Maintaining Users and Groups

Objective

After completing this lesson, you will be able to list and use the tools for administering users and groups

The Link between Users, Groups and Roles

In the UME environment, the umbrella term principal is used for the following central "objects": user, user account, group and role.

Principals in the UME Environment:

Principal | Meaning
User | General properties of a user (such as name, e-mail, telephone number, etc.)
User Account | Logon-related properties of a user (such as password, validity, lock indicator, and so on)
Group | Set of users and/or groups
Role | Set of (Java) authorizations

For historical reasons, users and user accounts are different principals that are typically associated with each other. When the term user is employed below, it is, more precisely, the associated principals user and user account that are intended.

Note

Depending on the SAP NetWeaver usage type, the principals can have an additional meaning (for example, in an SAP Enterprise Portal there are portal roles, which are handled in the same way as a UME principal).

The following figure shows how you can assign principals.

Users are usually assigned to groups, to which roles are then assigned. However, it is also possible to assign roles to users directly. The principal type group supports hierarchies of groups: a group may have higher-level and lower-level groups. Users actually possess the roles which

  • are directly assigned to them

  • are assigned to the groups to which they belong

  • are assigned to the higher-level groups of the groups to which they belong

When performing a search in the Identity Management, you must always select the check box Search Recursively if you want to see indirectly assigned principals.

Special Features of the ABAP System Data Source

If you use a client of an ABAP system (and consequently the configuration file dataSourceConfiguration_abap.xml) as the data source then UME behaves as follows:

  • The ABAP users are visible in AS Java and can log onto AS Java with their ABAP passwords.

  • The ABAP roles are depicted in AS Java as UME groups of the same name.

  • In AS Java, the assignment of ABAP users to ABAP (composite) roles appears as the assignment of UME users to UME groups.

The reason for this group administration concept is the shared authorization administration for applications that have both ABAP and Java components. Applications such as SAP Process Integration (PI), for example, possess both ABAP and Java components. The ABAP authorizations are mapped with PFCG roles. The JEE authorizations are mapped with UME roles. Without the mapping, a user would have to be assigned a PFCG role in the ABAP system and a UME role on the Java side in order to have both ABAP and Java authorizations. To avoid this double maintenance, the PFCG roles are visible as groups in the UME. The PFCG role (a group) can be assigned a UME role in the UME. If a user is assigned the PFCG role in the ABAP system, he or she automatically also receives the authorizations from the UME role. Assigning authorizations therefore becomes simpler.
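The following Python model is added here as an illustration of the resolution rules described above (roles assigned directly, via groups, and via higher-level groups, with the Search Recursively behaviour of the Identity Management) and of the ABAP-as-data-source mapping (PFCG roles appearing as UME groups of the same name). It is not part of SAP's UME code; the users, groups and roles (PI_OPERATOR, Z_PI_CONFIG, PI_Viewer, and so on) are constructed sample data, and the built-in groups Everyone and Authenticated Users are given to every user as a constructed default.

```python
"""Model of how UME resolves the roles a user actually possesses.

Added example, not SAP code.  Follows the lesson's rules: a user holds the
roles assigned to it directly, to its groups, and to the higher-level groups
of those groups.  ABAP (PFCG) roles are projected into UME groups of the
same name.  All names and assignments are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class UmeDirectory:
    """Principals and their direct assignments, as the Identity Management sees them."""
    user_groups: dict       # user -> groups the user is directly a member of
    group_parents: dict     # group -> its higher-level groups (hierarchies allowed)
    principal_roles: dict   # user or group -> UME roles assigned directly to it

    def direct_groups(self, user):
        return set(self.user_groups.get(user, []))

    def all_groups(self, user):
        """Direct groups plus every higher-level group, found by a breadth-first
        walk over the parents.  The 'seen' set keeps the walk finite even if a
        misconfigured hierarchy contains a cycle."""
        seen, queue = set(), deque(self.direct_groups(user))
        while queue:
            group = queue.popleft()
            if group in seen:
                continue
            seen.add(group)
            queue.extend(self.group_parents.get(group, []))
        return seen

    def effective_roles(self, user, search_recursively=True):
        """Roles listed on the user's Assigned Roles tab.  Without the
        Search Recursively flag only directly assigned roles are shown."""
        roles = set(self.principal_roles.get(user, []))
        if search_recursively:
            for group in self.all_groups(user):
                roles.update(self.principal_roles.get(group, []))
        return roles

    def users_with_role(self, role):
        """Reverse lookup for an authorization review: who ends up with this role?"""
        return {u for u in self.user_groups if role in self.effective_roles(u)}


def abap_roles_as_ume_groups(abap_user_roles,
                             builtin_groups=("Everyone", "Authenticated Users")):
    """Project the ABAP data source into UME group memberships: each PFCG role
    becomes a UME group of the same name, and every user additionally belongs
    to the built-in groups (constructed default for this example)."""
    return {user: list(builtin_groups) + list(roles)
            for user, roles in abap_user_roles.items()}


def build_sample_directory():
    # Constructed ABAP user master data: user -> PFCG roles (as assigned in SU01/PFCG).
    abap_user_roles = {
        "PI_OPERATOR": ["Z_PI_MONITOR"],
        "PI_ADMIN": ["Z_PI_MONITOR", "Z_PI_CONFIG"],
    }
    # Constructed UME-only hierarchy: both PFCG-derived groups sit below "PI Team".
    group_parents = {"Z_PI_MONITOR": ["PI Team"], "Z_PI_CONFIG": ["PI Team"]}
    # Constructed UME role assignments.  Assigning PI_Configurator to the group
    # Z_PI_CONFIG means the PFCG assignment in ABAP alone grants the Java role.
    principal_roles = {
        "Everyone": ["Everyone"],
        "PI Team": ["PI_Viewer"],
        "Z_PI_CONFIG": ["PI_Configurator"],
        "PI_ADMIN": ["Support_Viewer"],   # assigned to the user directly
    }
    return UmeDirectory(abap_roles_as_ume_groups(abap_user_roles),
                        group_parents, principal_roles)


if __name__ == "__main__":
    d = build_sample_directory()
    for user in ("PI_OPERATOR", "PI_ADMIN"):
        print(user,
              "direct:", sorted(d.effective_roles(user, search_recursively=False)),
              "recursive:", sorted(d.effective_roles(user)))
    print("PI_Configurator holders:", sorted(d.users_with_role("PI_Configurator")))
```

Running the model shows why the recursive search matters for an authorization review: PI_OPERATOR has no directly assigned role at all, yet ends up with Everyone and PI_Viewer through the group hierarchy, and PI_ADMIN receives PI_Configurator purely because of a PFCG role assignment on the ABAP side.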

The connection between the UME in AS Java and user management in AS ABAP is established via the Java Connector (JCo). To this end, a communication user existing in ABAP is stored as a UME parameter (this usually has SAPJSF in its name). This communication user's ABAP authorization determines whether it is possible to modify ABAP user master records using UME resources.

  • The role SAP_BC_JSF_COMMUNICATION_RO gives the UME read access to the user data in SAP NetWeaver AS ABAP.

  • The role SAP_BC_JSF_COMMUNICATION gives the UME write access to the user data in SAP NetWeaver AS ABAP.

Hint

When using the UME with AS ABAP, the AS Java communication user(s) (SAP recommendation: SAPJSF_<SID>) must exist in the AS ABAP data source before you install the AS Java. If you have several AS Java systems with AS ABAP data sources, we recommend that you create system-specific users. In addition, you must complete the initial password setup for the AS ABAP users before installing the AS Java.

When configuring the "ABAP" data source, the ABAP user groups appear as Companies in the UME; this was introduced with Release 7.10. The assignment of the user group for authorization check in the user master record of the user in AS ABAP (transaction SU01) is represented in the UME as an assignment to the company. Delegated user administration can therefore be used in AS Java immediately after the installation. For more information about companies and the delegated user administration of AS Java, go to the online documentation for SAP NetWeaver 7.5, path http://help.sap.com/nw75, in the area Application Help → SAP NetWeaver Library: Function-Oriented View → Security → Identity Management → User Management of the SAP NetWeaver AS Java → Configuring User Management → Configuring Delegated User Administration Using Companies.

Administration Tools

The figures in this section explain the tools which you, as administrator, use to maintain users and groups.

[Figure: screenshot of the Identity Management application, reached by calling http://host:port/useradmin, logging on, choosing Go and selecting one of the entries]

The most important tool for a user administrator in an AS Java system is the Identity Management application. This application is independent of the configured data source and is implemented as an application running in a Web browser (based on Web Dynpro Java). You start the user-friendly administration console...

  • via the URL http(s)://<hostname>.<domain>:<http(s) port>/useradmin

  • via the SAP NetWeaver Administrator (URL .../nwa). Then search for Identity Management

  • in a Portal via the path User Administration → Identity Management.

Hint

The function scope available in the Identity Management depends on the current user's Java authorizations. For more information, see the lesson "The Java Authorization Concept".

If you have used the UME configuration file dataSourceConfiguration_abap.xml to connect an ABAP system client, then the usual AS ABAP tools (such as transaction SU01) are available for user administration.

Security Policy Profiles

The AS Java delivers default security policy profiles. The security policy profiles are used to distinguish normal dialog users from technical users that are used to access a specific service or to conduct system-to-system communication. A profile determines, for example, whether the password of a user can expire, or whether it must be changed after the initial logon. The security policy also determines whether the user can log on or not. You can only modify the Default profile and any custom profiles you create.

  • Default: Used for regular generic users. The profile can be displayed and modified.

  • Technical User: Used for system-to-system communication. The profile can be displayed, but not modified directly. Changing the Default security profile results in corresponding changes in the Technical User security profile. The properties for the Technical User security profile can be changed using the UME properties. However, the property for password expiration does not affect the validity of the password in the Technical Users profile.

  • Internal Service User: Used to perform internal operations, for example PCD ACL operations for an SAP Enterprise Portal. The profile cannot be displayed or modified.

  • Unknown: Not a profile, but a category for AS ABAP user types that cannot be mapped to one of the UME profiles listed above.

  • Custom Profile: Created and defined by the customer.

Similar to AS Java, AS ABAP distinguishes between different kinds of users, called user types. The table below provides an overview of the default security policy profiles and maps them to the AS ABAP user types:

AS Java Security Policy Profiles and AS ABAP User Types

User Type/Security Policy | Logon to AS Java | Password Change Forced | Mapped ABAP user types (with ABAP system as data source)
Default | possible | yes | Dialog
Technical users | possible | no | System
Internal service user | not possible | | 
Unknown | depends on AS ABAP user type | depends on AS ABAP user type | Communication, Service and Reference
Custom Profile | possible | yes | 

Note

The last column in the table is only relevant if you are operating a UME with an ABAP system as the data source. Changes to the user type of an ABAP user are mapped to the corresponding UME user master record (and vice versa if the UME has write access to the ABAP system).

You specify the user type when you create a user via the Identity Management (you may not create the type Unknown). In the case of existing users, subsequent changes to the user type are only possible with restrictions.

Hint

You can define your own user types (also called security policy profiles) in the UME configuration to provide your own set of password rules. For example, you could create a user type with very strong password rules for your super users or emergency users.

User and Group Administration

Business Example

You are using AS Java and are responsible for user administration. New users should have access to selected applications.

Valid for this Exercise

Parameter | Value
SAP Classroom | WTS
SAP System ID | SMJ
Host name (FQDN) | smhost.wdf.sap.corp
Operating System | Windows
Central Services Instance | SCS90
Primary Application Server (PAS) | J91
Java Administrator / password | train-## / <your password>
Always replace ## with ... | <group no.>

Task 1: User Maintenance

Copy and modify a user using the Identity Management

Steps

  1. Log on to the Identity Management with your Java User ID.

    1. On the SAP Solution Manager SMJ-WTS start an Edge browser.

    2. Enter the URL http://smhost.wdf.sap.corp:59100

    3. Use the User Management link on the start page or change your URL to: http://smhost.wdf.sap.corp:59100/useradmin

    4. On the Logon Page enter:

      • User*: train-##
      • Password*: <Your Password>

Task 2: Optional: Group and Role Assignment

Check the groups and roles assigned to your user train-##.

Steps

  1. Check language as well as group and role assignments of your user.

    1. Press the button Identity Management.

    2. In the section Search Criteria select User.

    3. Keep the field value All Data Sources for the next field.

    4. Enter your user name: train-## into the search field (which is initially empty) and press Go.

    5. Select your user train-##.

    6. In the section Details of User TRAIN-##, go into change mode by pressing Modify.

    7. Select the tab General Information (default).

    8. Check the field Language.

      Hint

      If no language is entered, the language configured in the browser will be used. If the language is not correct, you can search for your preferred language in this field.

    9. Press Save in case you have changed anything or use Cancel to leave change mode without saving.

    10. Change to tab Assigned Groups.

    11. Write down all groups which are currently assigned to your own user: __________________________________________________________

    12. Change to tab Assigned Roles.

    13. Select the check box in front of the field: Search Recursively.

    14. Press Go.

      Hint

      Here you see all roles the user is assigned to. Even if a role is "only" assigned to a group (of which the user is a member), the role(s) assigned to that group are listed with the recursive search.

  2. Copy your user train-## to a user COPY-## (## corresponds to your group number).

    1. In the area Search - Search Criteria find your own user train-## and choose it in the resulting list.

    2. Use function Copy to New User.

    3. In the area Details of User TRAIN-## section General Information enter the following data:

      Logon ID*: COPY-##
      Define Password*: <choose an initial password>
      Confirm Password*: <choose an initial password>
      Last Name*: COPY-##
      E-Mail Address: COPY-##@sap.com

    4. Press Save.

    5. Change to tab Assigned Groups.

    6. The groups should be the same as for the template user TRAIN-##.

Task 3: User Creation

Create a new user with Identity Management.

Steps

  1. Create a new user NEW-## (## corresponds to your group number).

    1. In the area Search press Create User.

    2. In the section General Information enter the following:

      Logon ID*: NEW-##
      Define Password*: <choose an initial password>
      Confirm Password*: <choose an initial password>
      Last Name*: NEW-##
      E-Mail Address: NEW-##@sap.com

    3. Press Save.

    4. Change to tab Assigned Groups.

      Hint

      This user was created from scratch without any template. Therefore only minimal assignments took place (e.g. the groups Everyone and Authenticated Users).

    5. Write down all groups where the user is member of: ____________________________________

    6. Change to tab Assigned Roles.

    7. Select the check box in front of the field: Search Recursively.

    8. Press Go.

      Hint

      Here you see all roles the user is assigned to. Even if a role is "only" assigned to a group (of which the user is a member), the role(s) assigned to that group are listed with the recursive search. In this case the user only has the role Everyone.

Result

You can manage users in the Identity Management.

Users and Groups

Related Information

Online documentation for SAP NetWeaver 7.5: http://help.sap.com/nw75, in tab Use select SAP NetWeaver Library: Function-Oriented View → Security → Identity Management, then User Management of SAP NetWeaver for AS Java → User Management Engine
