:0052) are used for the condition validation.

    Note

    For the default logon policy, the system generates one condition with Type Allow, Category Role, and Condition Value Everyone.

  6. Activate the rule(s) you want to apply.

    Caution

    The system ignores inactive rules.

  7. Activate the logon policy.

  8. Save your entries.

  9. Choose the Components link and select the policy configuration to which you want to assign the logon policy.

  10. Choose the Authentication Stack tab and select the logon policy.

    Caution

    If the logon policy is inactive, the system will apply the default logon policy.
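The prefix check described for the IPv4 and IPv6 condition values, together with the caveat that local requests bypass the address comparison, as an added Python example that is not part of the SAP documentation. The function names prefix_matches and ip_condition_allows and the sample request addresses are assumptions of this example; the condition values are the ones used on this page.

```python
import ipaddress


def prefix_matches(condition_value: str, request_ip: str) -> bool:
    """Return True when the most significant <prefix> bits of request_ip equal
    those of the address configured in the condition.

    condition_value uses the page's "<address>/<prefix>" notation, for example
    "145.234.10.1/24" or "2012:0db8:85a3:0052:0010:8a2e:0370:7334/64".
    """
    addr_text, prefix_text = condition_value.split("/")
    configured = ipaddress.ip_address(addr_text.strip())
    request = ipaddress.ip_address(request_ip.strip())
    prefix = int(prefix_text)
    if configured.version != request.version:
        return False  # an IPv4 condition cannot match an IPv6 request, or vice versa
    if not 0 <= prefix <= configured.max_prefixlen:
        raise ValueError(f"prefix {prefix} is out of range for IPv{configured.version}")
    # Mask with `prefix` one-bits at the top: /24 on IPv4 is 0xFFFFFF00, /128 on IPv6 is all ones.
    # Bits below the prefix are ignored, in the configured value as well as in the request.
    mask = ((1 << prefix) - 1) << (configured.max_prefixlen - prefix)
    return (int(configured) & mask) == (int(request) & mask)


def ip_condition_allows(cond_type: str, condition_value: str, request_ip: str,
                        local_request: bool = False) -> bool:
    """Apply the Allow/Deny truth table to one IP Address condition.

    For local requests the page states that the address is not consulted at all:
    every Allow condition allows and every Deny condition denies.
    """
    if local_request:
        return cond_type == "Allow"
    matched = prefix_matches(condition_value, request_ip)
    return matched if cond_type == "Allow" else not matched


if __name__ == "__main__":
    # Constructed sample requests checked against the page's two example values
    for value, ip in [("145.234.10.1/24", "145.234.10.77"),
                      ("145.234.10.1/24", "145.234.11.1"),
                      ("2012:0db8:85a3:0052:0010:8a2e:0370:7334/64", "2012:db8:85a3:52:ffff::1")]:
        print(f"{value:45} {ip:28} {prefix_matches(value, ip)}")
```

The mask is built from the prefix rather than from the address, which is why a configured value with non-zero host bits (such as 145.234.10.1/24) behaves exactly like 145.234.10.0/24: only the 24 leading bits take part in the comparison.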

Example

Denise Smith wants to configure her system to allow all users except administrators to log on every working day of the week from 09:00 to 18:00. In addition, she wants to allow administrators to log on to the system on Mondays, Wednesdays, Fridays, Saturdays, and Sundays from 18:00 to midnight with an IPv6 address that starts with the numbers 2012:8329. She therefore creates a logon policy named users and sets two rules named userRule and adminRule.

  • For the userRule, she sets the following conditions:

    Type    Category        Condition Value
    Allow   Group           Everyone
    Deny    Group           Administrators
    Allow   Days Of Week    Monday, Tuesday, Wednesday, Thursday, Friday
    Allow   Time            from 09:00 to 18:00

  • For the adminRule, she sets the following conditions:

    Type    Category        Condition Value
    Allow   Group           Administrators
    Allow   Days Of Week    Monday, Wednesday, Friday, Saturday, Sunday
    Allow   Time            from 18:00 to 24:00
    Allow   IP Address      2012:8329:0:0:0:0:0:0/32

After Denise adds the users logon policy to her policy configuration, she tests her system with user Michael and administrator Julie. Michael accesses the system at 10:00 on Monday. Because he is a member of the group Everyone and he is not a member of the group Administrators, the first rule succeeds and he is able to log on to the system. Julie decides to log on at the same time as Michael does with the IPv6 address 2012:8329:0000:0000:0456:ff00:0042:0db8. The first rule userRule fails because its second condition with value Administrators does not allow authentication (Julie is a member of that group and the condition type is Deny). The second rule also does not succeed because the Time condition is not fulfilled (10:00 lies outside 18:00 to 24:00). Because both rules fail, Julie is denied access to the system. She then calls Denise and asks for help. Denise advises her to try again the same day after 6 o'clock in the evening and informs her of the logon principles for administrators. When Julie tries again at 19:00, she is able to log on with the same IPv6 address, which proves to Denise that the configuration is working properly.
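The evaluation model described under Use (a policy needs at least one successful rule, a rule needs every one of its conditions to allow, and the four-row Allow/Deny table decides each condition) applied to Denise's example, as an added Python example that is not SAP's code. The Request, Condition and Rule classes, the date chosen to stand for "Monday", Michael's IPv4 address and the HTTP header handling are constructed for this example; the two rules are transcribed from the tables above. Python's re module has no \Q...\E quoting, so a header pattern like the one from the earlier example would be written as (.+)@company\.com here.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, time

DAY_NAMES = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")


@dataclass
class Request:                 # constructed request model for this example
    user: str
    groups: set
    when: datetime
    ip: str
    roles: set = field(default_factory=set)
    headers: dict = field(default_factory=dict)


@dataclass
class Condition:
    type: str                  # "Allow" or "Deny"
    category: str              # User, Role, Group, Days of Week, Time, HTTP Header, IP Address
    value: object              # category-specific, see fulfilled()


@dataclass
class Rule:
    name: str
    conditions: list
    active: bool = True


def fulfilled(c: Condition, r: Request) -> bool:
    """True when the request complies with the condition value, regardless of the type."""
    if c.category == "User":
        return r.user == c.value
    if c.category == "Role":
        return c.value in r.roles
    if c.category == "Group":
        return c.value in r.groups
    if c.category == "Days of Week":
        return DAY_NAMES[r.when.weekday()] in c.value
    if c.category == "Time":
        start, end = c.value                   # (time, time); 24:00 is modelled as time.max
        return start <= r.when.time() <= end
    if c.category == "HTTP Header":
        name, pattern, use_regex = c.value
        header = r.headers.get(name)
        if header is None:                     # no such header: not fulfilled, so a Deny
            return False                       # condition lets the request through (page caveat)
        return bool(re.fullmatch(pattern, header)) if use_regex else header == pattern
    if c.category == "IP Address":             # "<address>/<prefix>": the prefix bits must match
        return ipaddress.ip_address(r.ip) in ipaddress.ip_network(c.value, strict=False)
    raise ValueError(f"unknown category {c.category!r}")


def condition_allows(c: Condition, r: Request) -> bool:
    """The truth table: Allow passes fulfilled requests, Deny passes unfulfilled ones."""
    is_fulfilled = fulfilled(c, r)
    return is_fulfilled if c.type == "Allow" else not is_fulfilled


def rule_succeeds(rule: Rule, r: Request) -> bool:
    """A rule succeeds only when every one of its conditions allows the request."""
    return all(condition_allows(c, r) for c in rule.conditions)


def policy_allows(rules: list, r: Request) -> bool:
    """Inactive rules are ignored; at least one active rule must succeed."""
    return any(rule_succeeds(rule, r) for rule in rules if rule.active)


def denise_policy() -> list:
    """The 'users' policy from the page, transcribed condition by condition."""
    user_rule = Rule("userRule", [
        Condition("Allow", "Group", "Everyone"),
        Condition("Deny", "Group", "Administrators"),
        Condition("Allow", "Days of Week", {"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"}),
        Condition("Allow", "Time", (time(9, 0), time(18, 0))),
    ])
    admin_rule = Rule("adminRule", [
        Condition("Allow", "Group", "Administrators"),
        Condition("Allow", "Days of Week", {"Monday", "Wednesday", "Friday", "Saturday", "Sunday"}),
        Condition("Allow", "Time", (time(18, 0), time.max)),
        Condition("Allow", "IP Address", "2012:8329:0:0:0:0:0:0/32"),
    ])
    return [user_rule, admin_rule]


# The page's scenario; 2024-01-15 is a Monday (constructed date), Michael's address is constructed
MONDAY = datetime(2024, 1, 15)
JULIE_IP = "2012:8329:0000:0000:0456:ff00:0042:0db8"
michael = Request("michael", {"Everyone"}, MONDAY.replace(hour=10), "10.0.0.5")
julie_morning = Request("julie", {"Everyone", "Administrators"}, MONDAY.replace(hour=10), JULIE_IP)
julie_evening = Request("julie", {"Everyone", "Administrators"}, MONDAY.replace(hour=19), JULIE_IP)

if __name__ == "__main__":
    for label, req in [("Michael 10:00", michael), ("Julie 10:00", julie_morning), ("Julie 19:00", julie_evening)]:
        print(label, "->", "allowed" if policy_allows(denise_policy(), req) else "denied")
```

Running the block prints allowed, denied, allowed for the three attempts, matching the walk-through above. The Deny group condition in userRule is what keeps Julie out of the first rule even though she is also a member of Everyone, and a missing HTTP header shows up as an unfulfilled condition, which is exactly why the page warns that header-less requests pass a Deny HTTP Header condition.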