Assign Users from External Platforms to Jobs with Credentials

 

To run jobs on external platforms as a specific user, you can specify the user and password in the Run As User field of the job definition, or you can use credentials. Credentials store login details for users on external systems centrally and securely. When the password of a user changes, you change it on the credential and the change takes effect immediately; if you had specified the user explicitly on job definitions, you would have to change the password on every job definition, which is error-prone. Credentials are part of the Security section of the navigation bar.

Note: SAP strongly recommends the use of credentials over specifying a username and password in the Run As User field.

The built-in login credential protocol is used to authenticate users against the remote system defined in Endpoint.

Note: The value in Endpoint must match the value of the RemoteHostName process server parameter for the corresponding process server. The central server must be able to resolve the hostname entered.

Actions

Credentials support the following actions:

| Action | Description |
| --- | --- |
| Edit | Edit the credential |
| Edit Security | Edit the security of the credential |
| Delete | Delete the credential |
| Expand All | Expand all credentials in the current filter |
| New | Create a new credential |

Standard Credentials

With standard credentials, you specify the username in the Run As User field of a job definition. When the job gets allocated to a process server, SAP CPS retrieves the credential by searching for a credential where the following conditions are met:

  • the process server parameter RemoteHostName matches the value of Endpoint

  • the value of the Run As User matches the value of Real User

The Password is used in combination with the value of Run As User to log on and execute the code in the job.

When either condition is not met, the job is put into status Error, as no password could be found for the user on that system.

You use standard credentials when the usernames and passwords of specific users are the same across systems.

Virtual Credentials

Virtual credentials allow you to refer to a user by the same name across several systems, although the actual username and password are different on each. When the job gets allocated to a process server, SAP CPS retrieves the credential by searching for a credential that meets the following conditions:

  • the process server parameter RemoteHostName matches the value of Endpoint

  • the value of the Run As User matches the value of the Virtual User (the {Virtual}: prefix is trimmed)

The Real User and Password from the credential are then used to log on and execute the code in the job.

When either condition is not met, the job is put into status Error, as no username and password could be found for the user on that system.

You use virtual credentials when the usernames and passwords of specific users are different across systems.

For example, all your systems could have a virtual user named erpuser which has a different username and password on one or more systems. In the Run As User field of the job definition you can then specify {Virtual}:erpuser. The credential with the Virtual User erpuser is used; the actual username and password can differ across systems. See the Example section below.

Syntax

When you need to specify a standard credential in the Run As User field of a job definition, provide just the username of the user for UNIX and VMS systems. On Windows, you might need to specify a Windows domain; use [domain\]username, for example masalan\jdoe.

On Windows, the syntax without credentials for the Run As User is [domain\]username/password, for example masalan\jdoe/mysecret or jdoe/mysecret; on UNIX and OpenVMS it is username.

Summary

| | Standard Credentials | Virtual Credentials |
| --- | --- | --- |
| Run As User value | username | {Virtual}:vuser |
| Lookup by | Username=username, EndPoint=RemoteHostName | VirtualUser=vuser, EndPoint=RemoteHostName |
| Result | Password | Username, Password |

Security

To use a credential, the user must have sufficient privileges, like Credential.view system privileges or corresponding object privileges.

To create a credential, you need to have privileges to see the credential protocol you want to use.

| Privilege | Description |
| --- | --- |
| Credentials.Create | Create credentials |
| Credentials.Delete | Delete credentials |
| Credentials.Edit | Edit credentials |
| Credentials.View | Access credentials |

You can grant privileges on two levels, Access and Admin; a privilege granted on Admin level allows the grantee to grant the privilege to other users. These privileges can be granted system-wide, per partition or isolation group.

You specify which users can access, edit, and delete the credential on the Security tab of the credential.

Note: Be very careful when you create credentials, and make sure that only specific users can use them. A credential allows you to log onto a system without a password and can potentially cause havoc if you are not careful.

Procedure

Create a credential

  1. Navigate to Security → Credentials.

  2. Choose New from the context menu and enter a hostname in the Endpoint field (the hostname must match the RemoteHostName process server parameter).

  3. Specify the username and password, which in most cases are case-sensitive.

  4. Choose Save and Close.

Use a credential

  1. Navigate to Definitions → Job Definitions.

  2. Choose Edit from the context menu of a job definition that runs on an external platform.

  3. On the Source tab, enter the username of the user provided in a credential.

  4. Submit the job and choose a queue that is served by a process server running on the Endpoint specified in the credential.

Values

| Field | Description |
| --- | --- |
| Protocol | The protocol used for the credential; login is the default |
| Endpoint | The hostname of the system where the user is valid; this must be set to the same value as the RemoteHostName process server parameter |
| Real User | The username of the user on the endpoint |
| Password | The password of the user on the endpoint |
| Virtual User | The virtual username for the user |

Example

The production ERP system at Masalan Inc has an additional development and a quality assurance system; job definitions are developed and tested before they reach production. To ease the pain of migration, Masalan Inc uses the virtual user property of their credentials. The following accounts are used to run the jobs on the different systems:

  • pr1adm - production system

  • qa1adm - quality assurance system

  • dv1adm - development system

Note: The use of administrative SAP users is for illustration purposes only; you should not use these accounts without your SAP Administrator knowing.

In the development system, you create a credential as follows:

| Field | Value |
| --- | --- |
| Protocol | login |
| Endpoint | dv1.masalan.com |
| Real User | dv1adm |
| Password | someGoodSecret |
| Virtual User | erpuser |

In the quality assurance system, you create a credential as follows:

| Field | Value |
| --- | --- |
| Protocol | login |
| Endpoint | qa1.masalan.com |
| Real User | qa1adm |
| Password | someGoodSecret |
| Virtual User | erpuser |

In the production system, you create a credential as follows:

| Field | Value |
| --- | --- |
| Protocol | login |
| Endpoint | pr1.masalan.com |
| Real User | pr1adm |
| Password | someGoodSecret |
| Virtual User | erpuser |

Job definitions that need to run as the environment-specific user contain {Virtual}:erpuser in the Run As User field. The job definition can be migrated without changing the Run As User field, because in each system the correct user is used to execute the code.
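
The lookup rules from the Summary section, applied to the Masalan credentials above, as an added Python model (not SAP CPS code or its API). `resolve` performs the Endpoint/RemoteHostName and user match, and `audit` flags job definitions that still embed a password in Run As User or match no credential on the target host. The class, the function names, the job names and the exact string comparison of hostnames are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

VIRTUAL_PREFIX = "{Virtual}:"

@dataclass(frozen=True)
class Credential:
    endpoint: str                     # must equal the RemoteHostName parameter
    real_user: str
    password: str
    virtual_user: Optional[str] = None

# Constructed sample data: the three credentials from the example above.
CREDENTIALS = [
    Credential("dv1.masalan.com", "dv1adm", "someGoodSecret", "erpuser"),
    Credential("qa1.masalan.com", "qa1adm", "someGoodSecret", "erpuser"),
    Credential("pr1.masalan.com", "pr1adm", "someGoodSecret", "erpuser"),
]

# Constructed job definitions: (name, Run As User, RemoteHostName of the process server).
SAMPLE_JOBS = [
    ("ERP_Export", "{Virtual}:erpuser", "qa1.masalan.com"),
    ("Legacy_Copy", "masalan\\jdoe/mysecret", "pr1.masalan.com"),
    ("Orphan_Job", "{Virtual}:erpuser", "dv2.masalan.com"),
]

def has_inline_password(run_as_user):
    # The non-credential Windows form is [domain\]username/password.
    return not run_as_user.startswith(VIRTUAL_PREFIX) and "/" in run_as_user

def resolve(run_as_user, remote_host_name, credentials=CREDENTIALS):
    """Return (real_user, password), or None when no credential matches."""
    if run_as_user.startswith(VIRTUAL_PREFIX):
        wanted, field = run_as_user[len(VIRTUAL_PREFIX):], "virtual_user"
    else:
        wanted, field = run_as_user, "real_user"
    for cred in credentials:
        if cred.endpoint == remote_host_name and getattr(cred, field) == wanted:
            return cred.real_user, cred.password
    return None  # the page's failure case: the job is put into status Error

def audit(job_definitions, credentials=CREDENTIALS):
    """List job definitions that embed a password or match no credential."""
    findings = []
    for name, run_as_user, host in job_definitions:
        if has_inline_password(run_as_user):
            findings.append((name, "inline password"))
        elif resolve(run_as_user, host, credentials) is None:
            findings.append((name, "no matching credential"))
    return findings
```

Calling `audit(SAMPLE_JOBS)` reports Legacy_Copy for its embedded password and Orphan_Job because no credential exists for dv2.masalan.com; ERP_Export resolves to qa1adm and is not reported.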