Use virtual groups to automatically assign users to user management engine (UME) groups based on the value or values of a single attribute. In the UME properties, you define which attribute to use and which values you want to use to form groups. You can even configure virtual groups to support multiple values for when you want to enable users to have membership in more than one virtual group.
These groups exist only in the database of the SAP NetWeaver Application Server (AS) Java. The unique name and unique ID for the virtual group consists of the prefix and name, which you configure with UMEproperties.
If you change the unique name of a virtual group by either editing the prefix or the name entry itself, you create a new virtual group. Any existing role assignments to the old virtual group name are lost.
● Any mapping between the attribute in the Java database and an LDAP directory must already be configured in the data source configuration file. For more information, see Customizing a UME Data Source Configuration.
● This procedure requires you to stop the AS Java, so you should plan for the required downtime.
1. Determine the attribute to use for the basis of the virtual groups.
You can group your users by language.
2. Determine the values to use to form the virtual groups.
You do not need to create a group for every possible value the attribute can have.
3. Configure the UME properties for virtual groups.
¡ To select the attribute, configure ume.virtual_groups.user_attribute.
¡ Enter the namespace of the attribute in ume.virtual_groups.user_attribute.namespace. The namespace for the default user attributes is com.sap.security.core.
¡ Enter the values to use for the virtual groups in ume.virtual_groups.names.
Separate the names with a semicolon (;). If you want to use a semicolon in the group names, choose a new separator with the property ume.virtual_groups.group_names_separator.
To enter a more readable list of names without having to worry about spaces at the beginning and end, set the property ume.virtual_groups.trim_group_names to TRUE. If you want to have leading or trailing spaces in the name, set this property to FALSE.
Attribute names and value names for the virtual groups should match exactly.
¡ Enter the prefix to use for the virtual groups in ume.virtual_groups.name_prefix.
Using a prefix ensures the virtual groups are displayed together in a search result. The prefix also helps to ensure that the group names do not conflict with those of other established groups.
If role assignments to virtual groups exist, changing this property breaks those role assignments. The roles are assigned to groups with the old names, which no longer exist.
¡ If the attribute you configured supports multiple values, you can enable users to be members of multiple virtual groups, by setting the property ume.virtual_groups.user_attribute.multivalue to TRUE.
¡ The user attributes do not support multiple values by default, but if you mapped an attribute to an LDAP attribute with multiple values, you could read for a user the attribute department, which has the values Marketing and Distribution. This user would then belong to both virtual groups Marketing and Distribution.
For more information about editing UMEproperties, see Editing UME Properties.
4. Restart the AS Java.
The UME determines group membership at runtime assigning users to groups whenever group membership information is requested.
Lopa de Leeuw wants to create a virtual group for each campus her company has: Sheffield in the United Kingdom, and Josefiau and Lehen in Salzburg, Austria. She already mapped the location attribute in her company’s namespace to the location attribute in her company’s directory server.
1. Lopa defines the attribute and namespace to be used for the virtual groups in the UME properties:
2. Lopa defines the names to be used for the virtual groups and the prefix:
3. Lopa restarts the AS Java.
The UME calculates membership in the virtual groups Campus_Sheffield, Campus_Josefiau, and Campus_Lehen based on the contents of the attribute location for users whenever it is required.