adm900 en col10 vlc fv part a4


Upload: pablo-jorge-berganza-carvallo

Post on 11-Sep-2015


ADM900 SAP System Security Fundamentals

PARTICIPANT HANDBOOK, VIRTUAL LIVE CLASSROOM

Course Version: 10
Course Duration: 2 Day(s)
Material Number: 50117500

Duplication is prohibited.

SAP Copyrights and Trademarks

2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

    Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.


All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

    Copyright . All rights reserved. iii


VLC About This Handbook

This handbook provides you with basic information for attending your virtual live classroom session.

Adobe Connect Support Information

Web and audio support is available by:
- Pressing *0 from within the audio-conferencing
- Calling the support hotline numbers listed below
- Emailing the PGI support hotline below

Global PGI Support Hotline for SAP Education (24/7)
Tel: +1 800-368-1945
Tel: +1 719-234-7915
Note: After dialing in, press option 2 for technical support. You will then be presented with two options: press 1 for Audio support, or press 2 for Web support.
Email: [email protected]

Setting up your Learning Environment

Ideally you want to be in a private room when participating in a synchronous (live) event. In reality, you may not be able to arrange that. Here are some tips for maximizing your learning environment:
- Create an inspirational office/studio to work in
- Use a comfortable chair
- Use well designed and functional computer peripherals
- Keep a log or journal of notes and ideas you can use for future sessions

Before your online class:
- Tell co-workers you will be in class (send e-mail)
- Post a sign indicating when you will be free again (when class is over)
- Use a headset instead of your computer speakers to minimize disruption of others
- Ignore people who try to get your attention
- Turn off the ringers / alerts on telephone, pager, and cell phone
- Turn off e-mail and instant message alerts
- Remove other distractions lying on your desktop
- Keep a glass of water at your desk

Teleconferencing ground rules:
- Use the mute button or press *6
- Do not place call on hold


- Use the "Raise hand" icon in the Attendee List: My Status to indicate you want to ask a question
- Identify yourself before speaking, when not called on
- Charge the batteries for your cordless handset
- If possible use a land line instead of your cell phone

Minimum Hardware Requirements
- PC with 1 GHz processor or higher. Minimum 1 GHz processor recommended for screen sharing. You may be asked to share your screen during the hands-on exercise portion of the virtual class.
- 17 inch or larger monitor is recommended, set at 1024 X 768. A larger monitor and the 1024 X 768 setting will make presentation and system screens easier to read.
- Phone with Headset/Microphone or Speakerphone feature to maximize student listening and comfort during presentation and demonstration portions of the course.

Software Requirement
A complete list of supported Operating Systems, browsers and additional requirements for Adobe Acrobat Connect can be found at: www.adobe.com/products/acrobatconnectpro/systemreqs

Sample Email to Notify Others You Are in a Virtual Class
This is a sample of an email you can send to your colleagues and manager when you are taking an online course.

Dear colleagues,
Today I will be participating in an online class from my desk. I will be online from approximately 9:30 a.m. to 5:30 p.m. EST. I would appreciate it if you would not disturb me during this time. If you have an immediate question, please contact Joe Smith at extension 123. I appreciate your consideration.
Best regards,

Getting the Most Out of Your Session

Session Guidelines
- Turn off email, phones, instant messaging tools, and clear other distractions away from your training area.
- Participate and prepare to be called on by name.
- Use the Raise Hand icon if you have an immediate question or comment.
- Be patient waiting for a response to your chat messages.
- If you leave the program, please use the Step Away status icon in the Attendee List pod to let your instructor know when you leave, and remember to clear it when you return.


About This Handbook

This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions

American English is the standard used in this handbook. The following typographic conventions are also used:
- This information is displayed in the instructor's presentation
- Demonstration
- Procedure
- Warning or Caution
- Hint
- Related or Additional Information
- Facilitated Discussion
- User interface control: Example text
- Window title: Example text


Contents

xi Course Overview

1 Unit 1: Security Fundamentals
2 Lesson: Review Security Fundamentals

19 Unit 2: Basic User Administration AS ABAP and AS Java
20 Lesson: Implementing Basic User Administration AS ABAP
27 Exercise 1: Create Users in AS ABAP
35 Exercise 2: Work with Roles
42 Lesson: Implementing Basic User Administration AS Java
63 Exercise 3: Implement User and Group Administration

77 Unit 3: Advanced User Administration Topics
78 Lesson: Implement Central User Administration (CUA)
95 Exercise 4: Distribute User Data with CUA
100 Lesson: Work with Directory Services
107 Lesson: Describe SAP Governance, Risk, and Compliance (GRC) 10.0
137 Exercise 5: Run Reports and View Dashboards
143 Lesson: Work with Identity Management

161 Unit 4: Infrastructure Security
162 Lesson: Review Network Topology
174 Lesson: Enable Secure Network Communication (SNC)
189 Lesson: Enable Secure Socket Layer (SSL)

209 Unit 5: Single Sign on in SAP Systems
210 Lesson: Implementing Single Sign-On (SSO) in SAP Systems
233 Exercise 6: Check Logon Procedure of ICF Service
235 Exercise 7: Activate HTTP Security Sessions

241 Unit 6: Security Monitoring with SAP Solution Manager
242 Lesson: Monitoring and Analyzing Security with SAP Solution Manager


Course Overview

TARGET AUDIENCE
This course is intended for the following audiences:
- Technology Consultant
- Executive


UNIT 1 Security Fundamentals

Lesson 1: Review Security Fundamentals 2

UNIT OBJECTIVES
- Ensure computer security


Unit 1, Lesson 1

Review Security Fundamentals

LESSON OVERVIEW
This lesson describes the security threats to a system and its security safeguards. It also explains how to categorize the security measures to secure the system environment.

Business Example
You need to have a basic understanding of the security threats to a system and the security measures that should be implemented. For this reason, you require the following knowledge:
- An understanding of computer security
- An understanding of security policies
- An understanding of security measures and the necessary steps to establish a secure system environment

LESSON OBJECTIVES
After completing this lesson, you will be able to:
- Ensure computer security

Introductions

Instructor Introduction

Student Introduction
- Your name and company name
- Part of business and project you represent
- SAP release currently implemented or implementing
- Status of project
- What products or services your company provides
- Class expectations

Session Best Practices
- Phones
  - Place your phone on mute except when talking to the instructor to eliminate background noise for other participants
- Access email and web sites only during breaks and after completion of exercises


Managing Questions:
- Use the Q and A pod to ask questions electronically
- Review the Ask a Question icon in My Status
- Ask for verbal questions at different points in lecture and demonstrations
- Some questions will be parked until later

Discussions on the Phone:
- Instructor will act as a moderator
- Speak clearly and loud enough so everyone can hear
- Only one conversation at a time

More Session Best Practices
- Be prompt returning from breaks and lunch
  - Restart times will be posted in meeting room
- Be considerate of and respect your fellow students
  - Remember every person learns at a different speed
  - Remember each student in class has a different SAP experience level

Additional Information
Documentation Website: http://help.sap.com
PGI Support Contact Information:
- Press *0 from within the audio conference
- Mail to: [email protected]
- Support hotline numbers: 1-800-368-1945 OR 1-800-234-7915
Note: Press option 2 for technical support and then press 1 for audio support or 2 for web support

    Computer Security ConceptsSafeguards, threats, and goals are closely related. Threats compromise certain security goals, whereas safeguards protect your system against certain threats. As a result, when implementing security, you need to consider the safeguards with reference to the goals and the threats.

    Security requirements for sensitive business data arise due to the following reasons:

- Protection of intellectual property
- Legal issues and contracts
- Trust relationship with business partners


- Continuous business operations
- Protection of image
- Correctness of data

Security can optimize administration processes in the following ways:
- Reduce the number of password resets when using Single Sign-On (SSO)
- Use digital signatures for approval processes

Some interesting facts from the 2010/2011 Computer Crime and Security Survey conducted by the Computer Security Institute (CSI):
- Malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it.
- Respondents reported markedly fewer financial fraud incidents than in previous years, with only 8.7 percent of respondents saying they had seen this type of incident during the covered period.
- Of the approximately half of respondents who experienced at least one security incident last year, fully 45.6 percent of them reported they'd been the subject of at least one targeted attack.
- Respondents said that regulatory compliance efforts have had a positive effect on their security programs.
- By and large, respondents did not believe that the activities of malicious insiders accounted for much of their losses due to cybercrime. 59.1 percent believe that no such losses were due to malicious insiders. Only 39.5 percent could say that none of their losses were due to non-malicious insider actions.
- Slightly over half (51.1 percent) of the group said that their organizations do not use cloud computing. Ten percent, however, say their organizations not only use cloud computing, but have deployed cloud-specific security tools.

The source of the data is CSI (http://www.gocsi.com). The aim of this survey is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

System Security Goals

The following goals are achieved through security measures:
- Availability
- Authentication
- Authorizations
- Confidentiality
- Integrity
- Non-repudiation

In detail, these goals entail:


Availability
Availability ensures that the users can access their resources whenever they need them. When determining your requirements with reference to the availability of resources, you should consider the costs that result from unplanned downtime, for example, loss of customers, costs for unproductive employees, and overtime. Some damage cannot fully be factored in terms of money, for example, loss of reputation.

Authentication
Authentication determines the real identity of the user. You can use the following authentication mechanisms in a system environment:
- Authentication using user ID and password
- Authentication using smart card
- Authentication using a smart card and PIN

Authorization
Authorization defines the rights and privileges of the identified user. It also determines the functions that a user can access. The application must be programmed to check whether or not a user is authorized before that user can access a particular function.

Confidentiality
Confidentiality ensures that the user's history and communication is kept confidential. Information and services need to be protected from unauthorized access. The authorizations to read, change, or add information or services must be granted explicitly to only a few users, and other users must be denied access. If you post something on the Internet, the confidentiality of that information is at risk.

Integrity
Integrity ensures that the user information, which has been transmitted or stored, has not been altered. Programs and services should execute successfully and provide accurate information. As a result, people, programs, or hardware components should not modify programs and services.

Nonrepudiation
Repudiation is the process of denying that you have done something, whereas nonrepudiation ensures that people cannot deny their actions.


Security Threats and Goals

Figure 1: Security Threats and Goals

The threats shown in the figure are only a set of commonly known threats. A major security threat is social engineering, where sensitive information is exposed casually or picked up without going through the correct channels.

Case Study: Social Engineering Threats

The case study is a good example, which shows the proper procedures that should be maintained for a secure environment.

A security consultant was asked to visit a large company and evaluate the security lapses in the company. The man with whom the consultant was supposed to work was quite busy and left the consultant alone, saying he would be back soon. After an hour, the consultant walked down to the computer room but could not get in because it was a secure room. When another employee arrived and swiped his own access card, the consultant was let into the computer room. While inside the secure room, the consultant saw a note card next to the terminal with the administrator password written on it; he logged on to the server.

The consultant worked on the computer for about 45 minutes. Then, an employee said that he and his coworkers were going out to lunch. The consultant was left alone in the computer room for another hour.

The security consultant finished his work and returned to the desk of the man with whom he was supposed to work. The man was apologetic and asked the consultant to return the next day. The security consultant replied that he was already finished working and that the company had numerous security lapses.

When considering security, do not think only of system attacks. Any untrained employee could also be a risk by performing unexpected or inappropriate system activities.


Examples of security threats:

Accidents
Unexpected system activities may occur if the system is handled by an inexperienced employee.

Environmental threats
Environmental threats, such as earthquakes, might compromise the availability of the system.

System penetration
Systems are penetrated when an unauthorized person gains access to them by guessing accounts and passwords.

Authorization violation
A person can violate authorizations and penetrate a system by misusing the current authorizations that were allocated or stolen. With some authorizations, the hacker is allowed to access the operating system, which allows transport of information and access to other operating system functions.

Planting of programs
A hacker may gain access to a system and plant a program to access the computer. For example, a hacker might use the program source code to create a new user to break into the system, or a hacker might eavesdrop without being detected.

Tampering of data
This occurs when a hacker grabs a connection and communicates with both the client and the server. After the hacker has grabbed the connection, the hacker can change the data.

Code injection
The dynamic nature of websites causes security holes which can be used to gain elevated access privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser. Cross Site Scripting (XSS) attacks are a special form of code injection. Another code injection technique is Structured Query Language (SQL) injection. An SQL injection attack consists of the insertion or injection of a SQL query through the input data from the client to the application.

Denial of service
A denial of service attack brings down the server and makes the server unavailable. There are several ways to make the server unavailable, such as cutting the network cable, physically destroying the server, or unplugging the server from the network.

Repudiation
A buyer could repudiate the fact that he or she purchased an item from an online store.

Message flooding
A hacker can deny service by flooding the system with messages so that the system cannot respond.

Masquerading


A person can masquerade as another user.

Spoofing
Programs can be written to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet and trick the network, because the true IP identity is concealed or disguised and it looks like the packet is coming from within the network. This process is known as spoofing.

Buffer overflow
An application can receive data that the application is not expecting or not prepared to receive. As a result, unpredictable results occur. This is known as buffer overflow and can lead to a vulnerability within the server.

Phishing
Acquiring sensitive information such as usernames, passwords, or credit card details by masquerading as a trustworthy entity is known as phishing.
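The SQL injection entry in the threat list above describes a query being inserted through client input data. The following is an added example, not code from the ADM900 handbook: the weak lookup that pastes client input into the SQL text beside the parameterized form that keeps it as data, run against a constructed in-memory SQLite table (the table, column names and sample rows are assumptions made for the example).

```python
"""Code injection (SQL injection) shown as the vulnerable lookup beside its
hardened form. Added example; the users table and its rows are constructed
sample data, not anything from the handbook.
"""
import sqlite3

# Constructed sample data: a small user table such as a web application might query.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def build_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weak form: client input is concatenated into the SQL text.

    Whatever the client sends becomes part of the statement, so input that
    contains SQL syntax is executed as SQL instead of being compared as a
    name. This is the 'insertion of a SQL query through the input data'
    that the lesson describes.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """The corrected form: a parameterized query.

    The SQL text is fixed at development time; the client value is bound
    as a parameter, so the database engine only ever treats it as a value
    to compare against, never as part of the statement.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def looks_like_injection(value):
    """Input check a defender can use for logging and alerting: a user name
    should not contain SQL quoting or comment characters. This supports
    detection; parameterization (above) is the actual safeguard."""
    return any(token in value for token in ("'", '"', ";", "--", "/*"))


if __name__ == "__main__":
    db = build_db()
    # Constructed input that carries SQL syntax in place of a user name.
    injected = "nobody' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, injected))  # every row is returned
    print("hardened:  ", lookup_hardened(db, injected))    # no such name: []
    print("flag input:", looks_like_injection(injected))  # True
```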

Threats in Client-Server Communication

Figure 2: Threats in Client-Server Communication

Due to the open and exposed communication architecture, client-server communication is vulnerable to attacks. The client communicates with the server across the network, where attackers can eavesdrop on, capture, and manipulate data. At the back-end system, applications and the operating system may contain security holes that attackers can take advantage of.

The threats shown in the figure also apply to the client. In most cases, clients are more difficult to control than servers.


Communication in Open Networks

Figure 3: Communication in Open Networks

On the Internet, there are several threats to consider because there are various components over which you have no control. The threats on the Internet are as follows:
- Network components of the Internet Service Provider (ISP)
- Domain Name System (DNS) servers
- Landscape of the communication partner

Threats in the digital world are similar to threats in the real world and are dangerous. Threats in the digital world are dangerous due to the following reasons:
- The attacks can be automated.
- The attacks can be executed remotely.
- The attacks can be performed by people with little knowledge of technology.


Security Safeguards

Figure 4: Safeguards

The figure shows a list of security safeguards.

Types of Security Safeguards

Figure 5: Types of Security Safeguards

Security safeguards can be categorized as follows:
- Technical safeguards, such as firewalls, cryptographic algorithms, and certificates
- Organizational safeguards, such as rules or guidelines
- Physical safeguards, such as fire detection, secured rooms, and buildings

To prevent physical damage, you should establish the following measures:


- Secure the buildings
- Secure the server rooms
- Lock the servers
- Use underground wires
- Install security cameras around the building
- Define policies to lock doors

Technical Safeguards

Figure 6: Technical Safeguards

There are measures available for most of the threats that have been described earlier. The figure does not represent all the possible threats and measures. It shows an example of how you can use security measures against various potential threats.

An important aspect of technical security is to regularly install security patches for applications and operating systems that are provided by vendors. Even though many security lapses can be fixed, customers and users still need to update their systems regularly.


Security Policies

    Figure 7: Security Policies

    A company or an organization needs to define a general security policy. From this general security policy, a detailed IT security policy is derived. The documents that describe the security configuration of specific components in the system landscape are then created.

    Security Implementation Cycle

    Figure 8: Security Implementation Cycle

    The figure shows how you can implement security. Analyze the risks to determine the security requirements and then look at the threats that are relevant. Determine the vulnerability to those threats and the appropriate safeguards for the threats.


As part of the risk analysis, conduct the following activities:
- Determine your security requirements with reference to availability, confidentiality, and integrity of data.
- Identify the threats that could compromise your security.
- Determine the relevance of a threat to your company (vulnerability).
- Determine the measures or safeguards to protect your system (after you know the risks).
- Measure the associated risk of a threat and the cost of securing your system against the risk. As a result, you can make a cost-benefit analysis.

The risk analysis process leads to creating Standard Operation Procedures (SOPs) and implementing safeguards. Prioritize the safeguards if there are constraints against implementing all of the safeguards at one time.

The security implementation cycle leads to monitoring, implementation, and education. This is not a linear process but a circular process with continuous enhancements. System upgrades and landscape changes mean that you must adapt your security measures accordingly and continuously.

Note: Security is an on-going process. You need to reassess your security policy regularly.
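The risk analysis steps above (requirements per goal, threats, vulnerability, safeguards, cost versus risk, prioritization under constraints) carried through in code, as an added example that is not part of the handbook. The threats, safeguards, likelihood and impact figures, costs and budget are constructed sample values, and the scoring model (risk = likelihood x impact, safeguards ranked by risk removed per unit cost) is an assumption chosen for illustration, not a method the handbook prescribes.

```python
"""Risk analysis and safeguard prioritization worked through in code.
Added example; all figures below are constructed, and the scoring model
(risk = likelihood x impact, greedy benefit-per-cost ordering) is assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    likelihood: float  # relevance of the threat to the company (vulnerability), 0..1
    impact: float      # cost if the goal (availability, confidentiality, integrity) is compromised

    @property
    def risk(self):
        return self.likelihood * self.impact


@dataclass
class Safeguard:
    name: str
    cost: float
    # threat name -> fraction of that threat's likelihood this safeguard removes
    reduction: dict = field(default_factory=dict)


def total_risk(threats, applied):
    """Residual risk once a set of safeguards is applied.

    Reductions from several safeguards against the same threat combine
    multiplicatively: what survives one safeguard still faces the next.
    """
    residual = 0.0
    for t in threats:
        remaining = t.likelihood
        for s in applied:
            remaining *= 1.0 - s.reduction.get(t.name, 0.0)
        residual += remaining * t.impact
    return residual


def prioritize(threats, safeguards, budget):
    """Greedy cost-benefit ordering: repeatedly pick the affordable safeguard
    with the largest risk reduction per unit cost until the budget is spent
    or nothing affordable still reduces risk. Returns (chosen, residual risk).
    """
    chosen, candidates, remaining_budget = [], list(safeguards), budget
    while candidates:
        base = total_risk(threats, chosen)
        best, best_ratio = None, 0.0
        for s in candidates:
            if s.cost > remaining_budget:
                continue  # constraint: cannot implement every safeguard at once
            benefit = base - total_risk(threats, chosen + [s])
            ratio = benefit / s.cost
            if ratio > best_ratio:
                best, best_ratio = s, ratio
        if best is None:
            break
        chosen.append(best)
        candidates.remove(best)
        remaining_budget -= best.cost
    return chosen, total_risk(threats, chosen)


# Constructed sample register, using threat and safeguard types named in the lesson.
THREATS = [
    Threat("system penetration", likelihood=0.4, impact=500_000),
    Threat("environmental (fire)", likelihood=0.05, impact=2_000_000),
    Threat("accident by untrained employee", likelihood=0.6, impact=50_000),
]
SAFEGUARDS = [
    Safeguard("security patches and firewall (technical)", 40_000,
              {"system penetration": 0.7}),
    Safeguard("fire detection in server room (physical)", 60_000,
              {"environmental (fire)": 0.8}),
    Safeguard("user training (organizational)", 10_000,
              {"accident by untrained employee": 0.5, "system penetration": 0.05}),
    Safeguard("smart card authentication (technical)", 120_000,
              {"system penetration": 0.5}),
]
BUDGET = 120_000


def run_analysis():
    """Return the safeguard names in priority order and the residual risk."""
    chosen, residual = prioritize(THREATS, SAFEGUARDS, BUDGET)
    return [s.name for s in chosen], residual


if __name__ == "__main__":
    print("initial risk:", total_risk(THREATS, []))
    order, residual = run_analysis()
    for i, name in enumerate(order, 1):
        print(f"{i}. {name}")
    print("residual risk:", round(residual, 2))
```

Rerunning the analysis after a system upgrade or landscape change means editing the register and calling `run_analysis()` again, which is the continuous reassessment the note above asks for.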

INTERACTIVE ELEMENT: Breakout Rooms

1. List the security measures implemented in your system environment.

LESSON SUMMARY
You should now be able to:
- Ensure computer security


Unit 1

Learning Assessment

1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company?
Choose the correct answer.

    X A Spoofing

    X B Code injection

    X C Social engineering

    X D Authorization misuse

2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.
Choose the correct answer.

    X A Structured Query Language (SQL) injection

    X B Cross Site Scripting (XSS)

    X C Spoofing

    X D Message flooding

    3. What are the various reasons for implementing security?

    4. List the measures that you can take to prevent physical damage to systems.

    5. Identify five threats to system security.


6. List the categories of security safeguards. Give examples for each category.


Unit 1

Learning Assessment - Answers

1. Employee X works in ABC Company and meets employee Y who works in PQR Company. They discuss some internal issues of ABC Company. Which threat does employee X pose to ABC Company?
Choose the correct answer.

    X A Spoofing

    X B Code injection

    X C Social engineering

    X D Authorization misuse

2. _________ is a process to modify the Internet Protocol (IP) address of the source of the Transmission Control Protocol/Internet Protocol (TCP/IP) packet.
Choose the correct answer.

    X A Structured Query Language (SQL) injection

    X B Cross Site Scripting (XSS)

    X C Spoofing

    X D Message flooding

    3. What are the various reasons for implementing security?

    Some reasons to implement security are: protection of intellectual property, legal issues and contracts, trust relationship with business partners, continuous business operations, protection of company image, and correctness of data.

    4. List the measures that you can take to prevent physical damage to systems.

    Some measures that you can take to prevent physical damage to systems are: secure the buildings, secure the server rooms, lock the servers, use underground wires, install security cameras around the building, and define policies to lock doors.


5. Identify five threats to system security.

    Some threats to system security are: penetration, authorization violation, planting, denial of service, and repudiation.

    6. List the categories of security safeguards. Give examples for each category.

    Categories of security safeguards are: technical safeguards such as firewalls, organizational safeguards such as rules or guidelines, and environmental safeguards such as fire detection.


    UNIT 2 Basic User Administration AS ABAP and AS Java

    Lesson 1: Implementing Basic User Administration AS ABAP 20

    Exercise 1: Create Users in AS ABAP 27
    Exercise 2: Work with Roles 35

    Lesson 2: Implementing Basic User Administration AS Java 42

    Exercise 3: Implement User and Group Administration 63

    UNIT OBJECTIVES
    - Implement user administration concept
    - Describe the authorization concept
    - Change login parameters and user information
    - Configure the User Management Engine (UME)
    - Describe user and group administration
    - Explain Java authorization concept


    Unit 2 Lesson 1

    Implementing Basic User Administration AS ABAP

    LESSON OVERVIEW
    This lesson explains the implementation of user administration in Application Server ABAP (AS ABAP).

    Business Example
    The users of the SAP system require user IDs with the appropriate authorizations to log on to the system. As an administrator, you need to set up user IDs for each user in the system. For this reason, you require the following knowledge:
    - An understanding of user administration
    - An understanding of user types and user groups
    - An understanding of authorization objects and authorization checks
    - An understanding of menus and authorizations in role maintenance
    - An understanding of users and roles
    - An understanding of login parameters

    LESSON OBJECTIVES
    After completing this lesson, you will be able to:
    - Implement user administration concept
    - Describe the authorization concept
    - Change login parameters and user information


    Basics of User Administration

    Figure 9: Users in the SAP Environment

    The concepts of user master record and authorization are important to obtain a better understanding of SAP systems.

    In an SAP environment, the term user usually means user ID. People log on to operating systems, databases, or the SAP system using a user/password combination. Operating systems, databases, and SAP systems usually have different authorization concepts.

    If a user name and password combination is created in an SAP system for a user, this does not mean that it is possible to log on to the operating system of a host with the same user name and password combination. However, it is possible that identical user name and password combinations are created for SAP systems and operating systems.

    Note: SAP work processes process the user requests. All these work processes use a common user to access the database.

    This lesson deals exclusively with SAP users that are used to log on to a client of an ABAP-based SAP system. Users and authorization data are client dependent.

    Access to the operating system level of the application server and database server must be protected. Otherwise, it might not be possible to use the SAP systems or the data could be damaged.


    Users and Authorizations

    Figure 10: Users and Authorizations

    You can log on to a client of an SAP system if you know the user name and password of a user master record, and if the user type is authorized for the logon type. For example, it is not possible to log on with a communication or system user in the dialog process.

    In an SAP system, there is an authorization check every time a transaction is called. If you attempt to start a transaction for which you are not authorized, the system rejects the transaction call and displays an appropriate error message.

    If you start a transaction for which you have authorization, the system displays the initial screen of this transaction. Depending on the transaction called, you enter data and perform actions on this screen. There may be additional authorization checks to protect the data and actions.


    User Master Record

    Figure 11: User Master Record

    User authorizations are assigned using roles (and sometimes through manual profiles, for example, SAP_NEW). The authorizations are combined in roles and the roles are entered in the user master record.

    User Type

    Figure 12: User Types

    The user type is an important property of a user. The following user types are available for different purposes:

    Dialog


    The Dialog user type is used for all logon types by just one person. During a dialog logon, the system checks for expired or initial passwords, and the user has the opportunity to change his or her password. Multiple dialog logons are checked and logged in the system.

    System

    The System user type is used for dialog-free communication within a system, for background processing within a system, or for Remote Function Call (RFC) users for various applications. The applications accessed using RFC include Application Link Enabling (ALE), Workflow, Transport Management System, and Central User Administration. It is not possible to use this type of user for a dialog logon. Users of this type are exempt from the usual settings for the validity period of a password. Only user administrators can change the password.

    Note: For more information about the incorrect user type for the UME communication user, see SAP Note 622464.

    Communications Data

    The Communications Data user type is used for dialog-free communication between systems. It is not possible to use this type of user for a dialog logon. The usual settings for the validity period of a password apply to users of this type.

    Service

    The Service user type is a dialog user that is available to a larger, anonymous group of users. In general, you should assign only highly restricted authorizations to users of this type. Service users are used, for example, for anonymous system access using an Internet Transaction Server (ITS) or Internet Communication Framework (ICF) service. The system does not check for expired or initial passwords during logon. Only the user administrator can change the password. Multiple logons are permitted.

    Reference

    The Reference user type is a general user and is not specific to a particular person. It is similar to the service user. You cannot use a reference user to log on. A reference user is used only to assign additional authorizations. You can assign a reference user to a dialog user using the Roles tab page.

    User Group

    User groups are used to distribute user maintenance among several user administrators or for mass maintenance of user data.

    A user group for authorization checks is required if you want to divide user maintenance among several user administrators. Only the administrator who has the authorization for this group can maintain users of this group. If you leave the field empty, the user is not assigned to any group. This means that any user administrator allowed to maintain any group can maintain the user. This assignment is part of the logon data in the user master record.

    For mass maintenance of user data (transaction SU10), users can be assigned to a user group on the Groups tab page. Assignments that you make on the Groups tab page are not used for the authorization checks that are specified on the Logon Data tab page using the User Group field. This is purely a grouping that is suitable for mass maintenance. User groups can be created in transaction Maintain User Groups (SUGR).

    INTERACTIVE ELEMENT: Chat

    1. Take 5 minutes and write some responses to the following question in your Participant Handbook:

    What are the different user types available in the SAP system and for what purpose are they used?

    User Maintenance

    To start user maintenance (transaction SU01), choose Tools → Administration → User Maintenance → Users in the SAP menu (transaction S000). You can create a new user master record by copying an existing user master record or creating a completely new one. The user master record contains all the data and settings that are required to log on to a client of the SAP system.

    The user master record data is divided into the following tab pages:

    Address
    This tab page contains all the address-related data.

    Logon data
    This tab page contains details such as password, validity period of the user, and user type. For further information about the password rules for special users, see SAP Note 622464.

    Secure Network Communications (SNC)
    This tab page contains the security functions (external product) that are not directly available, but have been prepared in SAP systems. Note the usage regulations for the country in which you want to use this function.


    Hint: The SNC tab page is not automatically displayed in every version of transaction SU01. This depends on the product/system/release and the Support Package (SP) level. This tab page becomes visible when you are using SNC and have activated the profile parameter snc/enable. For more information about using network security products, see SAP Note 66687.

    Defaults
    This tab page displays the default values, such as the default printer and the logon language.

    Parameters
    This tab page displays the user-specific values for standard fields in SAP systems.

    Roles and Profiles
    This tab page displays the roles and profiles assigned to the user.

    Groups
    This tab page is used for grouping users for mass maintenance.

    Personalization
    This tab page is used for applying personal settings. Some transactions require personal settings that affect the appearance of a particular transaction code. These settings can be stored (prepopulated) using personalization objects on this tab page.

    Note: The SAP application developer decides whether and when the personalization functions are available. There is no special Customizing switch that the customer has to activate. For SAP programs, any subsequent programming of this function is always a modification. As a result, subsequent programming of this function is rarely implemented in practice.

    License Data
    This tab page is used to specify the contractual user type of the user. The license data is required for system measurement.

    When creating a user, you must maintain at least the following input fields:
    - Last name on the Address tab page
    - Initial password and identical repetition of the password on the Logon Data tab page


    Unit 2 Exercise 1

    Create Users in AS ABAP

    Business Example
    You need to create new users.

    Create a user in client 100 with the name ADMIN, where is your group number.

    1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN.
    2. Maintain the first and last names of the user.
    3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the password to User Group for Authorization Check SUPER.
    4. Enter a default value for the logon language for the user (for example, EN or DE).
    5. Save the user master record.


    Unit 2 Solution 1

    Create Users in AS ABAP

    Business Example
    You need to create new users.

    Create a user in client 100 with the name ADMIN, where is your group number.

    1. Log on to client 100 in your SAP system, and create a user (master record) with the name ADMIN.
    a) Run transaction SU01.
    b) On the User Maintenance: Initial Screen, enter the name ADMIN in the User field, and choose the Create pushbutton.

    2. Maintain the first and last names of the user.
    a) On the Address tab page, enter the names in the Last name and First name fields.

    3. Assign the user an initial password. Make sure that you use the correct upper and lower case. Assign the password to User Group for Authorization Check SUPER.
    a) On the Logon Data tab page, enter the password in the Initial password field.
    b) Enter the password again in the Repeat password field.
    c) Enter SUPER in the User group field.

    4. Enter a default value for the logon language for the user (for example, EN or DE).
    a) On the Defaults tab page, enter EN for English or DE for German in the Logon Language field.

    5. Save the user master record.
    a) Save the changes.


    Authorization Objects and Authorization Checks

    Figure 13: Authorization Object

    To understand the ABAP authorization concept, you must have some knowledge of roles and authorization profiles in the user master record. You also need to understand how to create your own roles and authorizations.

    In an ABAP-based SAP system, authorization objects protect actions and access to data. The authorization objects are delivered by SAP and are in SAP systems. To provide a better overview, authorization objects are divided into various object classes.

    Authorization objects allow complex checks that involve multiple conditions. The conditions allow a user to perform an action. The conditions are specified in authorization fields for the authorization objects and are AND linked for the check.

    Authorization objects and their fields have descriptive and technical names. In the example shown in the figure, the authorization object User Master Maintenance: User Groups (technical name: S_USER_GRP) contains two fields, Activity (technical name: ACTVT) and User Group in User Master Record (technical name: CLASS). The authorization object S_USER_GRP protects the user master record. An authorization object can include up to 10 authorization fields.

    An authorization is always associated with exactly one authorization object and contains the values for the fields of the authorization object. An authorization is a permission to perform a certain action in the SAP system. The action is defined on the basis of the values for the individual fields of an authorization object. For example, Authorization B in the figure for the authorization object S_USER_GRP allows the display of all user master records that are not assigned to the user group SUPER. Authorization A, however, allows the display of records for this user group.

    There can be multiple authorizations for one authorization object. SAP delivers some authorizations, but most authorizations are created specifically for the customer's requirements.


    Authorization Check

    Figure 14: Authorization Check

    When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory, query using transaction SU56) of the application server. When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him or her to call the selected transaction. Authorization checks use the authorizations in the user context.

    If you assign new authorizations to the user, it may be necessary for this user to log on to the SAP system again to be able to use these new authorizations. (For more information, see SAP Note 452904 and the documentation for the parameter auth/new_buffering.)

    If the authorization check for calling a transaction was successful, the system displays the initial screen of the transaction. Depending on the transaction, the user can create data or select actions. When the user completes his or her dialog step, the data is sent to the dispatcher, which passes it to a dialog work process for processing.

    Authority checks (AUTHORITY-CHECK) that are checked during runtime in the work process are built into the coding by the ABAP developers for the data and actions that are to be protected. If the user context contains all required authorizations for the checks (return code = 0), the data and actions are processed and the next screen is displayed. Even if one authorization is missing, the data and actions are not processed and the user receives a message that his or her authorizations are insufficient. The value of the return code controls this step. In this case, the value of the return code is not equal to 0.

    All authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. You can call this a positive authorization concept.
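The AND-linking of fields within one authorization, the OR-linking of several authorizations for the same object, and the return-code behaviour of AUTHORITY-CHECK described in this section and the previous one can be tried out in a small model. The following Python is an added example written for this page; it is not SAP code, and the user buffer it builds (authorizations A, B and C for S_USER_GRP, the user group names and the values) is constructed. The return codes 0, 4 and 12 follow the documented meaning of sy-subrc after AUTHORITY-CHECK; a real ABAP check additionally validates the field names against the object definition, which the model omits.

```python
"""Model of the ABAP authorization check (constructed example, not SAP code)."""
from dataclasses import dataclass


@dataclass
class Authorization:
    """One authorization: a permission for exactly one authorization object.

    Field values are lists of value specs: an exact value, the full wildcard
    "*", a generic value with a trailing "*" (e.g. "FI*"), or an inclusive
    (low, high) range tuple.
    """
    name: str      # "A", "B", ... as in Figure 13 (label only)
    obj: str       # technical name of the object, e.g. "S_USER_GRP"
    fields: dict   # {"ACTVT": ["03"], "CLASS": ["SUPER"]}


def value_matches(spec, value: str) -> bool:
    """Does one field value spec cover the concrete value being checked?"""
    if isinstance(spec, tuple):        # (low, high) range, inclusive
        low, high = spec
        return low <= value <= high
    if spec == "*":                    # full authorization for this field
        return True
    if spec.endswith("*"):             # generic value such as "FI*"
        return value.startswith(spec[:-1])
    return spec == value               # single value


def authorization_grants(auth: Authorization, obj: str, wanted: dict) -> bool:
    """The fields of ONE authorization are AND-linked: every requested field
    must be covered by that same authorization."""
    if auth.obj != obj:
        return False
    return all(
        any(value_matches(spec, value) for spec in auth.fields.get(fname, []))
        for fname, value in wanted.items()
    )


def authority_check(user_buffer: list, obj: str, **wanted) -> int:
    """Return code in the convention of sy-subrc after AUTHORITY-CHECK:
    0 = passed, 4 = no matching authorization, 12 = no authorization for
    this object in the user buffer at all. Authorizations for the same
    object are OR-linked: one of them must satisfy all fields; field values
    are never combined across two authorizations."""
    for_obj = [a for a in user_buffer if a.obj == obj]
    if not for_obj:
        return 12
    return 0 if any(authorization_grants(a, obj, wanted) for a in for_obj) else 4


# Constructed user buffer of a user administrator (not from the course).
USER_BUFFER = [
    # Authorization A: display (ACTVT 03) users of group SUPER
    Authorization("A", "S_USER_GRP", {"ACTVT": ["03"], "CLASS": ["SUPER"]}),
    # Authorization B: display users of other groups (exact, generic, range)
    Authorization("B", "S_USER_GRP",
                  {"ACTVT": ["03"], "CLASS": ["USER", "FI*", ("HR00", "HR99")]}),
    # Authorization C: create/change (01/02) users of group USER only
    Authorization("C", "S_USER_GRP", {"ACTVT": ["01", "02"], "CLASS": ["USER"]}),
]


if __name__ == "__main__":
    # Positive concept: nothing is forbidden explicitly, it is simply not
    # granted. Changing a SUPER user fails although A covers SUPER and C
    # covers ACTVT 02, because no single authorization covers both.
    print(authority_check(USER_BUFFER, "S_USER_GRP", ACTVT="03", CLASS="SUPER"))  # 0
    print(authority_check(USER_BUFFER, "S_USER_GRP", ACTVT="02", CLASS="SUPER"))  # 4
    print(authority_check(USER_BUFFER, "S_TCODE", TCD="SU01"))                    # 12
```

The second check is the instructive one: authorization A covers user group SUPER and authorization C covers activity 02, yet changing a SUPER user is rejected, because the values of different authorizations are never combined during the check. That is the positive authorization concept in practice: nothing forbids the action, it simply was never granted.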


    Role Maintenance Menus and Authorizations

    Figure 15: Role Maintenance

    Role maintenance (transaction PFCG, previously also called Profile Generator) simplifies the creation of authorizations and their assignment to users. In role maintenance, the transactions that the company requires are selected from the company's point of view. Role maintenance creates authorizations with the required field values for the authorization objects that are checked in the selected transactions.

    A role can be assigned to various users. Changes to a role, therefore, have an effect on multiple users. Users can be assigned various roles.

    Menu Layout

    Figure 16: Menu Layout


    The user menu comprises role menu(s) and contains entries that are assigned to the user through the roles. Examples of such entries include transactions, URLs, and reports.

    You can access role maintenance with transaction PFCG or by choosing Tools → Administration → User Maintenance → Role Administration → Roles. Enter the name of the role, and choose Create or Change. Choose the Menu tab page.

    Select and change functions by adjusting the menu tree for the individual roles, as required. You can also insert or delete transactions into or from the tree structure. By choosing the function Report in the dropdown menu of the Insert pushbutton, you can integrate reports. In this case, role maintenance creates transaction codes (if they do not already exist) with which the reports can be called. By choosing the function Web address or file in the dropdown menu of the Insert pushbutton, you can add Internet addresses or links to files (such as tables or text files). When integrating files, you must use storage paths instead of URLs. You can also specify Business Warehouse (BW) Web Reports and links to external mail systems and the Knowledge Warehouse (KW).

    In the change menus, you can create, move, delete, and rename directories and subdirectories, as required. You can use the function Drag & Drop in role maintenance.

    Authorization Profiles Generation

    Figure 17: Generating Authorization Profiles

    Role maintenance automatically creates the authorizations associated with the transactions specified in the menu tree. However, all authorization values must be manually checked and adjusted, if required, in accordance with the actual requirements and authorities. The system administrator is responsible for this task, together with the appropriate user department. When using organizational levels, you do not carry out maintenance directly in the field but by means of the Organizational Levels pushbutton (CTRL+F8).

    Choose the Authorizations tab page and then choose the Display Authorization Data or Change Authorization Data pushbutton, depending on the maintenance mode. Check the scope and contents of the authorizations.


    If the system has proposed these authorizations, a green traffic light in the authorization overview indicates that role maintenance has supplied at least one proposal for each authorization field.

    A yellow traffic light indicates that the authorization must be manually maintained after it has been created. Role maintenance does not provide a default value for the authorization. For example, when files are accessed, role maintenance cannot determine whether data access should only be read access or read and write access.

    Some fields appear in many authorizations. A number of important fields are, therefore, combined into organizational levels, such as the company code. If you maintain an entry for the organizational level using the Organizational Levels pushbutton, you can then maintain all the fields in which it appears in one go. A red traffic light indicates an unmaintained organizational level.

    When all authorizations are maintained as required, the authorization profile can be generated by choosing Generate. The authorizations are combined into profiles. The system proposes a profile name; after the profile has been generated, this name cannot be changed.

    Note: The second character of the profile name must not be an underscore (_) (see SAP Note 16466).

    The profiles must be entered in the user master record (by the role maintenance) for the authorizations to take effect for the user. This is called user master record comparison.

    Users and Roles

    Figure 18: Assigning Roles to Users

    The assignment of users to roles is performed in the role maintenance transaction (transaction PFCG) or in the user maintenance transaction (transaction SU01). Choose the User tab page and the user IDs to be maintained. When selecting user IDs, the system uses the current date as the start of the validity period of the assignment and sets 31.12.9999 as the end date. You can change both values.


    Users can be linked to more than one role. This can be useful if some activities, such as printing, are to be permissible across roles. The assignment of roles to users does not automatically grant the corresponding authorizations to the users. To assign the authorizations, you must perform a user master record comparison, during which the profiles assigned to the roles are entered in the user master record.

    User Master Record Comparison

    Figure 19: User Master Record Comparison

    A user master record comparison determines whether authorization profiles should be added or removed from the current user based on his or her role assignment. During comparison, profiles are added to a user master record due to roles that have been added. If role assignments are manually or time-dependently removed, the corresponding authorization profiles are deleted from the user master record.

    The comparison can be individually performed for every role. Select the role in role maintenance. Choose the User tab page, and choose User comparison. In the dialog box that the system displays, choose Complete comparison.

    If multiple role assignments are to be updated, you can perform a corresponding comparison in role maintenance by choosing Utilities → Mass comparison (transaction PFUD). You can individually specify the desired roles or update all assignments by entering the asterisk (*) character.

    You can also activate the periodic user master record comparison in role maintenance by choosing Utilities → Mass comparison. Select the Schedule or check job for full reconciliation option. The system then displays a search window for the background job PFCG_TIME_DEPENDENCY. If it does not find a corresponding job, you can create a new one. The default value is that the comparison of all user master records takes place once every day.
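Added example, not part of the course material: a Python model of what the user master record comparison does with role assignments and their validity periods, and why a role assignment alone grants nothing. The role, profile and user names (BC_ENDUSER, T-CONSTRUCTED1, ADMIN00) and the dates are constructed; the manually assigned profile SAP_NEW is kept outside the comparison, as the User Master Record section describes.

```python
"""Model of the user master record comparison (constructed example, not SAP code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

PFCG_DEFAULT_END = date(9999, 12, 31)   # end date PFCG sets for a new assignment


@dataclass
class Role:
    name: str
    profile: str          # generated authorization profile of the role


@dataclass
class RoleAssignment:
    role: Role
    valid_from: date
    valid_to: date = PFCG_DEFAULT_END

    def is_valid_on(self, day: date) -> bool:
        return self.valid_from <= day <= self.valid_to


@dataclass
class UserMasterRecord:
    user_id: str
    assignments: list = field(default_factory=list)
    manual_profiles: set = field(default_factory=set)   # e.g. SAP_NEW, entered by hand
    role_profiles: set = field(default_factory=set)     # filled only by a comparison

    def effective_profiles(self) -> set:
        """What the authorization checks actually see."""
        return self.manual_profiles | self.role_profiles


def assign_role(user: UserMasterRecord, role: Role, valid_from: date,
                valid_to: date = PFCG_DEFAULT_END) -> None:
    """User tab in PFCG / Roles tab in SU01: records the assignment only.
    The profile is NOT effective until a comparison has run."""
    user.assignments.append(RoleAssignment(role, valid_from, valid_to))


def user_master_comparison(user: UserMasterRecord, today: date):
    """Complete comparison for one user: add the profiles of roles that are
    valid today, remove the profiles of roles that were removed or expired.
    Returns (added, removed) so a job log could report them."""
    wanted = {a.role.profile for a in user.assignments if a.is_valid_on(today)}
    added = wanted - user.role_profiles
    removed = user.role_profiles - wanted
    user.role_profiles = wanted
    return added, removed


def mass_comparison(users: list, today: date) -> dict:
    """What PFUD / the daily job PFCG_TIME_DEPENDENCY does for all users."""
    return {u.user_id: user_master_comparison(u, today) for u in users}


def demo() -> dict:
    """Lifecycle of one constructed role assignment, step by step."""
    today = date(2024, 1, 15)                          # constructed "today"
    admin = UserMasterRecord("ADMIN00", manual_profiles={"SAP_NEW"})
    bc_enduser = Role("BC_ENDUSER", "T-CONSTRUCTED1")  # placeholder profile name
    assign_role(admin, bc_enduser, valid_from=today)
    before = admin.effective_profiles()                # assigned, not yet effective
    added, _ = user_master_comparison(admin, today)
    after = admin.effective_profiles()
    admin.assignments[0].valid_to = today              # assignment ends today
    _, removed = mass_comparison([admin], today + timedelta(days=1))["ADMIN00"]
    return {"before": before, "added": added, "after": after,
            "removed": removed, "final": admin.effective_profiles()}
```

The `before` value in `demo()` is the point of the exercise note "A user master comparison has not yet been performed": the role is already on the User tab, but the user still has nothing beyond the manual profile until the comparison copies the generated profile into the master record. The next day's mass comparison removes it again once the validity period has ended.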


    Unit 2 Exercise 2

    Work with Roles

    Business Example
    Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations.

    Task 1
    Copy a role template and assign it to a user.

    1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER.
    2. Check the transactions assigned for the user menu with this role.
    3. Check the authorizations for the role and maintain open authorizations, if necessary.
    4. Assign the role to user ADMIN, and save your settings.
    5. Perform a user comparison.

    Task 2
    Check the user ADMIN.

    1. Log on to the SAP system with the user ADMIN and your chosen password. Check whether the user can execute the transactions you assigned.


    Unit 2 Solution 2

    Work with Roles

    Business Example
    Authorizations for users are created using roles and profiles. Administrators create the roles, and the system supports them by creating the associated authorizations.

    Task 1
    Copy a role template and assign it to a user.

    1. Choose the single role SAP_BC_ENDUSER that was delivered. Copy this completely to your role BC_ENDUSER.
    a) Run transaction PFCG.
    b) On the Role Maintenance screen, enter SAP_BC_ENDUSER in the Role field.
    c) Choose the Copy Role pushbutton.
    d) Enter BC_ENDUSER in the to role field in the Query dialog box that appears.
    e) Choose the Copy all pushbutton.

    2. Check the transactions assigned for the user menu with this role.
    a) On the initial screen of transaction PFCG, choose the Change pushbutton. Alternatively, choose Role → Change for the role BC_ENDUSER.
    b) On the Menu tab page, choose the Search pushbutton.
    c) Expand Basis Functions.

    3. Check the authorizations for the role and maintain open authorizations, if necessary.
    a) On the Authorizations tab page, choose the Change Authorization Data pushbutton.
    b) Check the authorizations for the role and maintain open authorizations, if necessary. For example, choose the yellow traffic light pushbutton and confirm the system query (whether full authorization should be assigned with Execute).
    c) On the Change Roles: Authorizations screen, choose the Generate pushbutton and save the profile settings.
    d) Accept the proposed profile name in the process. Confirm the message and exit from the Change Roles: Authorizations screen.

    Note: You do not need to save again because this was already performed with the Generate function.

    4. Assign the role to user ADMIN, and save your settings.


    a) On the User tab page, enter ADMIN in the User ID field.
    b) Save your settings.

    A user master comparison has not yet been performed, however (see the next subtask). If the user ADMIN does not exist, create a user with this name in transaction SU01 in a new session.

    5. Perform a user comparison.
    a) Choose the User Comparison pushbutton and then choose the Complete comparison pushbutton.
    b) Exit and go back to the initial screen for PFCG, and save the data.

    Task 2
    Check the user ADMIN.

    1. Log on to the SAP system with the user ADMIN and your chosen password. Check whether the user can execute the transactions you assigned.
    a) Log on to the SAP system with the user ADMIN.
    b) Switch to the user menu, and execute some of the assigned transactions.


    Login Parameters

    Figure 20: System Parameters for User Logons 1

    This section deals with authorizations in the SAP system from an operational point of view. The following questions are considered when dealing with login parameters:
    - Which system settings can be used to influence logon behavior?
    - How can errors and problems be analyzed?

    You can set the minimum length for passwords with the parameter login/min_password_lng. The parameters login/min_password_digits, login/min_password_letters, login/min_password_lowercase, login/min_password_uppercase, and login/min_password_specials specify the minimum number of digits, letters, lowercase letters, uppercase letters, or special characters that a password must contain.

    The parameter login/password_expiration_time specifies the number of days after which a user must set a new password. If the parameter is set to 0, the user does not need to change his or her password.

    The general rules for a password that cannot be deactivated are as follows:
    - A password must not begin with ? or !.
    - A password must not be the keyword pass.

    Hint: The setting that determines that users must create a new password that differs from the previous five passwords they have entered is no longer mandatory. You can use the parameter login/password_history_size to set the history from between 1 and 100. The proposed standard value remains 5.

    You can define additional password restrictions in the table USR40. SAP Web Application Server 6.20 and 6.40 offered the parameters login/password_max_new_valid and login/password_max_reset_valid. They specified how long an initial password for a newly created user or a password that was reset by an administrator was valid. With SAP NetWeaver AS 7.0, they have been replaced by the parameter login/password_max_idle_initial.

    Hint: The parameter login/password_max_idle_initial indicates the maximum length of time during which an initial password (a password that the user administrator selects) remains valid if it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

    Caution: If you are using a Basis release prior to 6.20, the system may behave in a manner you do not expect with the parameters login/password_max_reset_valid and login/password_max_new_valid. Check SAP Note 450452 beforehand to see which settings are possible for your particular release level.

    Another new parameter in SAP NetWeaver AS 7.0 is login/password_max_idle_productive. This indicates the maximum length of time a productive password (a password that the user chooses) remains valid when it is not used. Once this period expires, the password can no longer be used for authentication. The user administrator can reactivate the password logon by assigning a new initial password.

    With the parameter login/min_password_diff, the administrator can determine the number of different characters a new password must possess in comparison with the old one when users change their passwords. This parameter does not take effect when a new user is created or passwords are reset (initial password).

    System Parameters for User Logons 2/2

    Figure 21: System Parameters for User Logons 2


    You can set the number of failed logon attempts after which the SAP GUI session is terminated using the parameter login/fails_to_session_end. If the user wants to try again, he or she must restart the SAP GUI. You can set the number of failed logon attempts after which a user is locked in the SAP system using the parameter login/fails_to_user_lock. The failed logon counter is reset after a successful logon attempt.

    Hint: At midnight (server time), users that were locked as a result of incorrect logon attempts are no longer automatically unlocked by the system (default value since SAP NetWeaver 7.0). You reactivate this automatic unlocking with the parameter login/failed_user_auto_unlock = 1.

    The administrator can unlock, lock, or assign a new password to users in user maintenance (transaction SU01). If the parameter login/disable_multi_gui_login is set to 1, a user cannot log on to a client more than once. This can be desirable for system security reasons. If the parameter is set to 1 and the user logs on again, the user has the option either to continue with this logon and end all other logons in the system, or to terminate this logon. Users to whom this should not apply are specified in the parameter login/multi_login_users; separate the user names with commas and no spaces.
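    The following Python model is an added illustration of how the logon parameters described above interact; it is not SAP code. The parameter names are the profile parameters from this lesson, the values are constructed, and the way login/min_password_diff counts differing characters (position by position, plus any length difference) is an assumption, since the exact comparison is not documented here.

```python
"""Added illustration (not SAP code) of the AS ABAP logon-parameter behaviour.

Parameter names are the profile parameters from the lesson; the values are
constructed, and the positional comparison in password_diff_ok() is an
assumption about how login/min_password_diff counts differences.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed profile values, as you would maintain them in an instance profile.
PROFILE = {
    "login/fails_to_session_end": 3,           # SAP GUI session ends after 3 failures
    "login/fails_to_user_lock": 5,             # user is locked after 5 failures
    "login/failed_user_auto_unlock": 0,        # 0 = locks survive midnight (7.0 default)
    "login/password_max_idle_initial": 14,     # days an unused initial password stays valid
    "login/password_max_idle_productive": 90,  # days an unused productive password stays valid
    "login/min_password_diff": 3,
}


@dataclass
class UserMaster:
    name: str
    initial_password: bool       # True = set by an administrator, False = chosen by the user
    password_last_used: datetime
    failed_logons: int = 0       # consecutive failures; reset by a successful logon
    session_failures: int = 0    # failures within the current SAP GUI session
    locked: bool = False


def password_idle_expired(user, now, profile=PROFILE):
    """login/password_max_idle_initial|productive: an unused password is no longer accepted."""
    key = ("login/password_max_idle_initial" if user.initial_password
           else "login/password_max_idle_productive")
    return now - user.password_last_used > timedelta(days=profile[key])


def record_failed_logon(user, profile=PROFILE):
    """Apply one failed logon. Returns 'locked', 'session_end' or 'retry'."""
    user.failed_logons += 1
    user.session_failures += 1
    if user.failed_logons >= profile["login/fails_to_user_lock"]:
        user.locked = True
        return "locked"
    if user.session_failures >= profile["login/fails_to_session_end"]:
        # The user must restart SAP GUI; the user-level counter persists.
        user.session_failures = 0
        return "session_end"
    return "retry"


def record_successful_logon(user, now):
    """A successful logon resets the failed logon counter."""
    user.failed_logons = 0
    user.session_failures = 0
    user.password_last_used = now


def midnight_unlock_job(user, profile=PROFILE):
    """Locks from failed logons are lifted at midnight only if login/failed_user_auto_unlock = 1.
    Returns True if the user was unlocked."""
    if user.locked and profile["login/failed_user_auto_unlock"] == 1:
        user.locked = False
        user.failed_logons = 0
        return True
    return False


def password_diff_ok(old, new, profile=PROFILE):
    """login/min_password_diff, assuming a positional comparison of old and new password."""
    differing = sum(1 for a, b in zip(old, new) if a != b) + abs(len(old) - len(new))
    return differing >= profile["login/min_password_diff"]


def demo():
    """Walk one constructed user through five failed logons."""
    now = datetime(2013, 6, 1, 9, 0)
    user = UserMaster("ADM900-01", initial_password=True,
                      password_last_used=now - timedelta(days=15))
    results = [record_failed_logon(user) for _ in range(5)]
    return password_idle_expired(user, now), results, user


if __name__ == "__main__":
    expired, results, user = demo()
    print("initial password idle-expired:", expired)
    print("logon attempt results:", results, "locked:", user.locked)
```

    With these values the third failure ends the SAP GUI session while the user-level counter keeps counting, the fifth failure locks the user, and the nightly job leaves the lock in place unless login/failed_user_auto_unlock is set to 1.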


    LESSON SUMMARY
    You should now be able to:
    - Implement the user administration concept
    - Describe the authorization concept
    - Change login parameters and user information


    Unit 2, Lesson 2

    Implementing Basic User Administration AS Java

    LESSON OVERVIEW
    This lesson provides an overview of the User Management Engine (UME) and UME configuration. This lesson also presents the tools for the administration of users and groups. In addition, the lesson describes how authorizations control which functions are permitted for a user and how these authorizations are assigned to a user.

    Business Example
    You use Application Server ABAP (AS ABAP) and Application Server Java (AS Java)-based systems. You want to ensure consistent user master data within a heterogeneous system landscape. For this reason, you require the following knowledge:
    - An understanding of UME data source(s) and parameters
    - An understanding of user and group administration
    - An understanding of UME roles and JEE security roles

    LESSON OBJECTIVES
    After completing this lesson, you will be able to:
    - Configure the User Management Engine (UME)
    - Describe user and group administration
    - Explain the Java authorization concept

    Basics
    AS Java provides an open architecture supported by service providers for the storage of user and group data. AS Java is supplied with the following service providers (user stores):
    - Database Management System (DBMS) provider: used for storage in the system database.
    - Universal Description, Discovery and Integration (UDDI) provider: used for storage with external service providers.
    - UME provider: used to connect the integrated UME.

    The DBMS and UDDI providers implement standards and, therefore, ensure that AS Java is Java 2 Enterprise Edition (J2EE)-compliant. When AS Java is installed, SAP's own UME is always set up as the user store and is the preferred choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts.

    Important features of the UME:

    The UME has its own administration console for administering users. It allows the administrator to perform routine tasks of user administration, such as creating users and groups, role assignment, and other actions.

    The UME provides security settings that can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked.

    The UME provides different self-service scenarios that applications can use. For example, a user can change his or her data or register as a new user. Newly created users can be approved using a workflow.

    The UME uses an export or import mechanism by which user data can be exchanged with other (AS Java or external) systems.

    The UME logs important security events, such as a user's successful logons or incorrect logon attempts, and changes to user data, groups, and roles.

    User Store and Data Sources

    Figure 22: User Store and Data Sources

    The UME supports the following data sources where user data can be stored:
    - System database
    - Directory service (Lightweight Directory Access Protocol (LDAP) server)
    - ABAP-based SAP system (as of SAP Web AS 6.20)


    Architecture of the UME

    Figure 23: Architecture of the UME

    The figure shows the architecture of the UME. The UME is a Java application that runs on AS Java. The UME covers the following functional areas:

    UME core layer
    The UME core layer provides persistence managers between the application programming interface (API) and the user management data sources. The persistence managers control where user data such as users, user accounts, groups, roles, and their assignments is read from or written to. Therefore, the applications that use the API do not have to know where the user management data is stored.

    UME API layer
    The UME API layer provides APIs not just for UME developers but also for customers and partners. This means that you can access the UME functions from Java programs that you develop yourself.

    UME services
    The UME provides the following services to higher-level software layers:
    - Logon procedure and Single Sign-On (SSO) (a logon to AS Java is taken over by other systems and vice versa)
    - Provisioning processes through user master data
    - Authorization concept

    UME UI
    The UME is responsible for the UI that appears in the web browser in some logon procedures. The UME is also responsible for the UI of the UME administration console.

    The SAP NetWeaver usage types that are based on AS Java, such as SAP NetWeaver Portal, are based on the UME and perform a number of specific functions on this basis. Examples of specific functions include self-registration with an approval workflow.

    Data Partitioning

    Figure 24: Data Partitioning

    The UME persistence manager offers the option of storing user data in different data sources. The UME persistence manager also supports data partitioning. This means, for example, that user data for different user types can be stored in different data sources. In practice, you often work with a combination of data sources, such as database and directory service, or database and ABAP user management. With a combination of data sources, you can separate user attributes into different data sources or separate users by their categories (internal or self-registered users). The different types of data partitioning are as follows:

    Attribute-based data partitioning
    With attribute-based data partitioning, a user in the UME has certain attributes, some of which are classified as global attributes (such as user ID and telephone number) and others as application specific. The system typically stores the global information in a directory service and the application-specific information in the database.

    User-based data partitioning
    With user-based data partitioning, the data source in which users are stored depends on the category of the user (self-registered or internal users). For example, users who register by self-service can be stored in the database and internal users can be stored in the directory service.

    Type-based data partitioning
    With type-based data partitioning, different object types can be distributed to different data sources. Examples of object types are users, groups, roles, and user accounts. For example, users can be stored in the directory service and roles in the database.

    SAP delivers preconfigured data source combinations, which you should change only in special cases. For example, if you are using a directory service as a data source, you may need to perform attribute mapping. You generally use the delivered preconfigured data source combinations without additional changes.

    Data Source(s)

    Figure 25: Data Source(s) After Installation

    The data source(s) stored in the AS Java database are configured in the form of configuration files (in XML format). In most cases, the installation option is retained, or the configuration of data sources is done immediately after AS Java installation. The data source that is set up during AS Java installation depends on the SAP NetWeaver usage type:

    Usage Type               Data Source       Configuration File
    AS Java (without ABAP)   System database   dataSourceConfiguration_database_only.xml
    AS ABAP + Java           ABAP system       dataSourceConfiguration_abap.xml


    Supported Change Options

    Figure 26: Supported Change Options

    Modifying data sources after installation can result in inconsistencies. Therefore, certain restrictions apply to the modification of UME data sources. The figure explains the supported modification options.

    Hint: Please make sure that you observe SAP Note 718383.

    The following changes are supported in UME data sources:

    System database (dataSourceConfiguration_database_only.xml)
    You can switch to any required LDAP configuration file (dataSourceConfiguration_[ldap description]_db.xml) or to an ABAP system (dataSourceConfiguration_abap.xml). In this case, you must make sure that the new data source does not contain any users or groups with the same unique attributes as in the database. For example, the new data source must not contain any users or groups with the same unique name or ID as the users or groups in the database.

    ABAP system (dataSourceConfiguration_abap.xml)
    No change is possible.

    Directory service (dataSourceConfiguration_[ldap description]_db.xml)
    If you have selected an LDAP directory as the user data source, you can modify the structure of the LDAP directory or switch to a different LDAP directory, provided this does not modify any unique user IDs.


    Example of a Heterogeneous System Landscape

    Figure 27: Example of a Heterogeneous System Landscape

    The figure shows a complex system landscape with AS ABAP, AS Java, and non-SAP systems. In this type of heterogeneous landscape with SAP and non-SAP systems, it is useful to use a directory service as the primary storage location for user data. As shown in the figure, the ABAP systems are administered with Central User Administration (CUA). CUA synchronizes user data with the directory service. For the AS Java systems, the directory service is configured as the data source. Non-SAP systems also have access to user data through the directory service.


    SAP NetWeaver Identity Management

    Figure 28: SAP NetWeaver Identity Management

    In SAP NetWeaver Identity Management, SAP provides integrated, business process-driven identity management functions for a heterogeneous system landscape. SAP NetWeaver Identity Management uses a central identity store to consolidate and save data from various source systems (for example, SAP ERP Human Capital Management (SAP ERP HCM)). This information is distributed to connected target systems: user accounts and role assignments for SAP and non-SAP applications are distributed, and role assignments can be automated using rule definitions. An important function of SAP NetWeaver Identity Management is the option of making authorization assignment workflow-controlled. Integration with SAP ERP HCM as one of the possible source systems for identity information is a key function for business process-driven identity management.

    Note: For more information about SAP NetWeaver Identity Management, see the SAP Developer Network (https://www.sdn.sap.com/irj/sdn/nw-identitymanagement).


    Tools for UME Configuration (Viewing and Modifying)

    Figure 29: Tools for UME Configuration (Viewing and Modifying)

    The figure lists the tools with which you can display and change the UME configuration.

    Note: For more information about global settings for UME properties, see SAP Note 948654.

    The tools to view and modify the UME configuration are as follows:

    UME administration console
    You can use the UME administration console running in the web browser to modify selected settings even without knowing the technical parameter names (path: http(s)://<host>:<port>/useradmin → Configuration).

    Hint: Many settings do not require a restart. If a restart is necessary, you are notified accordingly after you save the properties.

    Hint: As of 7.20, an Expert mode is available in the configuration area, which enables you to maintain most of the UME properties.

    Configuration tool (Configuration Editor mode)


    You are able to access all the UME settings only in the Configuration Editor mode (path: cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties).

    SAP NetWeaver Administrator, Java Configuration Browser
    You can use the SAP NetWeaver Administrator running in the web browser to view all the UME parameters (including a tooltip with descriptive text). Choose Configuration → Infrastructure → Java Configuration Browser and then cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → properties.

    Note: In the SAP NetWeaver Administrator, you can also view the UME parameters (choose Configuration → Infrastructure → Java System Properties → Overview). Select a template or an instance there. Then, select the service User Management Engine on the Services tab page. The UME parameters are now selected. Do not change any values here; use the global change options instead.

    SAP NetWeaver Administrator, Authentication
    As of SAP NetWeaver AS 7.11, some UME parameters regarding logon can be changed online in the SAP NetWeaver Administrator by choosing Configuration → Security → Authentication and Single Sign-On → Properties.

    UME Configuration iView
    If the usage type EP Core has been installed in your SAP NetWeaver system, you can use the portal interface to access an iView for UME configuration. This offers setting options similar to the UME administration console (portal path: System Administration → System Configuration → UME Configuration).

    Caution: Before you make any changes to the UME configuration, you should first back up the current configuration. You can do this using a function in the UME administration console (User Management → Configuration → Support → Download Configuration ZIP File), which saves the current configuration data in a ZIP file. This file allows you to record and trace the changes. However, it is not intended to be reimported into AS Java.

    The steps to perform various advanced settings in Configuration Editor mode are as follows:
    1. Stop all the Java instances in your system.
    2. Start the Configuration Tool.
    3. Switch to the Configuration Editor mode.
    4. Switch to change mode.


    5. Choose cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties and double-click Propertysheet properties.
    6. Make the required changes (Apply Custom).
    7. Start the Java instances on the system.

    Displaying the Active Data Source

    Figure 30: Displaying the Active Data Source

    The figure shows how you can find out the current active data source in the Offline Configuration Editor mode.


    UME Parameters

    Figure 31: Functions of the UME Parameters

    After you have selected and configured a data source, there are many other parameters with which you can influence the behavior of the UME. The figure provides an overview of the relevant areas.

    The important UME parameters fall into the following areas:
    - Data source(s)
    - Security policy
    - E-mail notification
    - Logging on and off
    - SAP logon ticket
    - Groups
    - Administration

    The following table shows the data source(s) parameter:

    Data Source(s) Parameter / Description

    ume.persistence.data_source_configuration
        Name of the UME configuration file (depending on the data source, other parameters may be relevant for connecting the data source)

    The following table shows the various security policy parameters:


    Security Policy Parameter / Description

    ume.logon.security_policy.auto_unlock_time
        Number of minutes after which a user locked because of invalid logon attempts is unlocked again (if the value is 0, the user remains locked)

    ume.logon.security_policy.lock_after_invalid_attempts
        Number of invalid logon attempts after which a user is locked (automatically set to 0 in an AS ABAP+Java system)

    ume.logon.security_policy.password_special_char_required
        Minimum number of special characters that the password must contain

    ume.logon.security_policy.password_alpha_numeric_required
        Minimum number of numeric and alphabetical characters that the password must contain (for example, if the number is three, the password must contain at least three digits and three letters)

    ume.logon.security_policy.password_expire_days
        Number of days before the password expires

    ume.logon.security_policy.password_max_length or ume.logon.security_policy.password_min_length
        Maximum or minimum length of the password

    ume.logon.security_policy.useridmaxlength or ume.logon.security_policy.useridminlength
        Maximum or minimum length of the user ID

    There are different security policy profiles, for example, Default and Technical User. The properties of the profile Technical User are hard-coded and cannot be changed. You can view the properties by selecting the profile in useradmin → Configuration → Security Policy. Changes to the properties of the Default security policy profile affect the properties listed in the security policy parameters table, and vice versa. You can create your own security policy profiles with property settings that differ from the Default security policy profile. You can view and maintain these settings only in the simple mode; they are not accessible through the Expert mode or the Configuration Editor mode of the Configuration Tool. In the UME administration console, you can maintain users and assign them security policy profiles. Therefore, you can have users with different values of the security policy properties. By default, the Default security policy profile is assigned to a user.

    E-mail Notification
    You can configure the UME so that in certain situations (for example, after locking a user) it sends e-mails through an external Simple Mail Transfer Protocol (SMTP) server. For this to be possible, you need to store valid e-mail addresses in the user master records. The following table shows the various e-mail notification parameters:

    E-mail Notification Parameter / Description

    ume.notification.mail_host
        Name of the SMTP server for the e-mail notification


    ume.notification.create_performed or ume.notification.delete_performed
        The user receives an e-mail as soon as the administrator creates or deletes the user

    ume.notification.create_approval or ume.notification.create_denied
        The user receives an e-mail as soon as the administrator approves or rejects the creation of a user account

    ume.notification.lock_performed or ume.notification.unlock_performed
        The user receives an e-mail when the administrator locks or unlocks the user

    ume.notification.pswd_reset_request
        The user sends an e-mail to the administrator when the password is to be reset

    ume.notification.unlock_request
        The user sends an e-mail to the administrator when the account is to be unlocked

    ume.notification.system_email
        The sender's e-mail address, sent with a dummy name (the address does not have to exist)

    The following table shows the various logging on and off parameters:

    Logging On and Off Parameter / Description

    ume.logon.branding_image
        Path to the image displayed on the logon screen

    ume.logoff.redirect.url
        The address that is called following logoff (only for the SAP NetWeaver Portal)

    The following table shows various SAP logon ticket parameters:

    SAP Logon Ticket Parameter / Description

    logon.ticket_lifetime
        Lifetime of the SAP logon ticket (format: hours:minutes)

    logon.ticket_client
        Dummy client written to the SAP logon ticket (default 000; in an AS ABAP+Java system it must be set to a client (value) that is not used in the ABAP system)

    ume.logon.security.relax_domain.level
        Number of subdomains to be removed (for example, a value of 2 means that SAP logon tickets issued by a system on the host twdf1234.wdf.sap.corp are sent to servers in the domain sap.corp)
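    The following Python example is added here to illustrate the security policy parameters and the SAP logon ticket parameters listed above; it is not SAP code. The properties text is a constructed sample in Java key=value form, the password and user ID checks are a plain reading of the ume.logon.security_policy.* descriptions, and ticket_domain() applies ume.logon.security.relax_domain.level to a host name as the relax_domain example describes. The guard that refuses to relax below a two-label domain is this example's own choice, not documented UME behaviour.

```python
"""Added illustration (not SAP code) of checking values against the UME
security policy and SAP logon ticket properties from the lesson.

UME_PROPERTIES is a constructed sample; the checks follow the parameter
descriptions in the text, and the two-label guard in ticket_domain() is this
example's own assumption.
"""

UME_PROPERTIES = """\
# constructed sample, not an exported UME configuration
ume.persistence.data_source_configuration=dataSourceConfiguration_database_only.xml
ume.logon.security_policy.lock_after_invalid_attempts=5
ume.logon.security_policy.auto_unlock_time=0
ume.logon.security_policy.password_min_length=8
ume.logon.security_policy.password_max_length=14
ume.logon.security_policy.password_special_char_required=1
ume.logon.security_policy.password_alpha_numeric_required=2
ume.logon.security_policy.password_expire_days=90
ume.logon.security_policy.useridminlength=4
ume.logon.security_policy.useridmaxlength=20
ume.logon.security.relax_domain.level=2
logon.ticket_lifetime=8:00
"""

POLICY = "ume.logon.security_policy."


def parse_properties(text):
    """Minimal key=value parser; '#' and '!' lines are comments, as in Java properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_password(password, props):
    """Return the names of the violated security policy properties (empty list = accepted)."""
    violations = []
    if len(password) < int(props[POLICY + "password_min_length"]):
        violations.append(POLICY + "password_min_length")
    if len(password) > int(props[POLICY + "password_max_length"]):
        violations.append(POLICY + "password_max_length")
    letters = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    specials = sum(not c.isalnum() for c in password)
    n = int(props[POLICY + "password_alpha_numeric_required"])
    if letters < n or digits < n:   # "at least n digits and n letters"
        violations.append(POLICY + "password_alpha_numeric_required")
    if specials < int(props[POLICY + "password_special_char_required"]):
        violations.append(POLICY + "password_special_char_required")
    return violations


def check_user_id(user_id, props):
    """useridminlength / useridmaxlength bounds on the user ID."""
    lo = int(props[POLICY + "useridminlength"])
    hi = int(props[POLICY + "useridmaxlength"])
    return lo <= len(user_id) <= hi


def ticket_domain(host, props):
    """Drop relax_domain.level leading labels: twdf1234.wdf.sap.corp with level 2 -> sap.corp."""
    level = int(props["ume.logon.security.relax_domain.level"])
    labels = host.split(".")
    if level <= 0 or len(labels) - level < 2:   # example's own guard: keep at least two labels
        return host
    return ".".join(labels[level:])


def ticket_lifetime_minutes(props):
    """logon.ticket_lifetime is given as hours:minutes."""
    hours, minutes = props["logon.ticket_lifetime"].split(":")
    return int(hours) * 60 + int(minutes)


if __name__ == "__main__":
    cfg = parse_properties(UME_PROPERTIES)
    print("Secret12! ->", check_password("Secret12!", cfg) or "accepted")
    print("secret    ->", check_password("secret", cfg))
    print("ticket domain:", ticket_domain("twdf1234.wdf.sap.corp", cfg))
    print("ticket lifetime (min):", ticket_lifetime_minutes(cfg))
```

    Running the checks against a downloaded configuration (see the Caution above about the configuration ZIP file) is a quick way to confirm that the Default security policy profile matches what was intended before users are assigned to it.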

    The following table shows various groups parameters:
