
User Management

 

User management for SAP NetWeaver Enterprise Search uses the mechanisms provided with the SAP NetWeaver Application Server ABAP, for example, tools and user types.

We recommend replicating the ABAP users from the back-end system that is configured as the central user administration (CUA) in your system landscape to SAP NetWeaver Enterprise Search.

For more information about user management in SAP NetWeaver in general, see the SAP NetWeaver Application Server ABAP Security Guide.

Password Policy

SAP NetWeaver Enterprise Search has stricter password guidelines; all passwords must meet the following requirements:

  • They must be at least eight characters long.

  • They must contain at least one uppercase letter.

  • They must contain at least one digit.

  • They must contain at least one special character.

User Management for File Search with Authorization Checking

If you want to use file search with authorization checking in SAP NetWeaver Enterprise Search, you must connect SAP NetWeaver Enterprise Search to the MS Active Directory Server that contains all users relevant for the file search, that is, all users that are defined for the file search. For this purpose, the users in the LDAP directory of the customer's MS Active Directory are extracted and stored in the LDAP cache of the Application Server ABAP used by SAP NetWeaver Enterprise Search. The user cache entries are stored in the SEFS_LDAP_USER cache table and the group cache entries are stored in the SEFS_LDAP_GROUP cache table.

Crawls in the file system for which authorization checking is enabled include the authorization information of the crawled files and directories. On the basis of this data, SAP NetWeaver Enterprise Search checks the results of the search requests for authorization and displays only those results for which the user performing the search has authorization.

More information: Authorization Checking for File Search

User Management Tools for the SAP NetWeaver Enterprise Search LDAP Cache

Apart from the standard SAP NetWeaver tools used for general user administration, you can use the following tools to administer the LDAP user and group caches:

| Tool | Description |
|---|---|
| Transaction SE16 | For viewing the contents of the user and group caches with the Data Browser. |
| Report RSEFS_LDAP_USERGROUP_UPDATE | For updating the group cache. |
| Report RSEFS_LDAP_USER_UPDATE | For updating the user cache. |
| Report RSEFS_LDAP_USER_DELETE | For deleting the user cache. |
| Report RSEFS_LDAP_USERGROUP_DELETE | For deleting the group cache. |

More information: Managing the User Cache and Group Cache for the File Search
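The following sketch is an added illustration, not SAP code: it models the result filtering described under "User Management for File Search with Authorization Checking" and shows why the cache update reports matter, since a search decision made from cached memberships lags behind the directory until the caches are refreshed. All structures, names, and sample data are constructed and hypothetical; they do not reflect the real layout of SEFS_LDAP_USER or SEFS_LDAP_GROUP.

```python
# Constructed sample data. The structures and names below are hypothetical and
# do not reflect the real layout of SEFS_LDAP_USER or SEFS_LDAP_GROUP.
USER_CACHE = {"alice", "bob"}                      # users known to the cache
GROUP_CACHE = {"finance": {"alice", "bob"},        # group -> cached members
               "engineering": {"bob"}}
DIRECTORY_GROUPS = {"finance": {"alice"},          # directory today: bob left
                    "engineering": {"bob", "carol"}}  # finance, carol joined
CRAWLED_ACLS = {                                   # file -> principals allowed to read
    "/share/finance/budget.xlsx": {"finance"},
    "/share/eng/design.docx": {"engineering"},
    "/share/home/alice/notes.txt": {"alice"},
    "/share/hr/salaries.xlsx": {"hr"},
}

def principals(user, group_cache):
    """The user plus every cached group that lists the user as a member."""
    return {user} | {g for g, members in group_cache.items() if user in members}

def trim_results(user, hits, user_cache, group_cache, acls):
    """Keep hits whose crawled ACL names one of the user's cached principals.
    Users missing from the cache and files without ACL data get nothing."""
    if user not in user_cache:
        return []
    who = principals(user, group_cache)
    return [path for path in hits if acls.get(path, set()) & who]

def cache_drift(group_cache, directory_groups):
    """Per group: members the cache still grants (stale) or does not know yet."""
    drift = {}
    for group in sorted(set(group_cache) | set(directory_groups)):
        cached = group_cache.get(group, set())
        current = directory_groups.get(group, set())
        if cached != current:
            drift[group] = {"stale": sorted(cached - current),
                            "missing": sorted(current - cached)}
    return drift

if __name__ == "__main__":
    hits = list(CRAWLED_ACLS)
    print("bob, stale cache: ", trim_results("bob", hits, USER_CACHE, GROUP_CACHE, CRAWLED_ACLS))
    print("drift:            ", cache_drift(GROUP_CACHE, DIRECTORY_GROUPS))
    fresh_users = set().union(*DIRECTORY_GROUPS.values())
    print("bob, after update:", trim_results("bob", hits, fresh_users, DIRECTORY_GROUPS, CRAWLED_ACLS))
```

With the stale cache, bob still sees the finance file he no longer has rights to, and carol sees nothing until the user and group caches are updated.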

User Types

It is often necessary to define different security policies for different types of users. For example, one policy can specify that individual users that log on actively to the system to perform various tasks have to change their password at regular intervals, while other users that the system requires for background processing should not change their password at regular intervals.

The user types that are required for SAP NetWeaver Enterprise Search include:

  • Search users:

    Information users who enter search requests. For this user type, SAP NetWeaver Enterprise Search provides the ABAP composite role SAP_ESH_RFC_ENDUSER. Search users must be assigned this role to be able to use the SAP NetWeaver Enterprise Search search functions.

  • Administrator users:

    Hardware partners, system administrators, and business specialists working on the customer side. For this user type, SAP NetWeaver Enterprise Search provides the ABAP composite role SAP_ESH_ADMIN.

    Note: The SAP NetWeaver Enterprise Search roles designed for this user type and the roles contained in them provide the authorizations required for the administration of SAP NetWeaver Enterprise Search. They do not include any generic system privileges required to administer the underlying SAP system.

  • Support users:

    Support staff who analyze the runtime configuration when problems occur but who must not be allowed to change the configuration. For this user type, SAP NetWeaver Enterprise Search provides the ABAP role SAP_ESH_SUPPORT.

  • Technical users:

    Users that are used only for anonymous system-to-system communication.

For more information about roles and authorizations, see Authorizations.

Standard Users Available After the Installation

Operating System Users

| User | Primary Group | Comments |
|---|---|---|
| <sapsid>adm | sapsys | SAP system administrator |
| sapadm | sapsys | SAP system administrator |
| sdb | sdba | Owner of the database software |
| sqd<dbsid> | sapsys | Database owner (that is, the owner of the database tables) |

SAP System Users

| User Type | User Name | Comments |
|---|---|---|
| SAP system user (AS ABAP) | SAP* | User exists at least in SAP system clients 000, 001. |
| | DDIC | User exists at least in SAP system clients 000, 001, and 002. |
| | SAPJSF | Required for RFC communication between the user management functions of the Application Server Java and Application Server ABAP. |
| Administration user | Search_Admin | This user is required to configure SAP NetWeaver Enterprise Search. The Search_Admin user is an ABAP dialog user. It contains the roles SAP_J2EE_ADMIN and SAP_SLD_ADMINISTRATOR. Its initial password is the master password. The first time that you log on, you must change the initial password. SAP strongly recommends that you also change the password at regular intervals. |

Database Users

| User Type | User Name | Comments |
|---|---|---|
| SAP database user | SUPERDBA | Database administration user |
| | CONTROL | Database manager operator with full server authorization |
| | SAPR3 | Database administrator |
| | SAP<SAPSID> | Database administrator |
| | SAP<SAPSID>DB | Database administrator |
| MaxDB database user | DBADMIN | Database administrator |
| | DBA | Database administrator |
| | DBM | Database manager operator with full server authorization |

For more information about the standard database users, see the MaxDB Security Guide.

Users Created During Automatic Configuration

| User Type | User Name | Comments |
|---|---|---|
| Technical/Service user | SEARCH_CONN | This system user is used for the ICF services /sap/bc/webdynpro/sap/esh_adm_smoketest_files and /sap/es/getdocument. It contains the roles SAP_ESH_ADMIN and SAP_ESH_RFC_ENDUSER. The initial password is the master password. You must not change the password. |
| Service user | | Extraction user created in the SAP NetWeaver Enterprise Search ABAP system. It is required in the RFC connections between the back-end systems and the Enterprise Search ABAP system that are used for data extraction. All RFC connections from the R/3 back-end systems that are connected to SAP NetWeaver Enterprise Search use this system user to transfer data to SAP NetWeaver Enterprise Search. The system creates this user automatically as soon as it is required to communicate with an R/3 back-end system for the first time. |