Identifying the Structure and Configuration of the User Management Engine (UME)

Objectives

After completing this lesson, you will be able to:
  • List the various UME data sources
  • Explain the term UME data partitioning
  • Determine the current data source
  • Identify and modify configuration parameters

Basics

AS Java provides an open architecture supported by service providers for the storage of user and group data. AS Java is supplied with the following service providers which are also referred to as a "user store":

  • DBMS provider: storage in the system database

  • UDDI provider: storage via external service providers (Universal Description, Discovery and Integration)

  • UME provider: connection to the integrated User Management Engine

The DBMS and UDDI providers implement standards and therefore ensure that AS Java is Java EE-compliant. When AS Java is installed, SAP's own User Management Engine (UME) is always set up as the user store, and it is the correct choice for most SAP customers. The UME is the only way to flexibly set up and operate user and authorization concepts.

Some of the important features of the UME are:

  • The UME has its own identity management for administering users, formerly known as the UME Administration Console. It allows the administrator to perform the routine tasks of user administration, such as creating users and groups, assigning roles, and other actions.

  • Security settings can be used to define password policies, such as minimum password length and the number of incorrect logon attempts before a user is locked.

  • The UME provides different self-service scenarios that can be used by applications. For example, a user can change his or her data, or register as a new user. Newly-created users can be approved using a workflow.

  • User data can be exchanged with other (AS Java or external) systems using an export/import mechanism.

  • The UME logs important security events, such as a user's successful logon or incorrect logon attempts, and changes to user data, groups, and roles.

Architecture

The UME supports a variety of data sources where user data can be stored:

  • System database

  • Directory service (LDAP server)

  • ABAP-based SAP system (as of SAP Web AS 6.20)

The illustration below shows the architecture of the UME:

The UME is a Java application which runs on AS Java and which covers the following functional areas:

  • UME Core Layer: Provides persistence managers between the application programming interface and the user management data sources. These control where user data (users, user accounts, groups, roles and their assignments) is read from or written to, so that applications which use the API do not need to know where the user management data is stored.

  • UME API Layer: This layer provides programming interfaces (APIs) not just for UME developers but also for customers and partners. This means that you can access the UME functions with the Java programs which you develop yourself.

  • UME services: The UME provides the following services to higher-level software layers:

    • Log-on procedure and single sign-on (log-on to AS Java is taken over for other systems and vice versa)

    • Provisioning processes via user master data

    • Authorization Concept

  • UME UI: The UME is responsible for the user interface which, in some log-on procedures, appears in the Web browser, as well as for the UME Identity Management. This user interface is also known as the UME Administration Console.

The SAP NetWeaver usage types, which are based on AS Java (such as SAP Enterprise Portal), are based on the UME and perform a number of specific functions on this basis (such as self-registration with approval workflow).

Data Partitioning

As described in the previous section, the UME Persistence manager offers the option of storing user data in different data sources. The UME Persistence manager also supports data partitioning. This means in practice that, for example, user data for different user types can be stored in different data sources.

In practice, you often work with a combination of the data sources: database + directory service, or database + ABAP user management. In such a combination, certain user attributes are stored in a different data source from the rest, for example, or users are separated by their category (internal or self-registered users).

  • Attribute-based data partitioning: A user in the UME has certain attributes, some of which are classified as global attributes (user ID, telephone number, and so on) and others of which are application-specific. Global information is particularly suited to being stored in a directory service, and application-specific information in the database.

  • User-based data partitioning: With this type of partitioning, the data source in which users are stored is decided depending on the category of the user (self-registered or internal users). For example, users that register by self-service can be stored in the database, and internal users in the directory service.

  • Type-based data partitioning: With type-based data partitioning, different object types can be distributed to different data sources. The types are, for example, users, groups, roles and user accounts. For example, users can be stored in the directory service, and roles in the database.

SAP delivers preconfigured data source combinations (more information is provided in the next section), which you should only change in special cases. For example, if you are using a directory service as a data source, you may need to perform attribute mapping. You usually use the delivered preconfigured data source combinations without additional changes.

Configuring the Data Source(s)

This section deals with the configuration of the data source(s) stored in the AS Java database in the form of configuration files (in XML format). In most cases, the installation option is retained or the data sources are configured immediately after AS Java installation.

Selecting the UME Data Source

The installation determines the data source for the User Management Engine (UME). After installation you may want to change the data source for a number of reasons. For example:

  • You are upgrading your system landscape to include new user repositories.

  • The data source you want to use for the UME was not available during installation.

Adding an AS Java System to Your System Landscape

When you add an AS Java to your system landscape, you must decide whether to do the following:

  • Use an LDAP directory as the data source for user data.
  • Use an AS ABAP as the data source for user data.

You cannot configure the AS Java to access an LDAP directory and an AS ABAP as the data source simultaneously. The AS Java can also use its own database as the data source.

LDAP Directory as Data Source

Use an LDAP directory as the data source for the User Management Engine (UME) of your AS Java if you want to manage your user passwords in the LDAP directory. This is ideal if, for example, you want to re-use Windows integrated authentication to log on to a portal as well. Use this configuration to access non-SAP systems that share access to the LDAP directory. The LDAP directory may or may not synchronize with other AS ABAP systems.

AS ABAP as Data Source

Use an AS ABAP as the data source if your Java applications access the services and user data of the ABAP system(s). If not, you can also leave the database as the data source. Let's imagine an SAP Enterprise Portal or AS Java as a development platform on the left-hand side and an SAP Solution Manager on the right-hand side:

If your system landscape contains a large number of ABAP systems and these systems are managed by Central User Administration (CUA), you must choose between using either a child system of the CUA or the CUA central system as the data source.

  • Use the CUA central system as the data source if all users in the CUA landscape need to access the AS Java, for example, through a Portal. In this configuration the AS Java can have read-write access to the user master data records. This enables an administrator to use the UME to manage user data.
  • Use a child system of the CUA as the data source if only some of the users need to access the AS Java, for example, through usage type PI of SAP NetWeaver Exchange Infrastructure (SAP NetWeaver XI). In this configuration the AS Java should be restricted to read-only access for user master records.

The ABAP system may or may not synchronize with an LDAP directory.

Change data sources

Modifying data sources can result in inconsistencies. Restrictions therefore apply to the modification of UME data sources.

Hint

Please make sure that you observe SAP Note 718383.

The following changes are supported:

  • System database (dataSourceConfiguration_database_only.xml): You can switch to any required LDAP configuration file (dataSourceConfiguration_[ldap description]_db.xml) or an ABAP system (dataSourceConfiguration_abap.xml). In this case, you must make sure that the new data source does not contain any users and groups with the same unique attributes as the database (i.e. the new data source must not contain any users or groups with the same unique name or ID as the users or groups in the database).

  • ABAP system (dataSourceConfiguration_abap.xml): No change is possible.

  • Directory service (dataSourceConfiguration_[ldap description]_db.xml): If you have selected an LDAP directory as the user data source, you can modify the structure of the LDAP directory or switch to a different LDAP directory if this does not modify any unique user IDs.
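The two conditions above (no duplicate unique names when switching away from the system database; no changed unique user IDs when restructuring or switching an LDAP directory) are worth checking mechanically before touching the configuration. The following Python script is an added example, not part of the lesson or of any SAP tool: it takes constructed name lists standing in for exports of the current database and of the candidate data source, reports collisions per principal type, and lists IDs that would disappear in a restructured directory. Comparing names case-insensitively for the collision check is an assumption made here to be conservative.

```python
from typing import Dict, List, Tuple

# Constructed exports (not taken from any real system): the unique name of every
# user and group in the current system database and in the candidate data
# source. Principal types follow the lesson's type-based partitioning.
DB_EXPORT: Dict[str, List[str]] = {
    "user": ["Administrator", "j.doe", "m.mueller", "svc_backup"],
    "group": ["Administrators", "Developers", "Guests"],
}
LDAP_CANDIDATE: Dict[str, List[str]] = {
    "user": ["J.Doe", "a.smith", "svc_backup"],
    "group": ["Developers", "Finance"],
}
# Constructed old and new layout of one LDAP directory after a restructuring.
LDAP_BEFORE: Dict[str, List[str]] = {"user": ["j.doe", "a.smith", "svc_backup"]}
LDAP_AFTER: Dict[str, List[str]] = {"user": ["j.doe", "a.smith", "svc-backup"]}


def _fold(name: str, case_insensitive: bool) -> str:
    return name.lower() if case_insensitive else name


def find_collisions(current: Dict[str, List[str]], candidate: Dict[str, List[str]],
                    case_insensitive: bool = True) -> Dict[str, List[Tuple[str, str]]]:
    """Return {principal_type: [(name_in_db, name_in_candidate), ...]} for names
    present in both stores. Assumption: folding case is the conservative choice,
    since a name differing only in case may still resolve to the same principal."""
    collisions: Dict[str, List[Tuple[str, str]]] = {}
    for ptype, current_names in current.items():
        index = {_fold(n, case_insensitive): n for n in current_names}
        hits = [(index[_fold(n, case_insensitive)], n)
                for n in candidate.get(ptype, [])
                if _fold(n, case_insensitive) in index]
        if hits:
            collisions[ptype] = hits
    return collisions


def changed_unique_ids(before: Dict[str, List[str]],
                       after: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Unique IDs present in the old directory layout but absent from the new one.
    The lesson only allows an LDAP restructuring or switch if no unique user ID
    changes, so any ID listed here blocks the change. Comparison is exact."""
    missing: Dict[str, List[str]] = {}
    for ptype, old_names in before.items():
        new_names = set(after.get(ptype, []))
        gone = [n for n in old_names if n not in new_names]
        if gone:
            missing[ptype] = gone
    return missing


def switch_report(current: Dict[str, List[str]],
                  candidate: Dict[str, List[str]]) -> List[str]:
    """Human-readable pre-check for a system database -> LDAP/ABAP switch."""
    collisions = find_collisions(current, candidate)
    if not collisions:
        return ["OK: no user or group in the new data source reuses a unique name from the database"]
    return [f"BLOCK: {ptype} '{new}' in the new data source collides with '{old}' in the database"
            for ptype, hits in collisions.items() for old, new in hits]


if __name__ == "__main__":
    for line in switch_report(DB_EXPORT, LDAP_CANDIDATE):
        print(line)
    print("IDs lost by the LDAP restructuring:", changed_unique_ids(LDAP_BEFORE, LDAP_AFTER))
```

Run it against real exports by replacing the constructed dictionaries with lists read from your own user and group exports; a non-empty result from either check means the change is outside what SAP Note 718383 supports.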

SAP Identity Management (IDM)

In SAP Identity Management (SAP IDM), SAP provides integrated, business process-driven Identity Management functions for a heterogeneous system landscape. SAP Identity Management uses a central identity store to consolidate and save data from various source systems, for example, SAP ERP Human Capital Management (SAP ERP HCM). This information is distributed to connected target systems. User accounts and role assignments for SAP and non-SAP applications are distributed.

Role assignments can be automated using rule definitions. A very important function of SAP Identity Management is the option of making the authorization assignment workflow-controlled. The integration with SAP ERP HCM as one of the possible source systems for identity information is a key function for business process-driven Identity Management.

Tools for UME Configuration

User management configuration or UME configuration is a Web Dynpro application for configuring the UME. It is integrated in SAP NetWeaver Administrator (NWA) and in the System Administration role of SAP Enterprise Portal. You can also start this tool as a stand-alone console. Use the method most appropriate to your environment.

  • SAP NetWeaver Administrator of AS Java: Enter the following in your Web browser: <http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/nwa/identity. Then choose User Management Configuration.

  • SAP Enterprise Portal: Enter the following in your Web browser: <http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/irj. Choose System Administration → System Configuration → UME Configuration.

  • Identity Management of AS Java: Enter the following in your Web browser: <http/https>://<AS_Java_hostname>:<AS_Java_HTTP_port>/useradmin. Choose User Management Configuration.

Hint

As of 7.20 there is an Expert Mode available in the configuration area, which gives you access to the maintenance of the UME properties.

Note

No matter which access method you use, configure the AS Java to use Secure Socket Layer (SSL) whenever possible.

Caution

Before you make any changes to the UME Configuration, you should first back up the current configuration. You can do this using a function in the Identity Management (User Management Configuration → Support → Download Configuration ZIP File), which saves the current configuration data in a ZIP file. This file allows you to record and trace changes. However, it is not intended to be re-imported into AS Java.

Config Tool

If you are not able to start the AS Java because of a UME configuration mismatch, you can use the Config Tool to correct the issue:

Open the Config Tool, then choose the Configuration Editor mode. Here you can access all the UME settings (path: cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service → Propertysheet properties).

By way of an example, the next figure shows how you can find out the currently active data source in Offline Configuration Editor mode.

(Figure: Offline Configuration Editor showing the currently active data source; the software is only available in English.)

UME Parameters

User Store

Service provider in AS Java which saves user administration data such as user and group data.

UME

User Management Engine: A Java-based user administration component with central user administration, a single sign-on (SSO), and secure access to distributed applications.

After you have selected and precisely configured a data source, there are many other parameters with which you can influence the behavior of the UME. The following figure provides an overview of the relevant areas:

The following list presents a number of important, selected parameters:

Data source(s)
  • ume.persistence.data_source_configuration Name of the UME configuration file (depending on the data source, other parameters may be relevant for connecting the data source)

Security Policy
  • ume.logon.security_policy.auto_unlock_time Number of minutes after which a user locked because of invalid login attempts is unlocked again (if the value is 0 then the user remains locked)

  • ume.logon.security_policy.lock_after_invalid_attempts Number of invalid login attempts after which a user is locked (automatically set to 0 in an AS ABAP+Java)

  • ume.logon.security_policy.password_special_char_required Determines the minimum number of special characters that the password must contain

  • ume.logon.security_policy.password_alpha_numeric_required Specifies the minimum number of numeric and alphabetical characters that the password must contain (if the number is 3, then the password must contain at least 3 digits and 3 letters)

  • ume.logon.security_policy.password_expire_days Number of days before the password expires

  • ume.logon.security_policy.password_max_length or ume.logon.security_policy.password_min_length Maximum or minimum length of the password

  • ume.logon.security_policy.useridmaxlength or ume.logon.security_policy.useridminlength Maximum or minimum length of the user ID

There are different security policy profiles, e.g. Default and Technical User. The properties of the profile Technical User are hard-coded and cannot be changed. The properties can be viewed in useradmin → Configuration → Security Policy by selecting the profile. Changes to the properties of the Default security policy profile affect the parameters listed above, and vice versa. You can create your own security policy profiles in which you maintain property settings that differ from the Default security policy profile. These settings can only be viewed and maintained in this "simple" mode; they are not accessible via expert mode or the Configuration Editor mode of the Config Tool.

In the UME Configuration you can maintain users and assign them a security policy profile, so that different users can have different values for the security policy properties. By default, the Default security policy profile is assigned.

Notification E-Mails

The UME can be configured in such a way that in certain situations (e.g. after locking a user), e-mails are sent via an external SMTP server. For this to be possible, of course, valid e-mail addresses must be stored in the user master records.

User Admin UI
  • ume.admin.addattrs Makes it possible to add customer-specific attributes to the user master record

  • ume.admin.search_maxhits Maximum number of search hits displayed in the Administration Console (default 1000)

  • ume.admin.search_maxhits_warninglevel Number of hits as of which a warning is issued in the Administration Console (default 200)

  • ume.admin.wd.url.help URL to the online documentation (may, for example, point to the customer's local help system)

  • ume.admin.wd.table.size.<name> Specifies the number of rows for output in the Administration Console (for <name>, there are small, medium and large)

Adding Customizing Attributes to User Profile
  • ume.supergroups.anonymous_group.displayname ID of the group of anonymous users (default Anonymous Users)

  • ume.supergroups.authenticated_group.displayname ID of the group of logged on users (default Authenticated Users)

  • ume.supergroups.everyone.displayname ID of the group of all users (default Everyone)

  • ume.virtual_groups.names IDs of virtual groups (formed on the basis of certain user properties)

Logon Screen Customization
  • ume.logon.branding_image Path to the image displayed in the logon screen

  • ume.logoff.redirect.url Address that is called following logoff (only for the SAP Enterprise Portal)

Note

These are just some examples. For detailed information, please check the online documentation for your SAP product version.

Check User Management Engine Configuration

Business Example

Your company uses SAP NetWeaver Application Server Java. You want to know which Data Source Configuration has been activated on this system.

Valid for this Exercise

  Parameter                          Value
  SAP Classroom                      WTS
  SAP System ID                      SMJ
  Host name (FQDN)                   smhost.wdf.sap.corp
  Operating System                   Windows
  Central Services Instance          SCS90
  Primary Application Server (PAS)   J91
  Java Administrator / password      train-## / <your password>
  Always replace ## with ...         <group no.>

Task 1: Configuration Data

Save and evaluate the current configuration data.

Steps

  1. On the WTS check the active Data Source configuration for the SAP Solution Manager Java System using the Identity Management.

    1. On the SAP Solution Manager Classroom 2: WTS start an Edge browser.

    2. E

    3. Enter the URL http://smhost.wdf.sap.corp:59100 and use the User Management link. Alternatively call the function directly by enhancing the URL with the alias: http://smhost.wdf.sap.corp:59100/useradmin

    4. On the Logon Page enter:

      • User*: train-##
      • Password*: <your password>
    5. Choose the button Configuration below the Welcome <user name> message.

      Note

      In case you receive the message "An error occurred, contact your system administrator.":

      Press Log Off, close this browser tab, try the User Management link again, Logon again, and finally choose the button Configuration once again.

    6. Choose the tab Data Sources (default).

    7. Which Data Source has been configured for your SAP system? Write this information down: ________________________________

  2. Check the UME Backend connection of the SAP Solution Manager Java System.

    1. Still in the UME console choose the tab ABAP System.

    2. Press the link UME RFC Destination.

      Result

      A new tab opens, the SAP NWA starts with the function for Destination configuration. The user interface shows the Destination List.
    3. Search for the UMEBackendConnection. It has the Destination Type RFC.

    4. Select this Destination.

    5. In section Destination Detail select the tab Connection and Transport (default).

    6. Check the fields Target Host and System Number. Even if there is no value provided in field System ID: Which SAP System is referred to in the above checked fields? _____

    7. Select the tab Logon Data.

    8. Check the client which is entered and make a note of the User Name: ______________

    9. Close this browser tab.

  3. Check the active Data Source configuration for the SAP Solution Manager Java System using the SAP NetWeaver Administrator Configuration Browser.

    1. Go to the first tab of your browser, which should be the start page called SAP NetWeaver Application Server Java. If it is no longer open, enter the URL http://smhost.wdf.sap.corp:59100.

    2. Select the link SAP NetWeaver Administrator.

    3. On the top right of the user interface, use the Search function and enter: Java Configuration Browser.

    4. Press Go or ENTER.

    5. In the results, under Java Configuration Browser select the Overview link.

    6. On the right of the screen use the Table Settings icon (wrench symbol) and select Large (20 Rows).

    7. Open the following path: Local System → cluster_config → system → custom_global → cfg → services → com.sap.security.core.ume.service.

    8. Select the entry properties.

    9. At the bottom of the screen in the section Properties use the Filter below column Name and type: data_source

    10. Press ENTER on your keyboard.

    11. Check the row ume.persistence.data_source_configuration. In the field Custom Value you should find dataSourceConfiguration_abap.xml.

      Note

      This view is exactly the same as in the Config Tool using the Configuration Editor. Because in the training environment we have only one SAP Solution Manager server, we need to use this workaround. Keep in mind: you cannot change anything here, but in Config Tool you would be able to.

Task 2: Optional: Save the current configuration data of UME and evaluate it

Steps

  1. Save the current UME configuration of your SAP NetWeaver AS Java system to a file using the Identity Management.

    1. On the SAP Solution Manager WTS start an Edge browser.

    2. Go to the first tab of your browser, which should be the start page called SAP NetWeaver Application Server Java. If not, enter the URL http://smhost.wdf.sap.corp:59100.

    3. Use the link to the User Management on the start page or change your URL to: http://smhost.wdf.sap.corp:59100/useradmin

    4. On the Logon Page enter:

      • User*: train-##
      • Password*: <your password> (e.g. Master10)
    5. Press the button Configuration.

    6. Choose the tab Support.

    7. Choose the link Download Configuration ZIP File.

    8. Choose Show in Folder (folder icon); the archive IM-CONFIG_wdflbmt<no.><date><timestamp> appears in Windows Explorer in the Downloads directory of the WTS.

  2. Using the ZIP file you have just saved in the Downloads folder of WTS, answer the following questions:

    – Which data source is currently active?

    – After how many days does the user password expire?

    – What is the maximum length of a password?

    1. In Windows Explorer navigate to the Downloads folder and double-click to open the ZIP file which you previously saved.

    2. Select the file sapum-global.properties and with the secondary mouse button choose View file.

    3. You can use the following UME parameters to answer the questions above:

      • ume.persistence.data_source_configuration: Displays the current data source and should be set to dataSourceConfiguration_abap.xml.

      • ume.logon.security_policy.password_expire_days: Displays the validity period of passwords in days and should be set to 999999.

      • ume.logon.security_policy.password_max_length: Displays the maximum length of a password and should be set to 14.

Result

You have saved the current status of the UME configuration in a ZIP file and evaluated it by checking some parameters and their values.
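The evaluation in Task 2 and the security policy parameters listed under UME Parameters both come down to reading key/value pairs out of sapum-global.properties. The Python script below is an added example, not part of the lesson or of any SAP tool: it builds an in-memory ZIP shaped like the configuration download (the file name sapum-global.properties is from the lesson; its content is a constructed sample, not copied from a real system), parses it as a Java properties file, answers the three exercise questions, and flags security-policy values using the parameter semantics given in the lesson. The review thresholds (ten years for "never expires", a minimum length of 8) are assumptions of this example.

```python
import io
import re
import zipfile
from typing import Dict, List

# Constructed content in the format of sapum-global.properties (not from any real
# system). The three values the exercise asks about match what it expects.
SAMPLE_PROPERTIES = """\
# sapum-global.properties (constructed sample)
ume.persistence.data_source_configuration=dataSourceConfiguration_abap.xml
ume.logon.security_policy.password_expire_days=999999
ume.logon.security_policy.password_max_length=14
ume.logon.security_policy.password_min_length=8
ume.logon.security_policy.lock_after_invalid_attempts=0
ume.logon.security_policy.auto_unlock_time=0
ume.logon.security_policy.password_special_char_required=0
ume.logon.security_policy.password_alpha_numeric_required=1
ume.admin.search_maxhits_warninglevel=200
ume.admin.search_maxhits=1000
"""

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")
POLICY = "ume.logon.security_policy."


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java .properties text: '#'/'!' comment lines, '=' or ':' separators
    and backslash line continuations. A later key overrides an earlier one."""
    props: Dict[str, str] = {}
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):            # continuation: join with the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        entry, pending = "".join(pending), []
        m = _KV.match(entry)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def build_config_zip() -> bytes:
    """Make an in-memory ZIP shaped like the IM-CONFIG download (one file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sapum-global.properties", SAMPLE_PROPERTIES)
    return buf.getvalue()


def load_ume_properties(zip_bytes: bytes) -> Dict[str, str]:
    """Read and parse sapum-global.properties out of the configuration ZIP."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return parse_properties(zf.read("sapum-global.properties").decode("utf-8"))


def answer_exercise(props: Dict[str, str]) -> Dict[str, object]:
    """The three questions of Task 2, answered from the parsed properties."""
    return {
        "data_source": props.get("ume.persistence.data_source_configuration"),
        "password_expire_days": int(props.get(POLICY + "password_expire_days", "0")),
        "password_max_length": int(props.get(POLICY + "password_max_length", "0")),
    }


def review_security_policy(props: Dict[str, str]) -> List[str]:
    """Flag settings a reviewer would question, using the parameter semantics the
    lesson gives (0 = stays locked / never locks). Thresholds are assumptions."""
    def num(key: str) -> int:
        return int(props.get(POLICY + key, "0"))

    findings: List[str] = []
    if num("lock_after_invalid_attempts") == 0:
        findings.append("lock_after_invalid_attempts=0: the UME does not lock users after failed "
                        "logons (the lesson notes this is set automatically on AS ABAP+Java)")
    if num("auto_unlock_time") == 0:
        findings.append("auto_unlock_time=0: locked users stay locked until an administrator unlocks them")
    if num("password_expire_days") >= 3650:
        findings.append(f"password_expire_days={num('password_expire_days')}: passwords effectively never expire")
    if num("password_special_char_required") == 0:
        findings.append("password_special_char_required=0: no special character is required")
    if num("password_min_length") < 8:
        findings.append(f"password_min_length={num('password_min_length')}: below the assumed floor of 8")
    return findings


if __name__ == "__main__":
    props = load_ume_properties(build_config_zip())
    print(answer_exercise(props))
    for finding in review_security_policy(props):
        print("-", finding)
```

To use it on a real download, pass the bytes of the IM-CONFIG ZIP to load_ume_properties instead of build_config_zip(). On a system with the ABAP data source, the two zero-valued lock parameters are expected, because password and lock handling is then governed by the ABAP side; on a database-only system they deserve a second look.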

Task 3: Optional: Check a UME parameter

Steps

  1. Use the Identity Management to change the threshold value for warnings in case of extensive search results to 240.

    1. If you are still working on the SAP Solution Manager WTS, use the already opened Identity Management. In this case continue with sub-step f), which is step 6 below.

    2. If it is not open any more, start an Edge browser and proceed with the next steps.

    3. Go to the first tab of your browser, which should be the start page called SAP NetWeaver Application Server Java. If not, enter the URL http://smhost.wdf.sap.corp:59100.

    4. Use the link to the User Management on the start page or change your URL to: http://smhost.wdf.sap.corp:59100/useradmin

    5. On the Logon Page enter:

      • User*: train-##
      • Password*: <your password> (e.g. Master10)
    6. In the Identity Management, go to the view Configuration → User Admin UI.

    7. Switch to edit mode by choosing Modify Configuration.

    8. Under Warning Threshold for Large Search Results enter 240.

    9. Choose Save All Changes.

    10. You should receive the following message on top: "Configuration saved. All changes are already in effect. There is no need to restart the server nodes".

  2. Use the Expert Mode in the Identity Management to change the same value to 250.

    1. Click the button Open Expert Mode (on the right hand side at the border of the screen).

    2. Enter the following search string into the filter field (below the field Key): ume.admin.search

      Hint

      Do not use a * or a . at the end of your search string.

    3. Choose ENTER.

    4. Choose Modify.

    5. In the row with parameter ume.admin.search_maxhits_warninglevel enter 250 in the Value field.

    6. Choose Save.

    7. You should receive the following message: "Configuration saved. All changes are already in effect. There is no need to restart the server nodes".

    8. Click the button Close Expert Mode.

Related Information

  • Online documentation for SAP NetWeaver 7.5, path http://help.sap.com/nw75 in the area Application Help → SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the SAP NetWeaver AS Java → User Management Engine
  • SAP Note 718383 - Supported Data Sources and Modification Options
  • SAP Note 948654 - Only use Global Settings for UME Properties
  • SAP Course ADM960 SAP NetWeaver Application Server Security
