Naming Special Principals

Objectives

After completing this lesson, you will be able to:
  • List a number of "special" principals
  • Activate the emergency user

Default Principals

During AS Java installation, certain principals are created for special purposes, while others are created subsequently by the administrator. In this section you will get to know some of these "default principals". In some cases, the default IDs of these principals depend on the data source used.

Default Users

The following table presents important default users:

Default Users

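| User | Data source: Database | Data source: LDAP Server | Data source: ABAP System, Add-In (ABAP+Java) | Data source: ABAP System, Remote |
|---|---|---|---|---|
| Administration user | Administrator | Administrator | J2EE_ADMIN | J2EE_ADM_<SID> |
| Guest user | Guest | Guest | J2EE_GUEST | J2EE_GST_<SID> |
| Communication user to data source | SAP<SID>DB | Freely definable | SAPJSF | SAPJSF_<SID> |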

The administration user has unrestricted access to AS Java. You should therefore give this account to only very few people and assign it a very secure password.

If you use a client of an ABAP system as the data source, the listed user master records are located on this ABAP client (and can be viewed in SU01). In the case of a remote ABAP system, the SID of the AS Java system is incorporated in the user name. This allows you to distinguish between users if multiple AS Java systems are connected to a single ABAP client.

Among other things, the guest user is used for anonymous access to AS Java, for example in order to construct the logon form in the Web browser. This user is normally locked. Do not delete this user.

In addition to the users that are listed above, application-specific default users also exist in a pure AS Java system. You must therefore take care of further default users depending on the installed product.

Default Groups

The following table presents important default groups:

Default Groups

| Group | Data source: Database | Data source: LDAP Server | Data source: ABAP System |
|---|---|---|---|
| Administrators | Administrators | Administrators | SAP_J2EE_ADMIN |
| Guests | Guests | Guests | SAP_J2EE_GUEST |
| All Users | Everyone | Everyone | Everyone |
| Authenticated Users | Authenticated Users | Authenticated Users | Authenticated Users |
| Anonymous Users | Anonymous Users | Anonymous Users | Anonymous Users |

All the users that you assign to the Administrators group are given extensive system authorizations through the Administrator role assigned to this group (see next section). Initially, the default administration user is entered here.

Initially, the default guest user and the default guest role are assigned to the guest group.

In addition, the UME possesses a built-in groups adapter which is responsible for the following three special groups:

  • Everyone: Every (!) user is always a member of this group. If you assign roles/actions to this group then every user (including those that you may create in the future) has the corresponding authorizations.

  • Authenticated Users: You assign all the users who - in whatever way - have to log onto AS Java to this group.

  • Anonymous Users: You assign all the users who are able to log on anonymously to this group (configured by means of the UME property ume.login.guest_user.uniqueids).

The following therefore applies: Authenticated Users + Anonymous Users = Everyone.

In addition to these default groups, there are also application-specific groups depending on the installed product.

Appendix: Default Roles

The following table presents important default roles:

Appendix: Default Roles

| Role | Meaning |
|---|---|
| Administrator | Provides extensive Java authorizations for administrators (via actions) |
| Everyone | Contains some basic end user authorizations. |

Although by default no users are directly assigned to these two roles, the Administrator role is linked to the Administrators group. The role Everyone is assigned to the group Everyone; therefore, it is assigned to all users.

Emergency User

You need to activate an emergency user for the UME if the user management has been incorrectly configured and no one can log on to an application, or all administration users are locked. This emergency user is called SAP* and can log on to any application and to the configuration tools. The SAP* user has full administration authorizations and, for security reasons, does not have a default password. You set the password as part of emergency user activation.

Hint

The emergency user is generally not important in systems in which the UME runs (successfully) with the ABAP data source as you can always create a user in ABAP and give it Java administration rights.

Proceed as follows to make a correction with the SAP* user:

  1. Activate the SAP* user.

    1. Stop the Java cluster.

    2. In the Config Tool, open the Configuration Editor mode.

    3. Navigate to cluster_config > system > custom_global > cfg > services > com.sap.security.core.ume.service > Propertysheet properties.

    4. Switch to change mode.

    5. Set ume.superadmin.activated to the value true.

      Set ume.superadmin.password to any password.

    6. Start the Java cluster.

  2. Change the configuration.

    1. Log on with the user SAP* and the password that you have just set.

      Note

      While the SAP* user is active, all other users are deactivated.

    2. Correct the problem; for example, unlock the administration user.

  3. Deactivate the SAP* user.

    1. Stop the Java cluster.

    2. In the Config Tool, open the Configuration Editor mode.

    3. Navigate to cluster_config > system > custom_global > cfg > services > com.sap.security.core.ume.service > Propertysheet properties.

    4. Switch to change mode.

    5. Set ume.superadmin.activated to the value false.

    6. Start the Java cluster.
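
As an added example (not part of the SAP lesson and not SAP tooling), the following Python check flags an emergency user that was left active after the procedure above. It assumes the UME properties have been exported as Java-style key=value text; the export format, SAMPLE_EXPORT, the function names and the severity labels are assumptions.

```python
# Added example: audit exported UME properties for emergency-user leftovers.
# Assumption: the properties are available as Java-style "key=value" text.

SAMPLE_EXPORT = """\
# constructed sample, not taken from a real system
ume.login.guest_user.uniqueids = Guest
ume.superadmin.activated = TRUE
ume.superadmin.password = ********
"""

def parse_properties(text):
    """Parse key=value or key:value lines; skip blanks and # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                props[line[:i].strip()] = line[i + 1:].strip()
                break
    return props

def audit_emergency_user(props):
    """Return (severity, message) findings for the SAP* emergency user."""
    findings = []
    # Assumption: a missing ume.superadmin.activated is treated as "false".
    activated = props.get("ume.superadmin.activated", "false").lower() == "true"
    has_password = bool(props.get("ume.superadmin.password"))
    if activated:
        # The lesson notes that all other users are deactivated in this state.
        findings.append(("HIGH", "SAP* emergency user is active; "
                                 "all other users are deactivated"))
    elif has_password:
        # Assumed review item: the deactivation steps leave the password in place.
        findings.append(("INFO", "ume.superadmin.password is still set "
                                 "while SAP* is deactivated"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_emergency_user(parse_properties(SAMPLE_EXPORT)):
        print(f"[{severity}] {message}")
```

Run it after step 3 of the procedure; an empty result means neither the activation flag nor an emergency password remains in the export.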

Related Information

  • Online documentation for SAP NetWeaver 7.5, path

    http://help.sap.com/nw75 in the area Application Help > SAP NetWeaver Library: Function-Oriented View > Security > Identity Management > User Management of the SAP NetWeaver AS Java > Reference Documentation for User Management

  • Online documentation for SAP NetWeaver 7.5, path

    http://help.sap.com/nw75 in the area Application Help > SAP NetWeaver Library: Function-Oriented View > Security > Identity Management > User Management of the SAP NetWeaver AS Java > Troubleshooting > Activating the Emergency User
