Constraints for UME with ABAP Data Source

When you use an AS ABAP as the data source for user management data, the following constraints apply when using the tools of the AS Java.

Password Management

Due to the security policy of the AS ABAP, users can change their passwords only once per day. This is true even if an administrator provides a new password. However, when an administrator provides a new password, the user can and must change his or her password at the next logon.

Read-Only and Read-Write Access to the ABAP User Management

The file dataSourceConfiguration_abap.xml grants the UME read-write access to the AS ABAP. Write access to the AS ABAP system fails if one of the following is true for the system user that handles the communication between the UME and the AS ABAP (default name SAPJSF):

- The user has no ABAP role

- The user is assigned to an ABAP role with read-only access

When the AS Java starts, the UME checks the roles assigned to the system user and if it finds no roles or only the role SAP_BC_JSF_COMMUNICATION_RO, the UME switches to read-only access for users located in the ABAP system.

- If the UME has read-only access, you cannot modify user attributes stored in the ABAP system, such as first name and last name. You can modify attributes stored in the UME database, such as street. Even if read-only access is assigned, users can still change their own passwords.

- If the UME has read-write access, you can create users using the AS Java tools. They are stored as users in the AS ABAP. Extended user data that cannot be stored in the standard AS ABAP user record is stored in the database of the UME.

To enable read-write access to the system user, assign the system user the ABAP role SAP_BC_JSF_COMMUNICATION. For more information, see Requirements for the System User for UME-ABAP Communication.

Note

You can activate the self-registration and maintain-own-profile functions provided by the UME. In this way users can change their e-mail address, which they cannot change using the tools provided in the ABAP system. For more information, see User Profile and Self-Registration.

UME User Attributes and the AS ABAP

The following table lists the user attributes that can be read from or written to the AS ABAP. This list is fixed and cannot be extended. Attributes without an entry for Field Name in the Identity Management User Interface do not appear in the user interface and are only available from the UME API. Attributes that do not appear in this table are only stored in the database of the AS Java (for example: Street, City, State/Province, Zip/Postal Code).

UME User Attributes Stored in the AS ABAP

Logical Name of the UME Attribute | Field Name in the Identity Management User Interface | Comments and Field Name in ABAP User Management

company | Company | User Group for Authorization Check

CREATED_BY |  | Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier.

department | Department | Department

email | E-Mail Address | E-Mail Address

fax | Fax | Fax

firstname | First Name | First name

islocked | User Account Locked |

ispassworddisabled | Disable Password | Can only be reset by assigning a new password.

j_password | Editable when entering passwords. |

jobtitle | Position | Function

LAST_MODIFIED_BY |  | Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier.

lastname | Last Name | Last name

lastsuccessfullogon |  | Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier.

locale | Language | The UME uses the Logon Language attribute to determine the language part of the locale. If this attribute is empty, the UME uses the Language of the Person. The UME uses the Country attribute of the user's Company to determine the country part of the locale. Note: When the UME writes a locale to the back end, the language part of the locale is written to the Logon Language attribute. However, the UME cannot write to the Country attribute. You must change this manually in the ABAP back-end system.

lockreason |  | Only administrative locks can be set explicitly. Locks due to failed logon attempts are set implicitly.

logonalias | Logon Alias | Alias

mobile | Mobile | Mobile Phone

passwordchangerequired |  | Cannot be set explicitly. Implicitly changed by assigning a new password or by a user-initiated password change.

PRINCIPAL_CREATION_DATE | Date of Account Creation | Read-Only. Not filled when back end is SAP NetWeaver 7.0 or earlier.

PRINCIPAL_MODIFY_DATE |  | Read-Only.

referenceuser |  | Reference User

salutation | Form of Address | Title

SecurityPolicy | Security Policy | User Type

sncname |  | SNC name

telephone | Telephone | Telephone

timezone | Time Zone | Time zone

title |  | Academic Title

validfrom | Start Date of Account Validity | Valid from

validto | End Date of Account Validity | Valid to

Contrasting Users in the AS ABAP and the Local Database of the AS Java

The file dataSourceConfiguration_abap.xml enables you to create users only in the ABAP system. Once the UME is configured to use the AS ABAP as a data source, you cannot create users in the database of the AS Java, though you can still delete and edit existing users. ABAP roles determine your write access to the ABAP user management. If you have read-only access, you cannot create any users; the UME does not fall back to creating users in the local database of the AS Java. Nor can you edit or delete users in the AS ABAP without read-write access.

Limitations When Searching for Users

When you use the tool for user management, certain limitations apply:

Limitations of User Search Criteria

Field name or Logical Attribute Name of the UME User Record | Limitation

Creation Date; Date of Last Password Change | The search only considers actions performed using the AS Java tools.

Street; City; State/Province; Zip/Postal Code | The search only considers data stored in the UME tables of the AS Java database. This data is different from the data stored in the ABAP user master data.

Country; Disable Password; End Date of Account Validity; Fax; Form of Address; Language; Mobile; Start Date of Account Validity; Telephone; Time Zone | You cannot search for users on these criteria.

E-Mail Address | Only the first 20 characters are used for searches.

j_password; lastsuccessfullogon; lockreason; passwordchangerequired; sncname; title | You cannot search for users on these attributes.

CREATED_BY; LAST_MODIFIED_BY; PRINCIPAL_MODIFY_DATE; referenceuser | You can search for users on these criteria with the UME API, but not with the search function of the identity management user interface. These attributes do not appear in the user interface of identity management.
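The 20-character e-mail comparison matters whenever an administrator identifies an account by its address (for example, when locking the user behind a reported address): two addresses that agree in their first 20 characters are returned together. The following Python model, an added example that is not part of the SAP documentation, transcribes the table above into a pre-check for planned search criteria and models the truncated comparison; the function names, the sample users and the assumption that the comparison is case-sensitive are constructed, not the UME API.

```python
# Added example (not from the SAP documentation): pre-check of UME search criteria
# against the limitations table, plus a model of the 20-character e-mail comparison.
# Function names, sample users and the case-sensitivity assumption are constructed.
from typing import Dict, List

EMAIL_SEARCH_PREFIX = 20   # page: only the first 20 characters of E-Mail Address are used

# Criterion sets transcribed from the page's "Limitations of User Search Criteria" table.
AS_JAVA_ACTIONS_ONLY = {"Creation Date", "Date of Last Password Change"}
UME_DATABASE_ONLY = {"Street", "City", "State/Province", "Zip/Postal Code"}
NOT_SEARCHABLE = {
    "Country", "Disable Password", "End Date of Account Validity", "Fax",
    "Form of Address", "Language", "Mobile", "Start Date of Account Validity",
    "Telephone", "Time Zone", "j_password", "lastsuccessfullogon", "lockreason",
    "passwordchangerequired", "sncname", "title",
}
API_ONLY = {"CREATED_BY", "LAST_MODIFIED_BY", "PRINCIPAL_MODIFY_DATE", "referenceuser"}


def classify_criterion(name: str, via_api: bool = False) -> str:
    """Describe the limitation that applies to one search criterion ('ok' if none)."""
    if name in NOT_SEARCHABLE:
        return "not searchable"
    if name in API_ONLY:
        return "ok (UME API)" if via_api else "not searchable from the identity management user interface"
    if name in AS_JAVA_ACTIONS_ONLY:
        return "only reflects actions performed with the AS Java tools"
    if name in UME_DATABASE_ONLY:
        return "only reflects data in the UME tables, not the ABAP user master data"
    if name == "E-Mail Address":
        return f"only the first {EMAIL_SEARCH_PREFIX} characters are compared"
    return "ok"


def check_search(criteria: Dict[str, str], via_api: bool = False) -> Dict[str, str]:
    """Classify every criterion of a planned search before running it."""
    return {name: classify_criterion(name, via_api) for name in criteria}


def search_by_email(query: str, users: Dict[str, str]) -> List[str]:
    """Model of the back-end comparison: only the first 20 characters take part
    (assumption: modelled as a case-sensitive comparison)."""
    key = query[:EMAIL_SEARCH_PREFIX]
    return sorted(uid for uid, mail in users.items() if mail[:EMAIL_SEARCH_PREFIX] == key)


def find_user_by_exact_email(query: str, users: Dict[str, str]) -> List[str]:
    """Re-check the full address on the result set before acting on it, so that
    look-alike addresses sharing the first 20 characters are not picked up."""
    return [uid for uid in search_by_email(query, users) if users[uid] == query]


# Constructed sample directory: user ID -> e-mail address.
SAMPLE_USERS = {
    "FGOMEZ": "security-operations@example.com",
    "JDOE": "security-operations@example.org",   # same first 20 characters as FGOMEZ
    "ASMITH": "a.smith@example.com",
}

if __name__ == "__main__":
    print(check_search({"E-Mail Address": "x", "Fax": "x", "CREATED_BY": "ALAIN"}))
    print(search_by_email("security-operations@example.com", SAMPLE_USERS))
    print(find_user_by_exact_email("security-operations@example.com", SAMPLE_USERS))
```

Running the module shows that the search for FGOMEZ's address also returns JDOE, and that only the exact re-check narrows the result to one account.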

Group Management

You cannot change the names of groups that represent roles in the AS ABAP, but you can change user assignments to these groups. To create new groups or change existing groups within the AS ABAP, use the transaction PFCG in the AS ABAP.

The following limitations exist for UME groups that represent roles in the AS ABAP:

- You can only assign ABAP users to UME groups that represent ABAP roles.

- The UME cannot show a user-group assignment when the current date is outside the validity period of the corresponding user-role assignment in the AS ABAP. If you try to assign a UME group to a user when the user is already assigned to the corresponding ABAP role, but the current date is outside the validity period, you receive an error message.

- If a role assignment to a user in ABAP is by means of a collective role or organizational management, you cannot unassign the user from the corresponding UME group.

- If a role assignment to a user in ABAP is by means of an indirect assignment through a reference user (visible in transaction SU01), you cannot unassign the user from the corresponding UME group.

- If a role assignment to a user in ABAP is by means of direct and indirect assignment simultaneously, you cannot unassign the user from the corresponding UME group.

Example

Alain the user administrator has assigned user FGOMEZ to the roles Z_DIRECT and Z_COLLECT. Z_COLLECT is a collective role including the role Z_DIRECT. When Alain uses identity management of the AS Java, he cannot unassign FGOMEZ from the UME group Z_DIRECT, because this ABAP role is also assigned indirectly by the ABAP role Z_COLLECT.

New groups created with the UME are stored as UME groups in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UME groups. You can also assign the groups that represent ABAP roles to UME groups; however, such indirect role assignments are not written to the back-end ABAP system. So a user is a member of the indirectly assigned group based on the ABAP role, but that user does not have the ABAP authorizations contained in that role.

Example 

Alain the user administrator has assigned the UME group Z_DIRECT (based on the ABAP role of the same name) to the UME group Everyone. When Alain looks at the details of any user in the system, he sees that the user is a member of the group Z_DIRECT. When Alain checks the user in the AS ABAP, none of the users have the authorizations associated with that ABAP role.
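The rules in the list above and the two examples amount to two checks an administrator needs when reviewing access: which ABAP-role memberships cannot be removed from the UME, and where UME group membership diverges from actual ABAP authorizations. The following Python model, an added example that is not part of the SAP documentation, encodes those rules. FGOMEZ, Z_DIRECT, Z_COLLECT and Everyone follow the page's examples; the classes, function names, the users REFUSER, JSMITH, EXPIRED and NOROLES, and the validity dates are constructed assumptions, not the UME API.

```python
# Added example (not from the SAP documentation): a model of the UME group / ABAP role
# rules described on the page. Classes, function names, sample users and dates are
# constructed; role and group names follow the page's two examples.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set, Tuple

Validity = Tuple[date, date]
FOREVER = date(9999, 12, 31)


@dataclass
class AbapUser:
    name: str
    # Direct role assignments as maintained in transaction SU01, with validity period.
    direct_roles: Dict[str, Validity] = field(default_factory=dict)
    reference_user: Optional[str] = None   # indirect assignment via a reference user


COLLECTIVE_ROLES = {"Z_COLLECT": {"Z_DIRECT"}}   # page example: Z_COLLECT includes Z_DIRECT
ABAP_ROLE_GROUPS = {"Z_DIRECT", "Z_COLLECT"}     # UME groups that represent ABAP roles
# Constructed UME-side nesting: group -> groups assigned to it (its member groups).
# Page example 2: Z_DIRECT assigned to Everyone, so Everyone is a member of Z_DIRECT.
UME_GROUP_MEMBERS = {"Z_DIRECT": {"Everyone"}}


def _expand_collective(roles: Set[str]) -> Set[str]:
    """Close a role set over collective roles."""
    out, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in out:
            out.add(role)
            stack.extend(COLLECTIVE_ROLES.get(role, ()))
    return out


def _valid_direct(user: AbapUser, today: date) -> Set[str]:
    """Direct assignments whose validity period covers `today`."""
    return {r for r, (start, end) in user.direct_roles.items() if start <= today <= end}


def effective_abap_roles(user: AbapUser, users: dict, today: date) -> Set[str]:
    """Roles that actually grant ABAP authorizations: valid direct assignments,
    roles included via collective roles, and roles of the reference user."""
    roles = _expand_collective(_valid_direct(user, today))
    if user.reference_user:
        roles |= effective_abap_roles(users[user.reference_user], users, today)
    return roles


def indirect_abap_roles(user: AbapUser, users: dict, today: date) -> Set[str]:
    """Roles the user holds by way of a collective role or a reference user."""
    indirect = set()
    for role in _valid_direct(user, today):
        indirect |= _expand_collective({role}) - {role}
    if user.reference_user:
        indirect |= effective_abap_roles(users[user.reference_user], users, today)
    return indirect


def can_unassign_ume_group(user: AbapUser, group: str, users: dict, today: date) -> bool:
    """Page rule: unassigning an ABAP-role group fails when the role comes via a
    collective role, via a reference user, or via direct and indirect assignment at once."""
    if group not in ABAP_ROLE_GROUPS:
        return True                                  # local UME group: no ABAP constraint
    if group not in _valid_direct(user, today):
        return False                                 # no visible direct assignment to remove
    return group not in indirect_abap_roles(user, users, today)


def assign_ume_group(user: AbapUser, group: str, today: date) -> None:
    """Page rule: assigning an ABAP-role group the user already holds outside its
    validity period is rejected with an error (only ABAP-role groups are modelled)."""
    if group in user.direct_roles:
        start, end = user.direct_roles[group]
        if not (start <= today <= end):
            raise ValueError(f"{user.name} already holds {group} outside validity {start}..{end}")
    user.direct_roles[group] = (today, FOREVER)


def assignment_rejected(user: AbapUser, group: str, today: date) -> bool:
    """True if assign_ume_group() would report the validity-period error."""
    try:
        assign_ume_group(user, group, today)
        return False
    except ValueError:
        return True


def ume_groups(user: AbapUser, users: dict, today: date) -> Set[str]:
    """Memberships as the UME displays them: ABAP-role groups within validity plus
    nesting through local UME groups, which grants no ABAP authorizations."""
    groups = {"Everyone"} | effective_abap_roles(user, users, today)
    changed = True
    while changed:
        changed = False
        for parent, members in UME_GROUP_MEMBERS.items():
            if parent not in groups and members & groups:
                groups.add(parent)
                changed = True
    return groups


# Constructed sample users; FGOMEZ matches the page's first example.
TODAY = date(2024, 1, 15)
USERS = {
    "FGOMEZ": AbapUser("FGOMEZ", {"Z_DIRECT": (date(2020, 1, 1), FOREVER),
                                  "Z_COLLECT": (date(2020, 1, 1), FOREVER)}),
    "REFUSER": AbapUser("REFUSER", {"Z_DIRECT": (date(2020, 1, 1), FOREVER)}),
    "JSMITH": AbapUser("JSMITH", reference_user="REFUSER"),
    "EXPIRED": AbapUser("EXPIRED", {"Z_DIRECT": (date(2020, 1, 1), date(2023, 12, 31))}),
    "NOROLES": AbapUser("NOROLES"),
}

if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "ABAP:", sorted(effective_abap_roles(user, USERS, TODAY)),
              "UME:", sorted(ume_groups(user, USERS, TODAY)),
              "can unassign Z_DIRECT:", can_unassign_ume_group(user, "Z_DIRECT", USERS, TODAY))
```

The output reproduces both examples: FGOMEZ cannot be unassigned from Z_DIRECT because Z_COLLECT also includes it, and NOROLES appears as a member of Z_DIRECT through Everyone while holding no ABAP role at all. Anyone auditing access from the UME side therefore has to read effective ABAP roles, not UME group membership.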

 

Role Management

Like groups, new roles created with the UME are stored as UME roles in the local database of the AS Java. With the UME, you can assign users from the AS ABAP to these UME roles. You can also assign the groups that represent ABAP roles to UME roles.

Delay in the Display of ABAP Roles in the UME

If you create a new ABAP role or change the description of an existing ABAP role in the AS ABAP, these changes may not be visible in the UME for up to 30 minutes. The UME reads this data from the AS ABAP every 30 minutes, so when a change becomes visible depends on when the UME last read the data. To force the UME to read the data from the AS ABAP immediately, you must restart the AS Java.

Limited Operations for the System User

The system user for UME-ABAP communication cannot log on to the UME. This prevents the system user from being locked out due to failed logon attempts. For this system user, no user management operations in the UME are possible.

UME Security Policy Configuration

To prevent a conflict between the UME and AS ABAP security policies, the UME ignores its own security policy to some extent when the AS ABAP is the data source.

For more information about the security policy in the AS Java, see Security Policy.

For more information about the security policy settings in the AS ABAP, see Profile Parameters for Logon and Password (Login Parameters).

Changing Data Source

Once you have chosen this data source configuration, you cannot change to any other data source configuration. For details, see SAP Note 718383.

For more information about other data source configuration files, see Data Source Configuration Files.

Language of the System User

The system user for UME-ABAP communication is configured to use a specific language in the AS ABAP. The language setting used for the system user determines the value of the user attribute Form of Address returned from the AS ABAP. We recommend that you configure the language of the system user to match the language preferred by a majority of the UME or portal users. Only make changes to the attribute Form of Address in the AS ABAP. For details, see SAP Note 866367.

Time Zone Mapping

The AS ABAP and AS Java use different concepts for displaying time zones. The AS ABAP uses generic regional designations, such as Central European Time (CET). The AS Java designates time zones by region and city, such as Europe/Rome and Europe/Berlin.

You can configure a mapping between these time zone concepts. The AS Java gets this information from the AS ABAP through the RFC destination I18NBackendConnection. In an AS ABAP + AS Java combined installation, this destination is configured automatically. If you configure an AS Java to use an AS ABAP as a data source, you must configure this destination manually. Assign the connection user (default name SAPJTIME) the ABAP role SAPI18N. For more information, see Maintaining RFC Destinations.

Password Lock

A password lock occurs when a user attempts to log on and enters the wrong password too many times. You cannot unlock a password lock from the AS Java user management application, as you can when the data source is the database of the AS Java, because the back-end AS ABAP does not support this unlock function. Instead, you must assign a new initial password to the user. The user can then log on with the new password.

ABAP Messages in the UME User Interface

The ABAP back-end system reports error messages or warnings to the UME user interface localized for the user currently logged on.

For back-end systems with a release SAP NetWeaver 7.0 or earlier, these messages appear in a technical nonlocalized notation.

More Information

Constraints for the UME and Central User Administration
