Show TOC

Background documentationDefault Security Policy Profiles Locate this document in the navigation structure

 

SAP NetWeaver Application Server (AS) Java delivers default security policy profiles. The security policy profiles are used to distinguish normal dialog users from technical users used to access a specific service or conduct system-to-system communication. It determines, for example, if the password of a user can expire or if it must be changed after the initial logon. The security policy also determines if the user can log on or not. You can only modify the Default profile and any custom profiles you create.

The table below provides an overview of the default security policy profiles.

Default Security Profiles of SAP NetWeaver AS Java

Profile Name

Description

Default

Used for regular generic users. The profile can be displayed and modified.

Users of this type have the following characteristics:

  • Can be used to log on to the AS Java

  • Normal password rules apply, for example the user's password can expire or the password must be changed after initial logon

  • Created by administrators, during self-registration, or read from external user management engine (UME) data sources. The administrator and guest users are created automatically during installation.

  • UME maps (A) Dialog users from the AS ABAP data source to this type

    Well known standard users of this type include: Administrator and Guest.

Technical User

Used for system-to-system communication. You can display the profile, but you cannot modify it directly. This profile is based on the Default profile. Changes to the Default profile, with the exception of the Password Validity Period, apply to the Technical User profile. The Password Validity Period of the Technical User profile is always 0.

Users of this type have the following characteristics:

  • Can be used to log on to the AS Java

  • Password does not expire

  • Some created automatically (SAPJSF), some by the user administrator

  • UME maps (B) System users from the AS ABAP data source to this type

    Well known standard users of this type include: SAPJSF and ADSuser.

    Although SAPJSF is a standard technical user, you cannot log on to the AS Java with it for security reasons.

    For more information, see User Management of Application Server ABAP as Data Source.

Internal Service User

Used to perform internal operations, for example PCD ACL operations for a portal. The profile cannot be displayed or modified.

Users of this type have the following characteristics:

  • Cannot be used to log on

  • Usually do not have passwords

  • Normally created automatically

  • Users exist only in the Java database, does not map to other data sources

  • Type cannot be changed

    Well known standard users of this type include: pcd_service, config_fwk_service, ume_service

Unknown

Not a profile, but a category for AS ABAP user types that cannot be mapped to one of the UME listed above.

  • UME maps AS ABAP users of type (C) Communication, (S) Service, and (L) Reference to this profile

  • Password rules of the back-end AS ABAP and ability to log on apply according to the AS ABAP user type

The standard users created during installation vary depending on the data source that you use.

For more information and standard naming conventions, see Standard Users and Standard User Groups.

Changing the Security Policy

Using identity management of the AS Java, you can freely change the security policy of users with the Default, Technical User, or a custom security policy to Default, Technical User, or another custom security policy. You cannot change the security policy of users with the Internal Service User security policy. You can change the security policy of users with the Unknown security policy to Default, Technical User, or a custom security policy, but you cannot change it back again, unless you change the user type in ABAP user management.

More Information

Creating a Technical User