Configuring Attribute Mapping for the ABAP User ID 
If users have different IDs in the LDAP directory and in the connected ABAP systems, the J2EE user management must be configured to use ABAP user IDs from the LDAP directory. You can use an existing attribute in your LDAP directory to store the users’ ABAP user IDs. As a result, administrators or users do not have to define user mapping for each user.
Caution
The ABAP user IDs are stored in the LDAP directory in unencrypted form. To prevent manipulation of these IDs, you must make sure that no unauthorized users have write-access to the LDAP directory, in particular to the attribute containing the ABAP user ID.
If these IDs are manipulated, users' logon tickets could contain a different user ID. Thus a malicious user could gain access to ABAP systems as a different user with more extensive authorizations in the ABAP system.
You are using an LDAP directory as a data source. In the LDAP directory, one of the user attributes is defined to contain the user’s ABAP user ID.
Note
The LDAP object class that contains the user attribute for the ABAP user ID must already be assigned to the users, otherwise you cannot save user mapping data for users.
Choose the Data Sources tab.
Choose Data Source and use the file download function to download the configuration file you have selected.
Open the data source configuration file in an editor and change it as follows:
Note
The REFERENCE_SYSTEM_USER attribute appears twice in the XML file. You must check the first appearance of this attribute and change the attribute name in the second appearance.
Check that the logical user attribute REFERENCE_SYSTEM_USER is in the <responsibleFor> section of the LDAP data source:
Example
...
<dataSources>
  ...
  <dataSource id="CORP_LDAP" ...>
    ...
    <responsibleFor>
      ...
      <principal type="user">
        ...
        <nameSpace name="$usermapping$">
          <attributes>
            <attribute name="REFERENCE_SYSTEM_USER"/>
          </attributes>
        </nameSpace>
        ...
      </principal>
      ...
    </responsibleFor>
    ...
  </dataSource>
</dataSources>
Define the attribute mapping from the logical attribute REFERENCE_SYSTEM_USER to the physical attribute that actually stores the ABAP user ID in your LDAP directory.
Example
...
<dataSources>
  ...
  <dataSource id="CORP_LDAP" ...>
    ...
    <attributeMapping>
      <principals>
        ...
        <principal type="user">
          ...
          <nameSpace name="$usermapping$">
            <attributes>
              <attribute name="REFERENCE_SYSTEM_USER">
                <physicalAttribute name="r3user"/>
              </attribute>
            </attributes>
          </nameSpace>
          ...
        </principal>
      </principals>
    </attributeMapping>
    ...
  </dataSource>
</dataSources>
Optional: If the attribute for the ABAP user ID is in an additional object class, declare this object class in the data source configuration.
Note
When you use the User Management Engine to create a user, this object class is assigned to the new user. However, you should make sure that existing users in the LDAP directory are already assigned this object class.
Example
In the following example, the sapuser object class contains the r3user attribute, which contains the user's ABAP user ID.
...
<dataSources>
  ...
  <dataSource id="CORP_LDAP" ...>
    ...
    <privateSection>
      ...
      <ume.ldap.access.auxiliary_objectclass.user>
        sapuser
      </ume.ldap.access.auxiliary_objectclass.user>
      ...
    </privateSection>
  </dataSource>
</dataSources>
Upload the modified configuration file on the Data Source tab page.
Change the UME properties listed below:
ume.usermapping.refsys.mapping.type = attribute
This property specifies that the UME reads the user's ABAP user ID from the LDAP directory through the logical user attribute REFERENCE_SYSTEM_USER.
ume.r3.mastersystem = UME Internal Reference System
This property is set so that users can use logon tickets to access all ABAP systems in which they have the same user ID as in the ABAP central instance of the Enterprise Search appliance.
Optionally, you can also change the property ume.usermapping.admin.pwdprotection.
This property defines whether administrators have to enter a password when they change a user’s user mapping data.
Proceed as outlined in Editing UME Properties in the SAP NetWeaver 7.0 documentation.
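Added example (not part of the SAP documentation): a Python check for the edited data source configuration file, to run before you upload it. It verifies both appearances of REFERENCE_SYSTEM_USER and reports the physical attribute and auxiliary object class, that is, the LDAP attribute whose write access the Caution above requires you to restrict. The function name check_data_source and the sample file are constructed for this example, and the element layout is assumed to match the excerpts above.

```python
import xml.etree.ElementTree as ET

LOGICAL = "REFERENCE_SYSTEM_USER"
# Path shared by both appearances of the attribute (layout assumed from the excerpts).
ATTR_PATH = ("principal[@type='user']/nameSpace[@name='$usermapping$']"
             f"/attributes/attribute[@name='{LOGICAL}']")
AUX_TAG = "ume.ldap.access.auxiliary_objectclass.user"

def check_data_source(xml_text, ds_id):
    """Return (findings, physical_attribute, auxiliary_class) for one data source."""
    root = ET.fromstring(xml_text)
    ds = next((d for d in root.iter("dataSource") if d.get("id") == ds_id), None)
    if ds is None:
        return [f"data source {ds_id} not found"], None, None
    findings = []
    # First appearance: the data source must be responsible for the attribute.
    if ds.find("responsibleFor/" + ATTR_PATH) is None:
        findings.append(f"{LOGICAL} missing from <responsibleFor>")
    # Second appearance: the logical attribute must map to a physical attribute.
    mapped = ds.find("attributeMapping/principals/" + ATTR_PATH)
    phys = mapped.find("physicalAttribute") if mapped is not None else None
    physical = phys.get("name") if phys is not None else None
    if not physical:
        findings.append(f"{LOGICAL} has no <physicalAttribute> mapping")
    # Optional: auxiliary object class that carries the physical attribute.
    aux = next(ds.iter(AUX_TAG), None)
    aux_class = ((aux.text or "").strip() or None) if aux is not None else None
    return findings, physical, aux_class

# Constructed sample file: the page's excerpts with the elided parts left out.
SAMPLE = """<dataSources><dataSource id="CORP_LDAP">
  <responsibleFor><principal type="user"><nameSpace name="$usermapping$">
    <attributes><attribute name="REFERENCE_SYSTEM_USER"/></attributes>
  </nameSpace></principal></responsibleFor>
  <attributeMapping><principals><principal type="user"><nameSpace name="$usermapping$">
    <attributes><attribute name="REFERENCE_SYSTEM_USER">
      <physicalAttribute name="r3user"/>
    </attribute></attributes>
  </nameSpace></principal></principals></attributeMapping>
  <privateSection><ume.ldap.access.auxiliary_objectclass.user>
    sapuser
  </ume.ldap.access.auxiliary_objectclass.user></privateSection>
</dataSource></dataSources>"""

if __name__ == "__main__":
    findings, physical, aux_class = check_data_source(SAMPLE, "CORP_LDAP")
    print("findings:", findings or "none")
    print("restrict LDAP write access to attribute:", physical, "| object class:", aux_class)
```

The reported physical attribute is the one to cover in the directory's access control review, since a changed value there changes the ABAP user ID placed in the user's logon ticket.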